There’s no doubt that cloud computing can offer significant advantages for many businesses. The ability to access an extensible, flexible infrastructure without the overhead associated of of the typical DIY approach can deliver substantial cost and operational benefits to many businesses. However, many industries, either through law or by preference, can’t use offshore cloud providers.
A recent study by Gartner says that “public cloud computing solutions are being driven predominately by U.S.-based suppliers and are being delivered through data centers being built in the U.S. Therefore, although the dynamics driving the demand for public cloud computing are largely consistent, there is a significant difference in its supply dynamics. This has created anxiety for non-U.S. enterprise IT organizations, because the location of data creates a new set of risk management contingencies.”
That challenge is one that is now being faced by many companies and it can have significant legal implications. In Singapore Monetary Authority of Singapore can jail or fine companies that don’t carry out appropriate due diligence. The Australian Prudential Regulatory Authority (APRA) has written an open letter to financial bodies advising executives to evaluate cloud computing as a new form of outsourcing or offshoring that requires APRA's approval. The European Union has issued a directive stating that that the transfer of personal data outside the EU can only be done where the country in question provides an adequate level of protection.
Data sovereignty is a broad term that covers the consideration of what laws and regulations are in play when data from one country is stored in another country. For example, if data from a French company is stored in servers held in the United States - whose laws preside if there’s a problem? A quick look at the consumer focussed Dropbox service reveals that the service is provided with an “all care no responsibility” attitude. There’s no warranty or protection that’s guaranteed for data and any legal issues will need to be pursued in San Francisco. While that’s a consumer service, it highlight issues that commercial entities need to be cognisant of.
In Australia, there are legal considerations regarding privacy. The Australian Privacy Commissioner has published a series of principles that companies are expected to adhere to when handling customer data. Principle 9 deals specifically with “transborder data flows”. What’s clear from the guidelines is that there are some significant obligations on companies when using out-of-country storage services.
In effect, the Australian Privacy Commissioner expects companies to either get the consent of customers when storing their data offshore or to assess that the customer would give their consent if it were reasonable to ask them. Any business considering offshoring customer data should read the privacy principles and get appropriate legal counsel.
Over recent weeks, there’s been speculation that Amazon will be opening a local data centre for its Australian customers. Vince Lee, Regional Manager in Australia/New Zealand for SafeNet says that while an Australian AWS hosting facility will lessen data sovereignty risks for some, organisations should be careful not to confuse data sovereignty with data security.
From a risk management point of view, using locally hosted cloud storage providers only mitigates some risks. While legal issues may be more easily managed, the same issues remain as for any outsourced infrastructure solution.
Lee also says that “Hosting data locally has certain advantages for government and financial
organisations, for example, that can rely upon the enforcement of laws within their local
jurisdictions to strengthen their control over information. But the protection onshore hosting
affords most organisations is fairly limited and could possibly be outweighed by the additional
costs involved. What’s more, onshore hosting does not address data security concerns which remain
the number one barrier to most organisations adopting cloud computing.”
CIO Data Sovereignty Checklist
1 - What are the local laws regarding offshoring data?
2 - Have you done your complete risk analysis covering both sovereignty and security issues?
3 - What’s your customer communication strategy?