Knowing who is responsible for what is more important than where when it comes to the cloud and data
Blogs | 15 Jun 2012
Cloud computing has undoubtedly opened up entirely new possibilities for businesses and end users to create and employ new services that would have been inconceivable before. But a vexing question around cloud is that it not only blurs the boundaries of services and organisations, it also blurs the boundaries of both geographical and political entities.
Megan Richards, deputy director general of Information Society and Media for the European Commission, was addressing just that issue this week.
"You shouldn't care where the data is as long as it is secure and meets regulatory requirements, so now the question is how to ensure that: how to make sure that when we use cloud resources, personal data does meet those requirements," said Richards.
Richards went on to say that new data protection legislation is currently passing through the European Parliament, as part of its European Cloud Computing Strategy, which will aim to address these issues. The proposals will be finalised within the next year and come into effect within the next two and a half years.
That sounds quite comforting except for the fact that the timeline is a little, shall we say, glacial.
Things move quickly in the world of technology, and even more so in cloud computing. So let's take one of the largest data repositories likely to be affected by these laws as an example. Two and a half years ago, at the beginning of 2010, according to InsideFacebook.com, the total number of Facebook users was around 400 million. Today, midway through 2012, that number stands at around 900 million, according to Wikipedia (OK, so not necessarily the most accurate reference source ever, but you get the point).
Two and a half years is an eternity, and many more complications and permutations of what happens to data in the cloud will have emerged by then, rendering the law, unless it is exceptionally skilfully drafted, more than likely obsolete on its first day.
The other reaction that is prompted by this statement from Richards is, "well, duh!"
This is a blindingly obvious conclusion and one that should have been legislated long before this, but it does not only apply to the personal preferences of Facebook users. There are many businesses with a working revenue model that collect data on their customers and have distinct obligations around that data. These businesses are worried about employing cloud services, despite their obvious benefits, in case they cannot meet their compliance obligations.
Some businesses have considered that availability can become secondary to regulatory obligations when business data could potentially cross certain boundaries. For example, if sensitive data should suddenly become subject to the Patriot Act or equivalent (and yes, there are equivalents, though not all are so well defined) as a result of an application or virtual machine (VM) failing over from a primary to a support provider, does that mean it is better that the data becomes unavailable rather than break a compliance obligation?
The point is that organisations still need to ask where the data can go in all eventualities, not just in a primary failure, but in multiple steps down the line. They need to ask about the stance of each provider in the chain and whether their respective obligations may clash. Organisations need to be aware of end user licence agreements (EULAs) to be sure that they are not signing away rights to data, or rights to recompense should any of these conditions be broken. This applies whether the service being used is Amazon's ECS or Dropbox. If smaller businesses are to engage fully with the cloud, and their customers are ever to have confidence in such services, then everyone in the chain must be made more aware of not only the mechanisms, but also the risks and responsibilities.
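The "multiple steps down the line" question above is a reachability problem: data can end up anywhere a chain of failovers can carry it, not only at the first backup site. The following is an added example, not code from the original post or from any provider named in it, that models a provider chain as a small graph and reports every jurisdiction the data could reach, with the failover path that gets it there. All provider names, regions and jurisdictions are constructed for illustration.

```python
from collections import deque

# Constructed provider chain (hypothetical names): each provider sits in one
# jurisdiction and may fail over to the providers listed under "failover".
PROVIDERS = {
    "primary-eu": {"jurisdiction": "EU", "failover": ["backup-eu", "dr-us"]},
    "backup-eu": {"jurisdiction": "EU", "failover": ["cdn-global"]},
    "dr-us": {"jurisdiction": "US", "failover": []},
    "cdn-global": {"jurisdiction": "US", "failover": []},
}


def reachable_paths(start, providers=PROVIDERS):
    """Breadth-first walk over failover links.

    Returns a dict mapping every provider the data could land on (the start
    included) to the shortest failover path that takes it there.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in providers[current]["failover"]:
            if nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def residency_violations(start, allowed, providers=PROVIDERS):
    """List every reachable provider whose jurisdiction is not in `allowed`.

    Each entry is (provider, jurisdiction, hops, path), sorted by how many
    failover steps it takes, so a one-hop exposure surfaces before one that
    only appears two or three steps down the chain.
    """
    report = []
    for prov, path in reachable_paths(start, providers).items():
        jur = providers[prov]["jurisdiction"]
        if jur not in allowed:
            report.append((prov, jur, len(path) - 1, path))
    report.sort(key=lambda r: (r[2], r[0]))
    return report


if __name__ == "__main__":
    # Data must stay in the EU; show every failover route that would break that.
    for prov, jur, hops, path in residency_violations("primary-eu", {"EU"}):
        print(f"{prov}: {jur} after {hops} failover step(s) via {' -> '.join(path)}")
```

With the constructed chain, the one-hop exposure (primary-eu to dr-us) is easy to spot, but cdn-global is only reached through backup-eu, which is exactly the second-order case a review of the primary provider alone would miss. In practice the graph would be filled from each provider's documented failover and subcontractor arrangements rather than hard-coded.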
Richards' legislation is to be welcomed, but it should also be expedited and perhaps accompanied by an exhortation to the likes of Dropbox and others to simplify terms and conditions. At the time of writing, the Dropbox terms of service and privacy statements, by far the least serious offender in this area, totalled more than 4,000 words.