Sysadmins: Keep YOUR data away from NSA spooks
Hide cloudy bytes away with our data sovereignty checklist
Readers' corner During a meeting this week I had a question put to me that almost every client asks at some point: will our data remain our data even after we send it rocketing into the cloud?
I love this question simply because it means I’m making progress getting companies up to speed on their IT requirements. What set this encounter apart was the unexpected question that followed: “What about the sovereignty of our data?”
I have researched data sovereignty issues for my clients since the NSA's PRISM project first hit the news - and I think I’m about ready to answer this question. So let’s take a look at what I’ve learnt about data sovereignty.
It’s not about who owns your data
First, we need to establish this: It’s NOT about who owns your data. With few exceptions, the EULA (that lengthy end-user licence agreement) of every cloud service explicitly states that you retain ownership of all data.
The key lies in the word "sovereignty". Dictionary.com defines it as “supreme and independent power or authority in government as possessed or claimed by a state”. So when we refer to data sovereignty we are actually referring to who has supreme power and authority over your data.
Every business is subject to the laws of the city, state and country in which they practice. They are required to satisfy audit requirements for taxation authorities, and in locations where there is a relevant authority, for data security as well. This is part of the cost of doing business and we all understand that some of the data we provide these companies will be forwarded, when deemed necessary, to the relevant authorities for purposes they deem necessary.
Do you know to whom your cloud service provider is sovereign?
In almost every EULA created by a reputable company that I’ve ever read there is a section that looks something like the following:
Excerpt taken from the Microsoft Services Agreement on 9 July, 2013 (click to enlarge).
Section 5.3 is what we’re really interested in. It’s worded lightly enough to make you think that when Microsoft talks of offering up your data to “government entities” it means the government in the location in which you reside. Are you willing to bet your entire career or business guaranteeing that IT vendors do this? I am certainly not. When evaluating any cloud service provider we should ask these questions:
- Is there a government to which they are sovereign?
- Is this government a “Foreign Power”?
- Is our data now sovereign to a foreign power even though we specifically retain ownership of that data?
Know your privacy requirements and limit your liability
Every small and medium-sized enterprise that deals with data from the public is no doubt aware of the privacy requirements of their jurisdiction. Today’s clients are more privacy-aware than any group of consumers has ever been before. And thanks to our US brothers they are also the most litigious they’ve ever been. They know their rights and expect to have their privacy protected with more skill, forethought and panache than ever.
How can we protect our client’s data when it’s subject to the sovereignty of a foreign power? Especially if we believe the hype surrounding PRISM, when that foreign power has carte blanche access to our data without advising us it has done so, and gagging the cloud service provider from telling us?
I wish there was an easy answer to this question. Put simply, we cannot guarantee the ultimate level of privacy required by our clients when using a cloud service that is sovereign to a foreign power. I am not just referring to US-based cloud services here: I’m no more trusting of services from Asia or Europe.
In effect, this leaves my clients with two options:
1. Get a hybrid solution (totally unfeasible for 95 per cent of my clients because of cost); or
2. Don’t use a cloud service at all. This is also unfeasible for a large percentage of my clients. There are some things it just makes sense to use the cloud for.
When answering the question for my client, I told him what I tell every client: I cannot guarantee the safety of any data that is transferred anywhere around the world. I cannot guarantee the safety of any data that sits on a physical server. I have never provided a 100 per cent guarantee of anything and I never will. Any one of a trillion possibilities could occur and render null and void every security precaution we have taken.
Even so, there is good reason for me to worry. We have a duty of care to our clients to ensure that, as much as possible, our client’s data, and its sovereignty, is protected.
So how do we proceed then? Here are my recommendations for maintaining the sovereignty of data belonging to you and your clients.
1. Go local when and where you can. For some countries this will be a difficult proposition. But it’s getting easier as cloud services trickle down and your local vPosse will be able to help with recommendations.
2. When going global, maintain data sovereignty awareness. Sometimes, you just can’t go local. Read the EULA and do your homework.
3. Make your clients aware of potential issues with data sovereignty. Get liability waivers signed by the client. Even with the current absence of law, they should be enough to save your ass.
Data sovereignty is a loaded gun. It’s an issue just waiting for a test case. Protect yourself and your clients lest you be the one setting the precedents And for all our sakes, read the EULA. Ignorance is NEVER an acceptable excuse. ®
Reg reader Aaron Milne supplies IT system architecture, R&D, sysadmin and contract evaluation services to SMEs. He lives in Brisbane, Australia.
Sponsored: Network DDoS protection