Here is another contribution to the ongoing debate and all-round soul-searching in the wake of the recent PRISM revelations. The key issue that is emerging here, and one that must be a concern to many businesses, is that they really do need to show a great deal of interest in just where in the world their data is stored.
Indeed, it might even be necessary to show interest in managing the route that data takes when it is moved between one location and another. A growing number of press reports suggest that a high proportion of such movements are directed by systems made by the Chinese communications systems giant Huawei, and doubts have already been widely expressed about dubious data routings this company’s systems may have used.
All in all, the aftermath of the PRISM revelations could lead to significant changes in the way businesses set about managing and securing their cloud operations in future. Without clarity on data location it will become increasingly difficult to maintain and grow trust in the cloud.
This latest contribution to the debate comes from the APM Group, the Cloud Industry Forum’s (CIF) independent certification partner. According to Richard Pharro, APM Group’s CEO, the case casts light on the important questions end users need to be asking of their Cloud Service Providers (CSPs), if they are to prevent their data from unwittingly being stored in undesirable jurisdictions.
“This latest episode will have revealed a blind spot for cloud users, many of whom remain in the dark about precisely where their data is being stored and who has access to it,” he said. “Moving data to the cloud can often mean it is hosted in another country and subject to different data laws. Privacy laws are not standardised across Europe, and as we have seen, even countries with quite strict legislation have anti-terrorism laws that can allow governments to access your data. Businesses have the right to know where their sensitive and confidential information is being stored, and what protection and legislation this data is subject to.
“In order to understand the best fit of cloud, it is important that organisations are able to make a practical assessment of the criteria that will help define the options possible. Key to this is knowing the questions to ask your CSP, pertaining to things like data sovereignty, data security, and interoperability, as well as business continuity planning, operational transparency and capability. On balance, and depending on the type of data being stored, businesses may want to seek out jurisdictions with more favourable privacy laws, like France or Germany.”
Pharro pointed to the CIF Code of Practice as a means for end users to sift through reputable suppliers and find a CSP that best suits their needs.
“CSPs that certify against the Code of Practice are required to make public their approach to transparency, capability and accountability, and their data handling practices, including where data is stored. In short, the information that an end user would need to be able to make an informed choice about their CSP that meets their data handling and storage requirements.”
The long-term fallout from the PRISM scandal could yet radically change the business models of the CSPs themselves. If users’ views on the operational rules change sufficiently, CSPs will need to offer a wide range of locations so that users can select where data is stored.
They will also need to address issues of partnership with other CSPs operating in locations they do not serve themselves. And there will need to be clear protocols and policies in place for the movement of data between those approved locations.
The one thing that is now highly likely is that this will bring an end to the selection of cloud services on the basis of price alone. The service assurances that users are now likely to seek will cost CSPs money to provide, so the cost of cloud services may well creep upwards as a result.