Friday, April 17, 2009 9:54 AM
Cloud computing holds great promise to the next evolution of business and consumer computing. Amazon has been in the cloud computing game for a while now. In addition to their Azure platform for hosting cloud applications, Microsoft also has online services for pictures, blogs, videos, and files. Google has similar software-as-a-service offerings as well. As other companies bring their offerings to the market, we’ll see more and more options to store our data and files “in the cloud”.
But in our own technology industry bubble we sometimes forget that our industry lives in a world made up of countries, borders, and varying laws carried out by those governments. While the term of “cloud” may give us the image of data floating in the sky high above us, the reality is that its actually stored on hard drives in servers that reside on land governed by some authority.
This adds an interesting slant to planning for hosting your application and/or your data with a cloud service: What are the privacy/security laws governing where your data will reside? Just because a company offers a privacy policy or offers guarantees on securing your data, those may be mute when compared to laws that the service provider must abide by.
Consider Lakehead University in Thunder Bay, Ontario. Lakehead turned to Google as a low cost solution to their aging computer system last year. From a cost savings it was great, but there was one major trade off:
The faculty was told not to transmit any private data over the system, including student marks.
The reason? Because the data would reside on Google’s servers in the USA. And because they were hosted there, they could be viewed by the US Government under the Patriot Act. From the article:
Security experts say many firms are only just starting to realize the risks they assume by embracing Web-based collaborative tools hosted by a U.S. company, a problem even more acute in Canada where federal privacy rules are at odds with U.S. security measures.
Blogger Richard Watson suggests that customers in the European Union should also be cautious about utilizing cloud or saas options in the US even with the Safe Harbor arrangement. From his post:
One universal concern about hosting data in external clouds is data privacy. Heretofore, concerns of EU companies included the fact that storing personal data in "third countries" violated the EU's Data Protection Act. Of far more of concern now is that local data regulations in the provider's jurisdiction (especially the US Patriot Act), could be prioritized over international Safe Harbor arrangements designed to broker the local and guest privacy regulations.
There’s also new and perspective laws being offered, approved, and rejected within governments every day. Consider the new Cybersecurity Bill being proposed in the United States? From a Center for Democracy and Technology headline:
A cybersecurity bill introduced today in the Senate would give the federal government extraordinary power over private sector Internet services, applications and software. The Cybersecurity Act of 2009 would, for example, give the President unfettered power to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network on national security grounds. The bill would grant the Commerce Department the ability to override all privacy laws to access any information about Internet usage in connection with a new role in tracking cybersecurity threats. The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the government unprecedented control over computer software and Internet services, threatening innovation, freedom and privacy.
We need to be thinking outside of our own industry box when considering our system’s data, where its being stored, and even where its being transferred through. We also need to be aware of what is going on politically within the countries our service providers may reside in so that we understand all aspects of entering a service agreement. Whether we like it or not, the cloud computing revolution will require us to be more aware of the world outside of our system domains.
D