Kevin Phillips outlines the delicate balance for those wanting to realise the benefits of cloud computing but needing to comply with local, national and international law.
Like the wheel or the printing press, cloud computing is more exciting because of what it enables, rather than for its own sake. Much has already been written about what the cloud allows us to do: from launching new economy businesses such as Netflix and Airbnb, to saving money through processing elasticity, to gaining access to new services and capabilities.
And, despite security still being the number one concern when implementing cloud, we’ve recently been very starkly reminded how cloud-based infrastructure can be more secure than on-premise, thanks to the WannaCry ransomware attack and the unrelated catastrophic systems failure at British Airways. Both of these affected on-premise data.
For us, data security is just one of the many issues we deal with in running our varied businesses. A cloud provider’s business is data and its protection, so they should be better at it than you or me.
Too often we forget that, although the name sounds fluffy and intangible, cloud computing is based on some very real infrastructure, housed in complex, highly secure, and some might say, black box-esque, buildings very possibly located in a different country to you, your customers, and even your cloud provider.
This is where the red flag goes up. Not because sensitive private and personal data is being moved offshore though. Frankly, in terms of access, thanks to increasing bandwidth it is irrelevant whether your data is housed next door or on the opposite side of the planet.
Rather, a perfect storm is brewing as legislation attempts to catch up with technology and the globalisation of digital communications. In the balance is the protection of private and personal data, weighed up against a growing reliance on data, especially encrypted information, to predict and prevent acts of terror, and arrest those responsible.
The cloud spreads data around the globe, creating concerns around the protection of personal information, and as a result, a number of countries are legislating around this issue.
In South Africa, for example, companies are required to comply with the newly legislated Protection of Personal Information (POPI) Act. This law brings us in line with global best practice when it comes to how private data is collected, processed, stored and shared by setting the conditions for how companies can legally handle information. The new law prohibits businesses from transferring personal information to a third party in a foreign country unless they get consent at the time of gathering the information. So far, so good, if a bit of an administrative headache, especially in a time of such rapid change.
However, in response to the recent atrocities and the use made of internet communications by terrorist organisations, there are moves afoot in the US to legislate that data stored by an American company — wherever it is stored in the world — is accessible, unencrypted, to US law enforcement. There is also discussion of reciprocal agreements that allow countries to gain access to information stored in each other’s geographies, and, indeed, the newly passed “Snooper’s Charter” in the UK, which places onerous and illogical demands on hosting providers to leave backdoors in their encryption for government access. All of these step on or over the line of privacy of one’s data.
Hosting companies that aren’t US or UK organisations will simply move their operations to other countries where these agreements are not in place. But the reality is that the hosting giants are US companies, not to mention that the country contains much of the world’s internet infrastructure.
So where does this leave businesses around the world, wanting to realise the benefits of cloud computing, but also needing to comply with local legislation? Are they and their customers simply excluded from the benefits, growth and innovation opportunities presented by the cloud? What is certain is that they will be looking very closely at the implications of their cloud decisions, and where and how their data is stored.
To be sure, the fight against terrorism is vital, but let’s not, in the process, destroy the cloud’s silver lining.