Whose data is it anyway?

Don't lose control - or get paranoid

Losing control of one’s data is among the first concerns that arise when software as a service (SaaS) is mentioned. Fans may point out the merits of applications running in the cloud, but it’s not the software we worry about, it’s what happens, or might happen, to our data.

As one Reg reader put it in a recent survey:

“I'm sure that the services offered are reliable, but storing critical business data that should not see the light of day is the main concern here.”

More IT professionals are having to think about hosted services, however. Whether it’s considering SaaS to offload some of the IT burden, or dealing with pressure from the business to go down the cloud route, it is becoming harder for them to escape the discussion.

So what do you need to consider when it comes to SaaS and data management?

The most obvious point is how much ownership and control of your data you retain. It should be straightforward enough, but feedback from Reg readers confirms that you need to be careful.

“[We had a] bad experience with a SaaS accounts service. We found we didn't own our own accounts info and couldn't get it back when the supplier hit problems.”

“A lot depends on the provider and the transparency and liabilities set forth in service contracts.”

Comments such as these highlight the need to review contracts thoroughly. Providers that primarily target mainstream business use, or have a division dedicated to business customers, will usually be very explicit about data ownership, but you still need to check. Contracts are fine for defining what parties are obliged to do but can often leave the door open to other activity. Is there anything to prevent the provider accumulating statistics on your system usage or the shape of your data and selling this on to third parties? Again, serious business-oriented providers are likely to address such concerns head on.

Another important question is where the provider is permitted to store your data. SaaS delivery knows no geographic boundaries. A provider can serve customers in Europe from a data centre in the USA, or vice versa. Global players might even distribute your data across several countries or move it around as they tune their operations.

Cloud purists say the whole point of SaaS is that you don’t have to worry about such things, but quite a few legislators and regulators would disagree. This may not be an issue, depending on your industry, geographic location and the type of information you handle, but it’s a concern highlighted by some readers:

“A major problem for us is data protection legislation. We can't legally store some data outside Europe.”

“I have little or no control over what physical location (which country) my data is stored in. This may violate legislated controls as required by my own country.”

We also need to consider customers, suppliers and trading partners. If you are exchanging sensitive information with them, you may well be under certain obligations that are not immediately obvious. You might be a small organisation that flies under the radar of regulatory bodies, but how would big customers like it if you store copies of their confidential documents in places they would never do themselves because of security, privacy or regulatory fears? They might get really spooked if your provider was using a budget hosting facility in the developing world under a dodgy regime.

At the other end of the scale, some Reg readers worry that their data might be abused by a superpower.

“I think we can all expect the USA to mine data at will if they decide to, having decided the data is stored on a device physically in their jurisdiction.”

“US SaaS providers are inherently untrustworthy as long as the Patriot Act is in place.”

Conspiracy theory? Excessive paranoia? Perhaps, but the recent stories about Amazon and Wikileaks have certainly sent the wrong signals in hinting at government interference with cloud providers.

The principle that you can outsource the storage of data but not the legal responsibility for controlling its use is not likely to change. You must therefore do your research before committing to any provider that will handle important or sensitive information on your behalf.

That said, we should keep a sense of perspective. Scary though it all sounds, the loose manner in which many organisations protect their data is even scarier. As some readers point out, your data could be safer in the hands of a service provider whose business is based on protecting it effectively:

“SaaS provider business models are built on their ability to provide 'weapons grade' security”.

“SaaS providers' entire business rides on the operation and availability of the systems. They know this [and invest] to ensure all expectations are met.”

The advice is therefore to determine what matters to you and do your homework before signing a SaaS service agreement. Get it wrong and you could be seriously exposed, but the right arrangement with the right provider could put you in a stronger position.
