Feeds

Data ownership becomes fuzzy in the cloud

Stand up for your rights

Internet Security Threat Report 2014

If Facebook has taught us nothing else, it is that people can be cavalier about protecting their data.

The social networking giant has forced consumers to think differently about their data: have I just handed over the rights to the photos of my kids? Am I going to appear on my friends' pages endorsing fashion leggings thanks to a throwaway remark about “legging it” to catch a bus?

In the same way, cloud computing forces companies to re-evaluate what data ownership means.

After all, when it comes to migrating critical company data to the cloud, no one in their right mind would sign a contract that gave away ownership of that data, would they?

Turns out, the question is not so simple to answer. Reg reader “Jerren” gets to the crux of the matter in this comment:

“More important questions to ask are where exactly is my data located in the cloud and how many others share that same storage? Are the backups of that storage segregated or are they mixed together? Why, you ask? Well all it takes is one warrant for all data, tapes and servers for company XYZ which live on the same infrastructure as yours to ruin your whole company. If they are mixed (and most are, again for cost savings) not only did you lose your servers (easy to replace) and the SANs (a little harder to replace, and will take a while), but your backups as well!

“Possession is 9/10 of the law. In the US the hosting provider owns the servers, the storage, and the backups. In many courts they own your data unless a clear agreement is in place. Even so that agreement will not save you from a shutdown in the scenario above.”

In March 2011, the UK’s National Computing Centre published research highlighting data control issues as a serious obstacle to cloud adoption in the UK.

No surrender

Although respondents were keen on the cloud concept, surrendering control of data ranked as their biggest concern. A lack of common security standards and portability of data were also highlighted.

Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, says the problem is that although cloud is increasingly mainstream (defined as a technology one’s parents start to enquire about), it is still immature, especially on the non-technical front.

In the scenario outlined by Jerren, Jensen says it is not at all clear what a company could do to manage or mitigate the risk.

Beware bombs

He describes it as “an absolute legal minefield to which there are no clear answers”, and thinks that in some companies the lawyers could end up in charge of the IT policy.

“If the server is an off-premise private cloud then any data will be completely independent of any other company’s data at the application level,” he says.

“But they could be stored on the same disk subsystem – how the data was seized might define whether or not data from two or more companies was taken.

“There are different implications based on the application or solution itself; how its data is architected, separated and managed; how the storage solution is configured to support it, and at what level a data seize would occur (application export, application database level or storage level); whether the data seize would render the application unusable; what country the data is located in and which jurisdiction applies."

For Conor Callanan, chief executive of UK reseller CoreGB, jurisdiction is the key to solving the problem. He recommends keeping data in the EU.

“In the US, they can walk in and grab the servers

“The EU and the US have very different laws about access to data,” he says. “In the EU, law enforcement has to make a request for data, which the hosting company downloads and hands over to the authorities.

“In the US, they can walk in and grab the servers. Safe Harbor agreements don’t come in to it. Store your data in Canada, Latin America, anywhere you like, but not in the States.”

If a company cannot accept standard liability waivers, or needs forensic examination rights, for example, the requirements could quickly go beyond those a hosting company is prepared or able to accommodate on a public cloud system.

When does it get to a point where it no longer makes sense to move into the cloud?

“In the end, the decision factors for any organisation wanting to go into the cloud will need to include these considerations, and it may well be that it doesn’t make financial, legal or compliancy sense to move away from locally managed infrastructure,” Jensen says.

Moment of truth

The cut-off point for customisation is where the costs approach those of running a private cloud. Once you get there, why switch to a cloud service at all?

A private cloud can be cheaper, simply by virtue of geography. But there are considerations that go beyond cost savings: companies still move from capital expenditure to operational expenditure, and they don’t have the hassle of managing the data centre themselves.

As Callanan says, “People have been doing this for years, they just haven’t called it cloud.” ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS
Trio of XSS turns attackers into admins
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.