Many people have become fixated with issues of security in the cloud. For some it seems to be the first and last thing they think of when exploring the concept. But technological advancements, including those I discussed in my previous post about secure compute pools, are making the security question a less daunting one. What lies more outside the hands of the business are the jurisdictional constraints on how and where data is stored.
A recent blog in the Back Office section of this site discussed the risks that you face if data is held in the US, where the Patriot Act gives law enforcement great freedom to ‘explore’ your data. In the example given, the FBI swooped on a data centre to seize data from a single account. The agents were unable to identify the relevant server and so took complete racks in the course of their investigation. As a result, quite a few business websites simply disappeared – and their data too. The message here is that your data, even if your business is carried out in Indonesia for example, is subject to these jurisdictions.
It can also be important to know which countries your cloud provider operates in. Even if your data does not leave your local country, if the provider is a US based company, US jurisdiction can apply to your data. This was highlighted recently when Microsoft was introducing a new cloud service and admitted that data stored in Europe could be accessed by US authorities.
In the UK and Europe we have legislation such as the Freedom of Information Act, EU Data Protection Directive or the banking-driven Basel II to consider. The US Sarbanes-Oxley Act from 2002 also imposes laws on the retention of data. It’s fair to say that the legislation surrounding use of the cloud is a topic for significant consideration (though in reality, it’s already the case for any data you hold that it is subject to numerous and complex standards and laws).
The type of data you store in the cloud can also have an impact on where it can be located and how it is managed – legislation normally relates to certain types of personal/medical data and where this can be stored. For commercial data it is down to the owner to understand the impact of where the data is stored and to assess the implications of legislation for their business.
Whether or not laws are changed, the issues need to be presented in a transparent fashion – and hence widely understood. Where many of us in the industry will be comfortable with a solid piece of technological advancement, we don’t have the legal know-how to navigate a legislative minefield.
I believe that there needs to be, within the industry, recognition of the factors which determine the security of data – beyond the technological challenges. Hardware and software vendors, service providers, end-users and even governments themselves need to be alert to the impact this will have on the advancement of cloud computing – and hence on the democratisation of computing services, which will be critical to the expansion of many businesses and economies.