Whose data is it anyway?

Don't lose control - or get paranoid

Hosted apps

Losing control of one’s data is among the first concerns that arise when software as a service (SaaS) is mentioned. Fans may point out the merits of applications running in the cloud, but it’s not the software we worry about, it’s what happens, or might happen, to our data.

As one Reg reader put it in a recent survey:

“I'm sure that the services offered are reliable, but storing critical business data that should not see the light of day is the main concern here.”

More IT professionals are having to think about hosted services, however. Whether it’s considering SaaS to offload some of the IT burden, or dealing with pressure from the business to go down the cloud route, it is becoming harder for them to escape the discussion.

So what do you need to consider when it comes to SaaS and data management?

The most obvious point is how much ownership and control of your data you retain. It should be straightforward enough, but feedback from Reg readers confirms that you need to be careful.

“[We had a] bad experience with a SaaS accounts service. We found we didn't own our own accounts info and couldn't get it back when the supplier hit problems.”

“A lot depends on the provider and the transparency and liabilities set forth in service contracts.”

Comments such as these highlight the need to review contracts thoroughly. Providers that primarily target mainstream business use, or have a division dedicated to business customers, will usually be very explicit about data ownership, but you still need to check. Contracts are fine for defining what parties are obliged to do but can often leave the door open to other activity. Is there anything to prevent the provider accumulating statistics on your system usage or the shape of your data and selling this on to third parties? Again, serious business-oriented providers are likely to address such concerns head on.

Another important question is where the provider is permitted to store your data. SaaS delivery knows no geographic boundaries. A provider can serve customers in Europe from a data centre in the USA, or vice versa. Global players might even distribute your data across several countries or move it around as they tune their operations.

Cloud purists say the whole point of SaaS is that you don’t have to worry about such things, but quite a few legislators and regulators would disagree. This may not be an issue, depending on your industry, geographic location and the type of data you handle, but it’s a concern highlighted by some readers:

“A major problem for us is data protection legislation. We can't legally store some data outside Europe.”

“I have little or no control over what physical location (which country) my data is stored in. This may violate legislated controls as required by my own country.”

We also need to consider customers, suppliers and trading partners. If you are exchanging sensitive information with them, you may well be under certain obligations that are not immediately obvious. You might be a small organisation that flies under the radar of regulatory bodies, but how would big customers like it if you stored copies of their confidential documents in places they would never use themselves because of security, privacy or regulatory fears? They might get really spooked if your provider was using a budget hosting facility in the developing world under a dodgy regime.

At the other end of the scale, some Reg readers worry that their data might be abused by a superpower.

“I think we can all expect the USA to mine data at will if they decide to, having decided the data is stored on a device physically in their jurisdiction.”

“US SaaS providers are inherently untrustworthy as long as the Patriot Act is in place.”

Conspiracy theory? Excessive paranoia? Perhaps, but the recent stories about Amazon and Wikileaks have certainly sent the wrong signals in hinting at government interference with cloud providers.

The principle that you can outsource the storage of data but not the legal responsibility for controlling its use is not likely to change. You must therefore do your research before committing to any provider that will handle important or sensitive information on your behalf.

That said, we should keep a sense of perspective. Scary though it all sounds, the loose manner in which many organisations protect their data is even scarier. As some readers point out, your data could be safer in the hands of a service provider whose business is based on protecting it effectively:

“SaaS provider business models are built on their ability to provide 'weapons grade' security.”

“SaaS providers' entire business rides on the operation and availability of the systems. They know this [and invest] to ensure all expectations are met.”

The advice is therefore to determine what matters to you and do your homework before signing a SaaS service agreement. Get it wrong and you could be seriously exposed, but the right arrangement with the right provider could put you in a stronger position.
