Paranoid about the NSA? The case for dumping cloud's Big 3

It's about ease of use, stupid

The most obvious reason to stand up a regional cloud is to meet requirements that simply can't (or won't) be met by the three big American cloud providers (Amazon, Microsoft and Google). Chief amongst these are data sovereignty, regulatory and legal concerns.

Data sovereignty is an issue regardless of how many data centres around the world a company holds. Microsoft's Irish fracas is a great example of this issue. If a company is headquartered in the US, then they may be beholden to American law, regardless of where their data centres live.

The same is true of any company, headquartered anywhere. A Canadian company with a data centre in Europe will be beholden to Canadian law, European law and the law of the country where the datacentre in question is located. That's before we look at who is intercepting data as it transits from A to B.

Oddly enough, there are a lot of companies (and a growing number of consumers) that just don't want to deal with this. Cloud computing is supposed to make life easier. Trying to cut through who owns your data, who can look at your data, who can subpoena it, when, where and why – and whether or not they'll tell you about it – is just too complex.

How can a small business look a regulator in the eye and say "yes, we're compliant" when in all honesty even the regulators don't have the foggiest clue whether or not storing our data elsewhere is legal. Canada has been issuing mixed signals on this for ages, and the EU is currently duking this out in various layers of courts and political backroom dealings.

Choosing your local ISP's cloud gives you a better-than-average chance that your data won't leave your own local jurisdiction and shouldn't come under the laws of another nation. Unless, of course, your ISP sub-contracts their cloud services to one of the big three. That's something you should ask about before purchasing.

Perhaps more to the point on all of this: the "privacy versus security" battle has only begun. Much like it took decades to hash out other major cultural changes (feminism, LGBT rights, the adoption of basic civil liberties for peasants), this will run for a long, long time before the people grind down the machine.

If history is any guide, we'll get a massively paranoid security state in virtually every jurisdiction that will slowly – and probably over the course of the next three generations – be beaten back by civil liberties activists. Then will come reactionary ultra-conservative jurisdictions that will try to make it illegal to store your data in jurisdictions that respect privacy. Then, after enough time, civil liberties will (hopefully) win.

So even if it is legal today to place your data elsewhere, it may not be tomorrow. Why risk it, especially if that data is only for internal consumption in your organisation?

But, but... encryption

The counter argument to data sovereignty, regulatory and legal issues is almost invariably some sort of magical encryption world. Upon inspection this almost always falls down.

Microsoft evangelists will quickly stand up and start talking about how (some parts, but not remotely all) of Microsoft's cloud services can be secured using encryption where you control the encryption key. They get real quiet when you start asking about price, applicability to small businesses, or why businesses should trust the encryption system in question.

If you're worried that, for example, the American government can't be trusted to respect the privacy laws of your nation, then I'm not sure a key management system that is run as a cloud service on Microsoft's cloud is really something we're going to trust to protect our encryption keys. Or, for that matter, that the whole system hasn't been back-doored from the start.