Sysadmins: Keep YOUR data away from NSA spooks

Hide cloudy bytes away with our data sovereignty checklist

Readers' corner: During a meeting this week I had a question put to me that almost every client asks at some point: will our data remain our data even after we send it rocketing into the cloud?

I love this question simply because it means I’m making progress getting companies up to speed on their IT requirements. What set this encounter apart was the unexpected question that followed: “What about the sovereignty of our data?”

I have researched data sovereignty issues for my clients since the NSA's PRISM project first hit the news - and I think I’m about ready to answer this question. So let’s take a look at what I’ve learnt about data sovereignty.

It’s not about who owns your data

First, we need to establish this: It’s NOT about who owns your data. With few exceptions, the EULA (that lengthy end-user licence agreement) of every cloud service explicitly states that you retain ownership of all data.

The key lies in the word "sovereignty". Dictionary.com defines it as “supreme and independent power or authority in government as possessed or claimed by a state”. So when we refer to data sovereignty we are actually referring to who has supreme power and authority over your data.

Every business is subject to the laws of the city, state and country in which they practice. They are required to satisfy audit requirements for taxation authorities, and in locations where there is a relevant authority, for data security as well. This is part of the cost of doing business and we all understand that some of the data we provide these companies will be forwarded, when deemed necessary, to the relevant authorities for purposes they deem necessary.

Do you know to whom your cloud service provider is sovereign?

In almost every EULA created by a reputable company that I’ve ever read there is a section that looks something like the following:

Excerpt taken from the Microsoft Services Agreement on 9 July, 2013.

Section 5.3 is what we’re really interested in. It’s worded lightly enough to make you think that when Microsoft talks of offering up your data to “government entities” it means the government in the location in which you reside. Are you willing to bet your entire career or business guaranteeing that IT vendors do this? I am certainly not. When evaluating any cloud service provider we should ask these questions:

  • Is there a government to which they are sovereign?
  • Is this government a “Foreign Power”?
  • Is our data now sovereign to a foreign power even though we specifically retain ownership of that data?

Know your privacy requirements and limit your liability

Every small and medium-sized enterprise that deals with data from the public is no doubt aware of the privacy requirements of their jurisdiction. Today’s clients are more privacy-aware than any group of consumers has ever been before. And thanks to our US brothers they are also the most litigious they’ve ever been. They know their rights and expect to have their privacy protected with more skill, forethought and panache than ever.

How can we protect our clients’ data when it’s subject to the sovereignty of a foreign power? Especially if we believe the hype surrounding PRISM, when that foreign power has carte blanche access to our data without advising us it has done so, and gagging the cloud service provider from telling us?

I wish there was an easy answer to this question. Put simply, we cannot guarantee the ultimate level of privacy required by our clients when using a cloud service that is sovereign to a foreign power. I am not just referring to US-based cloud services here: I’m no more trusting of services from Asia or Europe.

In effect, this leaves my clients with two options:

1. Get a hybrid solution (totally unfeasible for 95 per cent of my clients because of cost); or

2. Don’t use a cloud service at all. This is also unfeasible for a large percentage of my clients. There are some things it just makes sense to use the cloud for.

When answering the question for my client, I told him what I tell every client: I cannot guarantee the safety of any data that is transferred anywhere around the world. I cannot guarantee the safety of any data that sits on a physical server. I have never provided a 100 per cent guarantee of anything and I never will. Any one of a trillion possibilities could occur and render null and void every security precaution we have taken.

Even so, there is good reason for me to worry. We have a duty of care to our clients to ensure that, as much as possible, our clients’ data, and its sovereignty, is protected.

So how do we proceed then? Here are my recommendations for maintaining the sovereignty of data belonging to you and your clients.

1. Go local when and where you can. For some countries this will be a difficult proposition. But it’s getting easier as cloud services trickle down and your local vPosse will be able to help with recommendations.

2. When going global, maintain data sovereignty awareness. Sometimes, you just can’t go local. Read the EULA and do your homework.

3. Make your clients aware of potential issues with data sovereignty. Get liability waivers signed by the client. Even with the current absence of law, they should be enough to save your ass.

Data sovereignty is a loaded gun. It’s an issue just waiting for a test case. Protect yourself and your clients lest you be the one setting the precedents. And for all our sakes, read the EULA. Ignorance is NEVER an acceptable excuse. ®

Reg reader Aaron Milne supplies IT system architecture, R&D, sysadmin and contract evaluation services to SMEs. He lives in Brisbane, Australia.
