Feeds

Data ownership becomes fuzzy in the cloud

Stand up for your rights

High performance access to file storage

If Facebook has taught us nothing else, it is that people can be cavalier about protecting their data.

The social networking giant has forced consumers to think differently about their data: have I just handed over the rights to the photos of my kids? Am I going to appear on my friends' pages endorsing fashion leggings thanks to a throwaway remark about “legging it” to catch a bus?

In the same way, cloud computing forces companies to re-evaluate what data ownership means.

After all, when it comes to migrating critical company data to the cloud, no one in their right mind would sign a contract that gave away ownership of that data, would they?

Turns out, the question is not so simple to answer. Reg reader “Jerren” gets to the crux of the matter in this comment:

“More important questions to ask are where exactly is my data located in the cloud and how many others share that same storage? Are the backups of that storage segregated or are they mixed together? Why, you ask? Well all it takes is one warrant for all data, tapes and servers for company XYZ which live on the same infrastructure as yours to ruin your whole company. If they are mixed (and most are, again for cost savings) not only did you lose your servers (easy to replace) and the SANs (a little harder to replace, and will take a while), but your backups as well!

“Possession is 9/10 of the law. In the US the hosting provider owns the servers, the storage, and the backups. In many courts they own your data unless a clear agreement is in place. Even so that agreement will not save you from a shutdown in the scenario above.”

In March 2011, the UK’s National Computing Centre published research highlighting data control issues as a serious obstacle to cloud adoption in the UK.

No surrender

Although respondents were keen on the cloud concept, surrendering control of data ranked as their biggest concern. A lack of common security standards and portability of data were also highlighted.

Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, says the problem is that although cloud is increasingly mainstream (defined as a technology one’s parents start to enquire about), it is still immature, especially on the non-technical front.

In the scenario outlined by Jerren, Jensen says it is not at all clear what a company could do to manage or mitigate the risk.

Beware bombs

He describes it as “an absolute legal minefield to which there are no clear answers”, and thinks that in some companies the lawyers could end up in charge of the IT policy.

“If the server is an off-premise private cloud then any data will be completely independent of any other company’s data at the application level,” he says.

“But they could be stored on the same disk subsystem – how the data was seized might define whether or not data from two or more companies was taken.

“There are different implications based on the application or solution itself; how its data is architected, separated and managed; how the storage solution is configured to support it, and at what level a data seize would occur (application export, application database level or storage level); whether the data seize would render the application unusable; what country the data is located in and which jurisdiction applies."

For Conor Callanan, chief executive of UK reseller CoreGB, jurisdiction is the key to solving the problem. He recommends keeping data in the EU.

“In the US, they can walk in and grab the servers

“The EU and the US have very different laws about access to data,” he says. “In the EU, law enforcement has to make a request for data, which the hosting company downloads and hands over to the authorities.

“In the US, they can walk in and grab the servers. Safe Harbor agreements don’t come in to it. Store your data in Canada, Latin America, anywhere you like, but not in the States.”

If a company cannot accept standard liability waivers, or needs forensic examination rights, for example, the requirements could quickly go beyond those a hosting company is prepared or able to accommodate on a public cloud system.

When does it get to a point where it no longer makes sense to move into the cloud?

“In the end, the decision factors for any organisation wanting to go into the cloud will need to include these considerations, and it may well be that it doesn’t make financial, legal or compliancy sense to move away from locally managed infrastructure,” Jensen says.

Moment of truth

The cut-off point for customisation is where the costs approach those of running a private cloud. Once you get there, why switch to a cloud service at all?

A private cloud can be cheaper, simply by virtue of geography. But there are considerations that go beyond cost savings: companies still move from capital expenditure to operational expenditure, and they don’t have the hassle of managing the data centre themselves.

As Callanan says, “People have been doing this for years, they just haven’t called it cloud.” ®

High performance access to file storage

More from The Register

next story
Seagate brings out 6TB HDD, did not need NO STEENKIN' SHINGLES
Or helium filling either, according to reports
European Court of Justice rips up Data Retention Directive
Rules 'interfering' measure to be 'invalid'
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
USA opposes 'Schengen cloud' Eurocentric routing plan
All routes should transit America, apparently
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.