Why the Patriot Act deserves more attention

30th September 2011

Amidst all the hype surrounding cloud security, the topic of data protection can sometimes struggle to get the deliberation it deserves. However, as David Terrar explains, the issues relating to global governance, and in particular the Patriot Act, are ones that deserve far more attention from the cloud industry, and appear to have no near-term resolution in sight.

Cloud security and the Patriot Act
David Terrar, D2C

Security can be an emotional rather than a logical issue in the Cloud. At a recent Cloud Accounting event I chaired a panel aimed at debunking the myths of Cloud. All of the panellists cited security as the myth that annoyed them the most.

Cloud providers can invest in their infrastructure to handle backup, failover, continuous operation, hardware firewalls, hacker protection, physical security of the data centre and login security measures, and then share the cost over their community of users. It means that a cloud solution has the potential to be much more secure than the typical company's in-house security, on-premise applications and backup procedures.

For the average SME the comparison can be significant. Ironically, at that panel session I mentioned earlier, even though we started with cloud security issues being a myth, over 75% of the question time was spent on security!

One aspect of this topic that definitely needs more clarity is data security, in particular because of the Patriot Act and the cultural divide between Europe and the USA over how we handle personal data. In the EU we're all about regulation and compliance protecting the rights of the individual, so in the UK we must conform to the Data Protection Act 1998. In the USA things are different. Although there are vertical regulations for things like medical records, the attitude to data is more governed by market forces, along with the heightened attention on security issues arising out of 9/11 ten years ago.

Just six weeks after those attacks "The Patriot Act", or to give its full title the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001", came into being. It dramatically reduced restrictions on the various US law enforcement agencies in their ability to search telephone and e-mail communications, and medical, financial and other records, including foreign intelligence gathering within the United States. Search warrants can be executed without immediately informing their targets. A recent New York Magazine feature highlights that the act has been used 1,618 times investigating drug offences, 122 times for fraud, but only 15 times for the terrorism that it was intended for.

US companies who host and store data can comply with a "Safe Harbor" agreement between the USA and the EU, which is intended to provide the data protection required by our laws. However, back in June at the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that data stored in their Cloud, regardless of where it is in the world, is not protected from the Patriot Act. Earlier this month Google also confirmed to Germany's WirtschaftsWoche that their servers in Europe have no protection from it. That means that UK and European Cloud companies can spread some FUD (fear, uncertainty and doubt) and get a short-term advantage over their US competitors. I've already heard of one UK government project being shelved 3 months into development on a well-known US PaaS, once this issue came to light.

I've spoken to European Cloud providers who are using US providers as part of their cloud supply chain, and they tell me they are making sure their data is stored only in Europe, and that their contract is with a European subsidiary rather than the US parent. Salesforce have recently announced their Data Residency Option (DRO) in part to address this kind of issue.

With the current political climate in the US I can't see the Patriot Act changing any time soon. Here is a situation where legislation hasn't caught up with the state of current technology and that will restrict the choice for vendors and customers. This highlights the need for Cloud providers to be transparent about the supply chain that underpins their service, and for the industry to provide clarity on the real legal situation.

As a buyer you need to go in with your eyes open and check how and where your data is stored, consider the data protection implications and decide your own position on The Patriot Act. This is a big topic that, up to now, hasn't got the attention it deserves.

David Terrar heads up D2C, a consulting firm which provides business and social media consulting and cloud-based solutions for content, collaboration, web publishing, online accounting and ERP. In addition he is Executive Director of ITBrix LLC, the software company that creates WordFrame Integra, the web publishing and collaboration platform, and PageTypes their CMS. He is Chair of the UK's Intellect Software as a Service Group, a director of EuroCloud UK and on the governance board of the Cloud Industry Forum. For more articles on cloud computing and social media from David, visit his blog here.
