In my previous post I espoused why IT infrastructure sucks. Many of you pointed out that “The Cloud” was the answer. Amazon Web Services is the market leader for IaaS clouds so I’m writing a series of posts documenting the hurdles (I think I’ve found eleven!) to overcome if you want to use AWS and experience the wonders of a truly on-demand infrastructure.

The first is the issue of…

Data sovereignty

passport by One-Fat-Man (via Flickr)

Data sovereignty is basically concerned with where data copies are located, how it is used, and your legal control over it.

Company data sent to a cloud provider can be located in, or transmitted through, multiple countries with different laws. The data has a different legal posture at each stop along the way.

Countries typically have laws governing Data Privacy, Compliance, Retention, Availability, Breach Notification and Data Subpoena powers. But these laws rarely match up with each other.

Privacy generally relates to personal and confidential information and examples include health and financial information. Different countries have different laws for protecting privacy of data records and different requirements of its people and organisations.

Compliance refers to standards and laws such as Sarbanes-Oxley, PCI-DSS and corporations laws. The effect of compliance is to encourage best security practice on an IT operation including physical security, security processes, system configuration and auditing. Compliance is difficult enough to achieve on-premises. Achieving this across a global cloud infrastructure can be brain-numbingly complex and difficult to audit. See this article about PCI-DSS compliance in the cloud.

Data Retention is about being able to recover company records from a “long” time ago.  Typically an application used to create the data records will have been retired or upgraded. The data records will therefore not be retrievable without firstly recovering the version of the application that generated them. This problem has been solved in some respects by data-archiving systems that regularly migrate data in a readable/standard format. But currently archiving is immature on Cloud platforms like AWS. Cloud applications are inherently upgraded in a rapid cycle and end-users won’t have the ability to recover old versions of the platform for data access purposes. The questions to be asked are: Can I get my data out regularly in a standard format? And will I be able to access this information many years down the track?

Data Availability is more complicated in a cloud environment primarily because there are more entities involved in providing a cloud platform. The legal availability requirements of data need to be understood and contracts with providers carefully assessed so that it can be met. For example if a customer’s banking records were hosted in an overseas AWS region and became unavailable, where is the accountability?

Breach notification laws vary around the world. If your data is stored in Amazon and there is a breach, does Amazon have to disclose the fact by law? If your CIO comes and asks you if your cloud data was breached, would you shrug your shoulders and say, “I don’t know”? The US and Europe have had breach notification laws for several years while other countries like Australia have lagged.

Data Subpoena is a most interesting sovereignty issue. Nation states have used economic reconnaissance for advantage for eons. States and their corporations are rightfully concerned that another sovereign state could access their data. A current example is the US concern about Chinese hacking efforts. Another is that Amazon, being a US company, falls under the Patriot Act and must secretly disclose information to the US government if requested, even if the data is not physically located in the US. Other countries have similar laws for national security reasons. There is reasonable suspicion that economic espionage will be used for advantage and therefore represents a sovereign risk.

Data is the currency of business. When your data leaves your premises, you potentially lose control, oversight and therefore business advantage. How do you solve this problem? What controls can you put in place? Please share you thoughts