Whose data is it anyway?

Don't lose control - or get paranoid

Losing control of one’s data is among the first concerns that arise when software as a service (SaaS) is mentioned. Fans may point out the merits of applications running in the cloud, but it’s not the software we worry about, it’s what happens, or might happen, to our data.

As one Reg reader put it in a recent survey:

“I'm sure that the services offered are reliable, but storing critical business data that should not see the light of day is the main concern here.”

More IT professionals are having to think about hosted services, however. Whether it’s considering SaaS to offload some of the IT burden, or dealing with pressure from the business to go down the cloud route, it is becoming harder for them to escape the discussion.

So what do you need to consider when it comes to SaaS and data management?

The most obvious point is how much ownership and control of your data you retain. It should be straightforward enough, but feedback from Reg readers confirms that you need to be careful.

“[We had a] bad experience with a SaaS accounts service. We found we didn't own our own accounts info and couldn't get it back when the supplier hit problems.”

“A lot depends on the provider and the transparency and liabilities set forth in service contracts.”

Comments such as these highlight the need to review contracts thoroughly. Providers that primarily target mainstream business use, or have a division dedicated to business customers, will usually be very explicit about data ownership, but you still need to check. Contracts are fine for defining what parties are obliged to do but can often leave the door open to other activity. Is there anything to prevent the provider accumulating statistics on your system usage or the shape of your data and selling this on to third parties? Again, serious business-oriented providers are likely to address such concerns head on.

Another important question is where the provider is permitted to store your data. SaaS delivery knows no geographic boundaries. A provider can serve customers in Europe from a data centre in the USA, or vice versa. Global players might even distribute your data across several countries or move it around as they tune their operations.

Cloud purists say the whole point of SaaS is that you don’t have to worry about such things, but quite a few legislators and regulators would disagree. This may not be an issue, depending on your industry, geographic location and the type of data you handle, but it’s a concern highlighted by some readers:

“A major problem for us is data protection legislation. We can't legally store some data outside Europe.”

“I have little or no control over what physical location (which country) my data is stored in. This may violate legislated controls as required by my own country.”

We also need to consider customers, suppliers and trading partners. If you are exchanging sensitive information with them, you may well be under certain obligations that are not immediately obvious. You might be a small organisation that flies under the radar of regulatory bodies, but how would big customers like it if you stored copies of their confidential documents in places they would never use themselves because of security, privacy or regulatory fears? They might get really spooked if your provider was using a budget hosting facility in the developing world under a dodgy regime.

At the other end of the scale, some Reg readers worry that their data might be abused by a superpower.

“I think we can all expect the USA to mine data at will if they decide to, having decided the data is stored on a device physically in their jurisdiction.”

“US SaaS providers are inherently untrustworthy as long as the Patriot Act is in place.”

Conspiracy theory? Excessive paranoia? Perhaps, but the recent stories about Amazon and Wikileaks have certainly sent the wrong signals in hinting at government interference with cloud providers.

The principle that you can outsource the storage of data but not the legal responsibility for controlling its use is not likely to change. You must therefore do your research before committing to any provider that will handle important or sensitive information on your behalf.

That said, we should keep a sense of perspective. Scary though it all sounds, the loose manner in which many organisations protect their data is even scarier. As some readers point out, your data could be safer in the hands of a service provider whose business is based on protecting it effectively:

“SaaS provider business models are built on their ability to provide 'weapons grade' security”.

“SaaS providers' entire business rides on the operation and availability of the systems. They know this [and invest] to ensure all expectations are met.”

The advice is therefore to determine what matters to you and do your homework before signing a SaaS service agreement. Get it wrong and you could be seriously exposed, but the right arrangement with the right provider could put you in a stronger position.
