The Internet may be global, but cloud computing, like most politics, is local — or should be, according to experts who say a cloud location must adhere to country-based privacy and data security regulations.
Unfortunately, many organizations that have braved the public cloud don’t know where their data resides, which could set them up for cumbersome compliance problems, according to Forrester Research Inc. in Cambridge, Mass. And that’s the good news — some infractions may result in stiff fines or even jail time, say Forrester analysts James Staten and Onica King, co-authors of an Infrastructure as a Service report warning IT executives that IaaS clouds are not responsible for regulatory compliance. “These issues remain the responsibility of the customer, and ignoring them may be perilous for any multinational or non-U.S. corporation,” they wrote.
In the United States, for example, health care organizations are hamstrung by HIPAA, which prevents certain patient information from residing on servers outside the country. In Canada, a similar privacy act could prohibit companies from contracting with a cloud provider in the U.S., said Danny Terrigno, an IaaS storage expert. “Storage is a key cloud application, but in Canada, any data that is personal cannot leave the country,” he said. “So if it goes on a server in the United States, the [Canadian] government will come after you for that.”
Once again, get it in writing
Ben Schorr, a lawyer who blogs on law office technology, notes that many of his clients might be willing to try cloud computing but are very concerned about their sensitive data being located in (or outsourced to) data centers in “unfriendly” countries, or countries where laws on data privacy are somewhat undefined. “Even if we conclude (as we probably should) that the fourth amendment DOES protect hosted email and other data, that still leaves open the question: ‘What does the fourth amendment protect in Malaysia? Or China? Or Peru?’” he wrote. SaaS providers are going to have to provide assurances that their data is going to stay domestic if they hope to host data that is at all sensitive in nature, he said.
“There are some things companies need to watch out for,” admitted Archie Reed, distinguished technologist and chief technologist for cloud security at Hewlett-Packard Co. “There’s no liability [for cloud providers]. There’s no recourse if contracts don’t mention that the architecture may change on the back end and outsource to India, yet you’ve got something that requires your data to remain in a geographic location. Unless you’re looking at all those things and have negotiated it properly, you have no controls.”