Feeds

Sysadmins: Keep YOUR data away from NSA spooks

Hide cloudy bytes away with our data sovereignty checklist

Intelligent flash storage arrays

Readers' corner During a meeting this week I had a question put to me that almost every client asks at some point: will our data remain our data even after we send it rocketing into the cloud?

I love this question simply because it means I’m making progress getting companies up to speed on their IT requirements. What set this encounter apart was the unexpected question that followed: “What about the sovereignty of our data?”

I have researched data sovereignty issues for my clients since the NSA's PRISM project first hit the news - and I think I’m about ready to answer this question. So let’s take a look at what I’ve learnt about data sovereignty.

It’s not about who owns your data

First, we need to establish this: It’s NOT about who owns your data. With few exceptions, the EULA (that lengthy end-user licence agreement) of every cloud service explicitly states that you retain ownership of all data.

The key lies in the word "sovereignty". Dictionary.com defines it as “supreme and independent power or authority in government as possessed or claimed by a state”. So when we refer to data sovereignty we are actually referring to who has supreme power and authority over your data.

Every business is subject to the laws of the city, state and country in which they practice. They are required to satisfy audit requirements for taxation authorities, and in locations where there is a relevant authority, for data security as well. This is part of the cost of doing business and we all understand that some of the data we provide these companies will be forwarded, when deemed necessary, to the relevant authorities for purposes they deem necessary.

Do you know to whom your cloud service provider is sovereign?

In almost every EULA created by a reputable company that I’ve ever read there is a section that looks something like the following:

Excerpt taken from the Microsoft Services Agreement on 9 July, 2013 (click to enlarge).

Section 5.3 is what we’re really interested in. It’s worded lightly enough to make you think that when Microsoft talks of offering up your data to “government entities” it means the government in the location in which you reside. Are you willing to bet your entire career or business guaranteeing that IT vendors do this? I am certainly not. When evaluating any cloud service provider we should ask these questions:

  • Is there a government to which they are sovereign?
  • Is this government a “Foreign Power”?
  • Is our data now sovereign to a foreign power even though we specifically retain ownership of that data?

Know your privacy requirements and limit your liability

Every small and medium-sized enterprise that deals with data from the public is no doubt aware of the privacy requirements of their jurisdiction. Today’s clients are more privacy-aware than any group of consumers has ever been before. And thanks to our US brothers they are also the most litigious they’ve ever been. They know their rights and expect to have their privacy protected with more skill, forethought and panache than ever.

How can we protect our client’s data when it’s subject to the sovereignty of a foreign power? Especially if we believe the hype surrounding PRISM, when that foreign power has carte blanche access to our data without advising us it has done so, and gagging the cloud service provider from telling us?

I wish there was an easy answer to this question. Put simply, we cannot guarantee the ultimate level of privacy required by our clients when using a cloud service that is sovereign to a foreign power. I am not just referring to US-based cloud services here: I’m no more trusting of services from Asia or Europe.

In effect, this leaves my clients with two options:

1. Get a hybrid solution (totally unfeasible for 95 per cent of my clients because of cost); or

2. Don’t use a cloud service at all. This is also unfeasible for a large percentage of my clients. There are some things it just makes sense to use the cloud for.

When answering the question for my client, I told him what I tell every client: I cannot guarantee the safety of any data that is transferred anywhere around the world. I cannot guarantee the safety of any data that sits on a physical server. I have never provided a 100 per cent guarantee of anything and I never will. Any one of a trillion possibilities could occur and render null and void every security precaution we have taken.

Even so, there is good reason for me to worry. We have a duty of care to our clients to ensure that, as much as possible, our client’s data, and its sovereignty, is protected.

So how do we proceed then? Here are my recommendations for maintaining the sovereignty of data belonging to you and your clients.

1. Go local when and where you can. For some countries this will be a difficult proposition. But it’s getting easier as cloud services trickle down and your local vPosse will be able to help with recommendations.

2. When going global, maintain data sovereignty awareness. Sometimes, you just can’t go local. Read the EULA and do your homework.

3. Make your clients aware of potential issues with data sovereignty. Get liability waivers signed by the client. Even with the current absence of law, they should be enough to save your ass.

Data sovereignty is a loaded gun. It’s an issue just waiting for a test case. Protect yourself and your clients lest you be the one setting the precedents And for all our sakes, read the EULA. Ignorance is NEVER an acceptable excuse. ®

Reg reader Aaron Milne supplies IT system architecture, R&D, sysadmin and contract evaluation services to SMEs. He lives in Brisbane, Australia.

Beginner's guide to SSL certificates

More from The Register

next story
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
Turnbull should spare us all airline-magazine-grade cloud hype
Box-hugger is not a dirty word, Minister. Box-huggers make the cloud WORK
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.