Feeds

Data ownership becomes fuzzy in the cloud

Stand up for your rights

Designing a Defense for Mobile Applications

If Facebook has taught us nothing else, it is that people can be cavalier about protecting their data.

The social networking giant has forced consumers to think differently about their data: have I just handed over the rights to the photos of my kids? Am I going to appear on my friends' pages endorsing fashion leggings thanks to a throwaway remark about “legging it” to catch a bus?

In the same way, cloud computing forces companies to re-evaluate what data ownership means.

After all, when it comes to migrating critical company data to the cloud, no one in their right mind would sign a contract that gave away ownership of that data, would they?

Turns out, the question is not so simple to answer. Reg reader “Jerren” gets to the crux of the matter in this comment:

“More important questions to ask are where exactly is my data located in the cloud and how many others share that same storage? Are the backups of that storage segregated or are they mixed together? Why, you ask? Well all it takes is one warrant for all data, tapes and servers for company XYZ which live on the same infrastructure as yours to ruin your whole company. If they are mixed (and most are, again for cost savings) not only did you lose your servers (easy to replace) and the SANs (a little harder to replace, and will take a while), but your backups as well!

“Possession is 9/10 of the law. In the US the hosting provider owns the servers, the storage, and the backups. In many courts they own your data unless a clear agreement is in place. Even so that agreement will not save you from a shutdown in the scenario above.”

In March 2011, the UK’s National Computing Centre published research highlighting data control issues as a serious obstacle to cloud adoption in the UK.

No surrender

Although respondents were keen on the cloud concept, surrendering control of data ranked as their biggest concern. A lack of common security standards and portability of data were also highlighted.

Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, says the problem is that although cloud is increasingly mainstream (defined as a technology one’s parents start to enquire about), it is still immature, especially on the non-technical front.

In the scenario outlined by Jerren, Jensen says it is not at all clear what a company could do to manage or mitigate the risk.

Beware bombs

He describes it as “an absolute legal minefield to which there are no clear answers”, and thinks that in some companies the lawyers could end up in charge of the IT policy.

“If the server is an off-premise private cloud then any data will be completely independent of any other company’s data at the application level,” he says.

“But they could be stored on the same disk subsystem – how the data was seized might define whether or not data from two or more companies was taken.

“There are different implications based on the application or solution itself; how its data is architected, separated and managed; how the storage solution is configured to support it, and at what level a data seize would occur (application export, application database level or storage level); whether the data seize would render the application unusable; what country the data is located in and which jurisdiction applies."

For Conor Callanan, chief executive of UK reseller CoreGB, jurisdiction is the key to solving the problem. He recommends keeping data in the EU.

“In the US, they can walk in and grab the servers

“The EU and the US have very different laws about access to data,” he says. “In the EU, law enforcement has to make a request for data, which the hosting company downloads and hands over to the authorities.

“In the US, they can walk in and grab the servers. Safe Harbor agreements don’t come in to it. Store your data in Canada, Latin America, anywhere you like, but not in the States.”

If a company cannot accept standard liability waivers, or needs forensic examination rights, for example, the requirements could quickly go beyond those a hosting company is prepared or able to accommodate on a public cloud system.

When does it get to a point where it no longer makes sense to move into the cloud?

“In the end, the decision factors for any organisation wanting to go into the cloud will need to include these considerations, and it may well be that it doesn’t make financial, legal or compliancy sense to move away from locally managed infrastructure,” Jensen says.

Moment of truth

The cut-off point for customisation is where the costs approach those of running a private cloud. Once you get there, why switch to a cloud service at all?

A private cloud can be cheaper, simply by virtue of geography. But there are considerations that go beyond cost savings: companies still move from capital expenditure to operational expenditure, and they don’t have the hassle of managing the data centre themselves.

As Callanan says, “People have been doing this for years, they just haven’t called it cloud.” ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
Attack of the clones: Oracle's latest Red Hat Linux lookalike arrives
Oracle's Linux boss says Larry's Linux isn't just for Oracle apps anymore
THUD! WD plonks down SIX TERABYTE 'consumer NAS' fatboy
Now that's a LOT of porn or pirated movies. Or, you know, other consumer stuff
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
FLAPE – the next BIG THING in storage
Find cold data with flash, transmit it from tape
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.