Whose data is it anyway?

Don't lose control - or get paranoid

Hosted apps: Losing control of one’s data is among the first concerns that arise when software as a service (SaaS) is mentioned. Fans may point out the merits of applications running in the cloud, but it’s not the software we worry about, it’s what happens, or might happen, to our data.

As one Reg reader put it in a recent survey:

“I'm sure that the services offered are reliable, but storing critical business data that should not see the light of day is the main concern here.”

More IT professionals are having to think about hosted services, however. Whether it’s considering SaaS to offload some of the IT burden, or dealing with pressure from the business to go down the cloud route, it is becoming harder for them to escape the discussion.

So what do you need to consider when it comes to SaaS and data management?

The most obvious point is how much ownership and control of your data you retain. It should be straightforward enough, but feedback from Reg readers confirms that you need to be careful.

“[We had a] bad experience with a SaaS accounts service. We found we didn't own our own accounts info and couldn't get it back when the supplier hit problems.”

“A lot depends on the provider and the transparency and liabilities set forth in service contracts.”

Comments such as these highlight the need to review contracts thoroughly. Providers that primarily target mainstream business use, or have a division dedicated to business customers, will usually be very explicit about data ownership, but you still need to check. Contracts are fine for defining what parties are obliged to do but can often leave the door open to other activity. Is there anything to prevent the provider accumulating statistics on your system usage or the shape of your data and selling this on to third parties? Again, serious business-oriented providers are likely to address such concerns head on.

Another important question is where the provider is permitted to store your data. SaaS delivery knows no geographic boundaries. A provider can serve customers in Europe from a data centre in the USA, or vice versa. Global players might even distribute your data across several countries or move it around as they tune their operations.

Cloud purists say the whole point of SaaS is that you don’t have to worry about such things, but quite a few legislators and regulators would disagree. This may not be an issue, depending on your industry, geographic location and the type of information you handle, but it’s a concern highlighted by some readers:

“A major problem for us is data protection legislation. We can't legally store some data outside Europe.”

“I have little or no control over what physical location (which country) my data is stored in. This may violate legislated controls as required by my own country.”

We also need to consider customers, suppliers and trading partners. If you are exchanging sensitive information with them, you may well be under certain obligations that are not immediately obvious. You might be a small organisation that flies under the radar of regulatory bodies, but how would big customers like it if you store copies of their confidential documents in places they would never do themselves because of security, privacy or regulatory fears? They might get really spooked if your provider was using a budget hosting facility in the developing world under a dodgy regime.

At the other end of the scale, some Reg readers worry that their data might be abused by a superpower.

“I think we can all expect the USA to mine data at will if they decide to, having decided the data is stored on a device physically in their jurisdiction.”

“US SaaS providers are inherently untrustworthy as long as the Patriot Act is in place.”

Conspiracy theory? Excessive paranoia? Perhaps, but the recent stories about Amazon and Wikileaks have certainly sent the wrong signals in hinting at government interference with cloud providers.

The principle that you can outsource the storage of data but not the legal responsibility for controlling its use is not likely to change. You must therefore do your research before committing to any provider that will handle important or sensitive information on your behalf.

That said, we should keep a sense of perspective. Scary though it all sounds, the loose manner in which many organisations protect their data is even scarier. As some readers point out, your data could be safer in the hands of a service provider whose business is based on protecting it effectively:

“SaaS provider business models are built on their ability to provide 'weapons grade' security”.

“SaaS providers' entire business rides on the operation and availability of the systems. They know this [and invest] to ensure all expectations are met.”

The advice is therefore to determine what matters to you and do your homework before signing a SaaS service agreement. Get it wrong and you could be seriously exposed, but the right arrangement with the right provider could put you in a stronger position.
