Whose data is it anyway?

Hosted apps Losing control of one’s data is among the first concerns that arise when software as a service (SaaS) is mentioned. Fans may point out the merits of applications running in the cloud, but it’s not the software we worry about, it’s what happens, or might happen, to our data.

As one Reg reader put it in a recent survey:

“I'm sure that the services offered are reliable, but storing critical business data that should not see the light of day is the main concern here.”

More IT professionals are having to think about hosted services, however. Whether it’s considering SaaS to offload some of the IT burden, or dealing with pressure from the business to go down the cloud route, it is becoming harder for them to escape the discussion.

The principle that you can outsource the storage of data but not the legal responsibility for controlling its use is not likely to change.

So what do you need to consider when it comes to SaaS and data management?

The most obvious point is how much ownership and control of your data you retain. It should be straightforward enough, but feedback from Reg readers confirms that you need to be careful.

“[We had a] bad experience a with SaaS accounts service. We found we didn't own our own accounts info and couldn't get it back when the supplier hit problems.”

“A lot depends on the provider and the transparency and liabilities set forth in service contracts.”

Comments such as these highlight the need to review contracts thoroughly. Providers that primarily target mainstream business use, or have a division dedicated to business customers, will usually be very explicit about data ownership, but you still need to check. Contracts are fine for defining what parties are obliged to do but can often leave the door open to other activity. Is there anything to prevent the provider accumulating statistics on your system usage or the shape of your data and selling this on to third parties? Again, serious business-oriented providers are likely to address such concerns head on.

Another important question is where the provider is permitted to store your data. SaaS delivery knows no geographic boundaries. A provider can serve customers in Europe from a data centre in the USA, or vice versa. Global players might even distribute your data across several countries or move it around as they tune their operations.

Cloud purists say the whole point of SaaS is that you don’t have to worry about such things, but quite a few legislators and regulators would disagree. This may not be an issue, depending on your industry, geographic location and the type of data information you handle, but it’s a concern highlighted by some readers:

“A major problem for us is data protection legislation. We can't legally store some data outside Europe.”

“I have little or no control over what physical location (which country) my data is stored in. This may violate legislated controls as required by my own country.”

We also need to consider customers, suppliers and trading partners. If you are exchanging sensitive information with them, you may well be under certain obligations that are not immediately obvious. You might be a small organisation that flies under the radar of regulatory bodies, but how would big customers like it if you store copies of their confidential documents in places they would never do themselves because of security, privacy or regulatory fears? They might get really spooked if your provider was using a budget hosting facility in the developing world under a dodgy regime.

At the other end of scale, some Reg readers worry that their data might be abused by a superpower.

“I think we can all expect the USA to mine data at will if they decide to, having decided the data is stored on a device physically in their jurisdiction.”

“US SaaS providers are inherently untrustworthy as long as the Patriot Act is in place.”

Conspiracy theory? Excessive paranoia? Perhaps, but the recent stories about Amazon and Wikileaks have certainly sent the wrong signals in hinting at government interference with cloud providers.

The principle that you can outsource the storage of data but not the legal responsibility for controlling its use is not likely to change. You must therefore do your research before committing to any provider that will handle important or sensitive information on your behalf.

That said, we should keep a sense of perspective. Scary though it all sounds, the loose manner in which many organisations protect their data is even scarier. As some readers point out, your data could be safer in the hands of a service provider whose business is based on protecting it effectively:

“SaaS provider business models are built on their ability to provide 'weapons grade' security”.

“SaaS providers' entire business rides on the operation and availability of the systems. They know this [and invest] to ensure all expectations are met.”

The advice is therefore to determine what matters to you and do your homework before signing a SaaS service agreement. Get it wrong and you could be seriously exposed, but the right arrangement with the right provider could put you in a stronger position.