Do you know where your data is stored?

Cloud computing means that you don't care about where the data is stored, and that your data is secure. Never mind that some contracts might suggest that your data is backed up when it fact it isn't, at least it's being run by people who know what they're doing, and you don't have to go through the hassle of employing them.

But hold on! It's not quite as simple as that, as one of my PC Magazine colleagues used to be fond of saying. Security remains the top concern of CIOs as every survey shows and as I've remarked before. While many cloud providers are working hard and successfully to allay those fears, there's one phenomenon for which they can offer little reassurance: the US Government's Patriot Act.

When a provider sets up a datacentre and rents out the gubbins inside to all and sundry, there's usually a multiplicity of clauses explaining how secure the customers' data is. There will be fences, security systems, cameras, multiple levels of authentication, backup generators, batteries, windows-free walls, flood and earthquake defence systems -- I could go on.

None of these is defence enough against the US Government which, if it takes it into its head that there's data in a datacentre that it wants, can just walk into the facility and take some servers away. We know this because it happened.

A Swiss hosting provider with servers in Virginia, USA, suffered an incursion by the FBI who pulled the cables out of 62 servers in the provider's datacentre. It didn't matter if the servers had other people's data on them, nor whether all the servers were actually required for the investigation. The FBI was looking for three machines, identified by three IP addresses which the hoster, DigitalOne, had supplied. However, the Feds then turned up, just pulled out the plugs and took away all machines in the same enclosure as the three with the required IP addresses.

The FBI later returned the 59 boxes with different IP addresses but the damage was done. According to DigitalOne, it took three days to rebuild the machines, resulting in huge disruption to the business and to its customers. Speculation is that the servers were being shared by multiple customers.

What do we learn from this? That your data, if stored in the US, is one layer less safe from disruption than you thought, even if it's not shared, even if it is dedicated to you. It has only to be in the same enclosure to be at risk. OK, that risk is relatively low but it does mean that complete redundancy is not just nice to have. It's essential -- just in case.