What nationality is the cloud? This question is getting harder to answer due to differing laws related to who owns data and who has access to it. However, technology could provide the best answer for global businesses to navigate the issues and to securely manage data in the cloud.
The great thing about the cloud, we were promised, was that we didn’t need to know where the data actually was stored; we just knew it would be available. But for corporate data, it’s getting more important to know where “home” is and to be able to respond to regional regulations and requirements. For example,in a recent court ruling, a U.S. company claimed the right to access customer data even when the data is stored offshore, sending up alarms in the European host country.
Many years ago, cloud providers (such as Microsoft and Amazon) started putting their server farms in locations around the world. Instead of the cloud provider reaching halfway across the planet and sending the data back and forth on a congested network, the data would be right in your own country, or somewhere off the beaten path that was less congested. Data could be moved around, or duplicated, depending on how many people wanted access to it, and where they were located.
But as time has gone on, countries began to make claims that data stored within their borders – even if it’s in the cloud – are subject to the country’s laws, such as Europe’s Data Protection Compliance regulations. And now some countries are upping the ante, saying that data owned by any company based in that country, or even any company doing business in that country, are also subject to its laws.
In addition, cloud providers face the complexity of an increasing number of customers who insist they don’t want their data stored in Country A, or they only want their data stored in Country B. In the post-Snowden era, these customers want to protect their data from being seized or spied upon by other countries or in other ways make the data subject to country-specific laws.
The situation in the UK makes the complexity of cross-border data management clear, as described by Rick Powles, senior vice president of sales in EMEA for Druva. “You could have a situation where a chain of retailers has its head office in London; it could have another 12 offices in European Union [EU] countries, where the retail company has retail outlets,” says Powles. “All those retail outlets collect data, which they in turn send to London for processing and storage. With current legislation, the UK office would be responsible and the primary point of contact should any issues arise.”
“However, the individual country retail outlets are still legally bound to be able to manage and process their local data in compliance with the laws and legislation of that country,” says Powles. “It’s quite possible – highly likely – that those local laws will differ from those of the U.K. And they will be different from country to country. You can already see how difficult and complex this is from the business point of view.”
What’s making things even more fraught is that countries are starting to claim control over data not just based on where the data itself is located, but based on where the company is located, or even predicated on a company doing business in the country. For example, Microsoft is currently fighting the U.S. government regarding an unnamed government agency claiming that it is entitled to have access to Microsoft user data that is actually stored in Ireland, simply because Microsoft is a U.S. company. Microsoft is fighting this through a series of legal maneuvers and appeals, not because it’s particularly defending the user in question but because of the legal precedent involved. Recognizing the potential ramifications, a number of other vendors, such as Apple, AT&T, Cisco, and Verizon – as well as the nonprofit Electronic Frontier Foundation – are also filing briefs in connection with the case. The EU is working on similar laws governing any company wanting to do business in the EU, Powles says.
So at this point, what’s a company to do to protect itself, protect its customers’ data, and, incidentally, stay out of jail? An effort is underway in the European Union to have at least a common set of data laws there, rather than individual laws for each country, Powles says, which would simplify the process. “That would be a huge leap forward compared with where we’ve been in the past,” he says. In the best case, the industry will end up with some common set of regulations, with which most vendors generally understand and can comply,” Powles says.
Meanwhile, it does not mean organizations cannot embrace the cloud. It does mean that part of the conversation between an organization engaged and its vendors who store data online (including Druva) is a one-on-one discussion about where data can and cannot be stored, and which controls are in place specific to regulations and compliance issues that pertain to the particular organization.
At the very minimum, businesses using a cloud storage solution need to scrutinize where data is stored for every user and how the cloud vendor stores their data, such as the type of file encryption used. Not all encryption is created equal, and there are varying levels of security and privacy of encryption technologies used by cloud providers. Druva’s approach to encryption using the two factor encryption model is a “‘zero knowledge” approach that offers protection of global enterprise data from breach and prohibits vendor access to your corporate data at any time — a level of security on par with a private cloud.
In addition, cloud storage providers like AWS are responding to the need for regional data regulation by opening more local hubs. Amazon Web Services (AWS) recently opened an office in Germany in part to help global businesses abide by Germany’s rigorous data regulations and EU Data Protection laws (which pleases Druva customers in Europe). This assures businesses that content stays within the EU as regulations require.
The issues of data sovereignty are thorny, and they get to the very nature of consumer privacy and national sovereignty. However, technologies and controls are rapidly evolving to keep pace with the shift to cloud transactions, even across borders. Being aware of the issues and the technology solutions helps your company navigate global growth in the era of cloud.