Understanding the laws of the land

Understanding the laws of the land

Summary: Many people have become fixated with issues of security in the cloud. For some it seems to be the first and last thing they think of when exploring the concept.


Many people have become fixated with issues of security in the cloud. For some it seems to be the first and last thing they think of when exploring the concept. But technological advancements, including those I discussed in my previous post about secure compute pools, are making the security question a less daunting one. Where factors are more out of the hands of the business are jurisdictional constraints about how data is stored.

A recent blog in the Back Office section of this site discussed the risks that you face if data is held in the US, where the Patriot Act allows gives law enforcement great freedom to ‘explore’ your data. In the example given, the FBI swooped on a data centre to seize data from a single account. The agents were unable to identify the relevant server and so took complete racks in the course of their investigation. As a result, quite a few business websites simply disappeared – and their data too. The message here is that your data, even if your business is carried out in Indonesia for example, is subject to these jurisdictions.

It can also be important to know which countries your cloud provider operates in. Even if your data does not leave your local country, if the provider is a US based company, US jurisdiction can apply to your data. This was highlighted recently when Microsoft was introducing a new cloud service and admitted that data stored in Europe could be accessed by US authorities.

In the UK and Europe we have legislation such as the Freedom of Information Act, EU Data Protection Directive or the banking-driven Basel II to consider. The US Sarbanes-Oxley Act from 2002 also imposes laws on the retention of data. It’s fair to say that the legislation surrounding use of the cloud is a topic for significant consideration (though in reality, it’s already the case for any data you hold that it is subject to numerous and complex standards and laws).

The type of data you store in the cloud can also have an impact on where it can be located and how it is managed – legislation normally relates to certain types of personal/medical data and where this can be stored. For commercial data it is down to to owner to understand the impact of where the data is stored and to assess the implication of legislation on their business.

Whether or not laws are changed, the issues need to be presented in a transparent fashion – and hence widely understood. Where many of us in the industry will be comfortable with a solid piece of technological advancement, we don’t have the legal know-how to navigate a legislative minefield.

I believe that there needs to be within the industry, recognition of the factors which determine the security of data – beyond the technological challenges. Hardware and software vendors, service providers, end-users and even governments themselves need to be alert to the impact this will have on the advancement of cloud computing – and hence to the democratisation of computing services which will be critical in the expansion of many businesses and economies.

Topic: Cloud

Alan Priestley

About Alan Priestley

I'm a multi-year Intel veteran, and currently hold the role of Strategic Marketing Director within EMEA.

My time with Intel began with a role supporting all the PC design accounts in the UK - back in the days when the i286 was the latest and greatest processor on the Intel roadmap. Since then, I've moved through various technical and product marketing roles, including being responsible for launching the Xeon processor product line in EMEA and managing the Itanium program office.

At present, I'm responsible for Intel's high-end server business and Cloud Marketing strategy in EMEA. This puts me at the hub of major developments in both server technology, and the cloud ecosystem it's powering. I'm now very involved with the Intel Cloud Builders programme.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This is all true, and all good stuff. The only problem in my view with over-reliance on legislation -- and it surely has a role in data security -- is that it's like a bigger, more powerful version of an SLA. It can fix things after the fact but rarely gets involved before things go wrong.

    It's going to be tough for cloud providers to fix this. I think at the very least it will take time and a lot of successful case studies.
    Manek Dubash
  • I think the real issue here is that legislation has to evolve to comprehend the global nature of cloud computing and that we need to avoid businesses (small and large) being constrained in how they use cloud computing by lack of understanding of the issues, and risks, at hand. The EU recently held a public consultation on the issues relating to cloud computing and various industry groups have work on-going with the EU to map out the key issues that need to be addressed and to assess how current legislation will work in a cloud based compute environment.