Data compliance beyond borders - why we should be paying attention

Opinion Davey Winder Apr 15, 2013

Regulating the cloud is a challenge that's yet to be sorted but users should still pay attention to issues of data compliance

Regulating the cloud has, like the Internet itself, been compared to herding cats: so difficult as to border on the impossible. Border is the operative word here: one of the features of cloud computing is that it doesn't recognise boundaries, be they international or industrial in nature.

As far as both are concerned, data is data, and it matters as little to the cloud whether that data comes from the financial or manufacturing sectors as it does whether it ends up being stored in Newcastle or New York. Yet these things do matter, critically in many cases, to the business pushing its data into the cloud. Government and industry-specific regulatory compliance has long been a sticking point, and one of the issues preventing the short-sighted enterprise from taking a broader business view of the cloud.

Yes, as regular Cloud Pro readers will have twigged, I'm talking about data sovereignty again. However, the same 'memory of an elephant' brigade will no doubt have also noticed that the 'not like herding cats' comment might suggest that I have changed my stance from a year ago; and they would be wrong.

Compliance has long been one of the issues preventing the short-sighted enterprise from taking a broader business view of the cloud

Somewhat ironically, almost exactly a year ago, right here at Cloud Pro, I stated that "Almost exactly a year ago the Director of Security for Google Apps, Eran Feigenbaum, was telling anyone who would listen that the geographical location of data in the cloud wasn't a priority issue and that people should focus their concerns on the privacy and security of that data instead. Feigenbaum even went as far in one online interview as to suggest that to do otherwise was an 'old way of thinking' at the time. Well I'm sorry Eran, but you were wrong then and you are wrong now."

I haven't changed my stance: the small matter of where data is stored within the borderless cloud is a damn big compliance problem, and not just for certain tightly regulated industries but for anyone that truly respects the privacy of the data concerned.

If you read to the end of that piece from last year you will notice how I stated quite categorically that "data sovereignty is nothing new and has been an issue since the first cheap offshore data centres hit the scene". I pointed out that what was really happening was that, in the rush to adopt the cloud model, certain legislative nuts had been allowed to loosen to the point where the wheels had fallen off the compliance wagon.

What I am saying now is that both the cloud industry itself, and the understanding of those companies looking to exploit it, have matured to the point where regulatory compliance is not only possible but practical and straightforward. Whether you are a US-based business needing to comply with homegrown compliance issues, or a European one covered by ever-tightening EU regulation, there is a cloud solution available and these are not exactly hiding from view.

The problem, and it's this that leads the misinformed to shout 'impossible to regulate, run away' at the mere mention of cloud adoption, is that the big players at the forefront of the cloud provision business right now are not the providers of those solutions. Give them time though, and clouds-within-clouds will certainly appear: regulatory-compliant, geographically sandboxed and no doubt offered at a premium price point.

In the meantime it's just a matter of due diligence, and understanding that cost as a driver is not just about the bottom line number. So take the time to research the options available, and take the time to be less myopic when it comes to total service provision. That means asking questions which, if treated as 'awkward' by the potential CSP, indicate it's not the right provider for you. Written agreements covering how, and where, data is processed should not be considered toxic.

This doesn't, for EU-based businesses, necessarily mean that the US is a non-starter. Although, when it comes to data protection for example, the US isn't on the EC list of approved handlers, there is a get-out in that transfers to cloud vendors which have signed up to the US 'Safe Harbor' agreement are allowed, and this provides additional safeguards against state snooping.

Within the UK itself, the Data Protection Act does allow you to move your data to a non-listed country as long as you have conducted adequate assessments or get the permission of the Information Commissioner. Industry-specific regulatory compliance standards are a different kettle of fish, but if you are covered by these then you already know the kind of questions that need to be asked and the answers that must be given. The good news is that in-country guaranteed niche hosting doesn't have to cost a fortune, and sourcing it doesn't have to be a nightmare.

There is no doubt in my mind that, as far as regulating the cloud is concerned, there's still a long way to go. It's an evolutionary process and one that has yet to climb the curve and reach the other side. But it's far from being in such a state that the cloud still has data protection hazard warning signs plastered all over it. 

Davey Winder


Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.