Data sovereignty: the risks of assumption
A worrying trend in cloud computing is the way that providers cloak themselves in secrecy with customer security as an excuse. They store third party data behind a virtual wall that enables their customers to select server capacity and pay for it by credit card, but aren’t always upfront about where your data will be hosted. In my opinion, that detail is so important it should be known to both parties.

By now, almost everyone knows cloud computing democratises technology and enables business transformation, but your process for selecting a cloud service provider should be as rigorous as choosing a vendor for any other IT implementation.

Don’t be lulled into a false sense of security by those who say the beauty of the cloud is that you don’t know where your information is.

The Inland Revenue Commissioner’s recent alert about cloud computing turns the spotlight on customer attitudes to the cloud and the need to be clear about where your data is stored, if for no other reason than to fulfil your organisation’s legal obligations. The purpose of the Commissioner’s alert was to inform businesses that only financial records stored in data centers located in New Zealand comply with the record-keeping obligations of the Inland Revenue Acts. The IRD says it’s concerned the use of cloud computing may mean businesses are not meeting those obligations.
Section 22 of the Tax Administration Act 1994 says New Zealand businesses have to keep sufficient records in New Zealand to enable the commissioner to readily ascertain information about their tax affairs.

My advice to businesses evaluating cloud providers is to seriously consider hosting all intrinsic information — such as financials and intellectual property — with a New Zealand based provider.

As a business owner I wouldn’t be comfortable hosting that information outside New Zealand, and I’d want to go further than seeing a website with a few photos and a verbal assurance that my data will be stored onshore, before choosing a provider. Cloud providers may give their customers the impression that they’re hosting their data onshore — and may indeed do that for a time — but this industry changes quickly. How can CIOs and IT decision-makers ensure their data remains within national borders in the long term?

Enter negotiations with your exit strategy: If you give your data to this provider, how will you get it back? What happens if it goes out of business? What happens if you want to switch providers? You might not be parting on the best of terms, so who actually owns the data in the event of a termination? Be sure there’s a clause that makes this clear. Some agreements go so far as to change ownership of the data.

It’s impossible to guarantee the physical location of your data without entering into a service level agreement (SLA). In many cases, cloud providers work on a “best efforts” principle, and that isn’t good enough. But even an SLA is useless unless monitored and reported on regularly. Remember, too, that unless you’re a large organisation or government agency, SLAs with overseas providers are largely unenforceable because the cost of mounting a legal campaign against them would be prohibitive.

Be clear about the warranties in the SLA regarding provider liabilities in respect of your data.
If your provider merges with an offshore company, your SLA has to protect your information and explicitly state where it is to be held in the future.

Don’t leave anything to chance

Members of InternetNZ have expressed concern that moving financial data to New Zealand may not be effective or efficient for businesses with overseas customers, but what controls do companies with offshore cloud providers have over the end use of their information, the resilience of the data center, its employees and the rule of law in the jurisdiction that would apply to any conflict that may arise?

The questions you’d ask of a prospective provider should be no less rigorous than those you’d ask about an on-premises system. If you were about to invest in a new system you’d undertake due diligence upfront. CIOs shouldn’t stop applying the level of rigour they customarily apply to projects just because cloud is the trend of the moment.

Don’t leave anything to chance. For example, don’t assume data in the cloud is automatically backed up or that it’s stored offsite. Ensure your data remains secure in the cloud by evaluating how the provider’s backup routine works, whether backups are stored offsite and what their business continuity plans are. You should be able to select data retention policies in your SLA.

The reputation of your provider is probably the most important factor. Do the research. It won’t take long to identify a shortlist of three providers. Trust is a critical factor in cloud computing success. You might decide to commission an independent security audit.

One benefit of choosing a New Zealand provider is jurisdiction.
Your SLA is enforceable under New Zealand law and, typically, there’s a better match between the resources of both parties to the agreement.

Meanwhile, the IRD has cautioned that if taxpayers are thinking of using cloud computing services they may need to obtain an assurance from their service provider that their data will only be stored in New Zealand data centers and be able to guarantee availability of their financial records. Cloud infrastructure in New Zealand is currently limited. Many New Zealand providers use overseas data centers to host their customers’ information. ICONZ not only hosts its cloud infrastructure and backups exclusively in New Zealand but also retains direct control by managing its own onshore data centers.

What we’re doing may be a departure from the international trend of secrecy around cloud services, but I’m urging customers to subject all cloud providers to this level of scrutiny. Where your data is held should be stipulated in your SLA, not simply to pacify the IRD. Demand that your data be held in New Zealand for your own peace of mind, and hold your provider to it.

Working in the cloud brings organisations real tangible benefits but it also raises questions, and it pays to ask them. Don’t rely exclusively on what one vendor says: there are enough independent consultants and cloud experts in New Zealand who can provide you with impartial advice. Engage with the cloud community to make the right decision.