In this second issue of our new regular feature, The Buzz, we aggregate and summarize what people have been doing, saying and writing about data sovereignty in the cloud – to give you a quick 30,000-foot perspective.
Data sovereignty has been a topic of deep discussion around the water coolers here at IO lately. We recently finished work on the C-Suite Primer on Data Sovereignty & Data Custody: What You Need to Know. As we were writing the primer, there was debate about what “data sovereignty” really means.
Some argued that data sovereignty means that a company’s data is subject to the laws of the country in which the data is located. But that may not be the case. Data sovereignty may instead mean that the data is subject to the laws of the country in which it originated, or the laws of the country in which the cloud provider is headquartered. In the cloud, data sovereignty can become an issue because different countries have different laws governing the collection, use, storage, and transmission of data within their borders.
So data sovereignty really is the question of which sovereign’s (i.e., country’s) laws govern your data. A related issue is that of data custody, which is about who controls your data. Essentially, who has the right – or the obligation – to hand it over if the government comes knocking?
Microsoft Fights Back Against Warrant for Data Held in Ireland Data Center
The issue of what data sovereignty really means has rushed the stage this week as Microsoft fights back against a government search warrant to compel the firm to turn over e-mails held in one of its Ireland data centers (the e-mails are said to be connected to a drug-trafficking investigation).
As the Washington Post reported, “The government argues that the location of the records is irrelevant under the Electronic Communications Privacy Act, the 1986 law on which the court relied to issue the warrant. Rather, it is the company that is the subject of the warrant, prosecutors say. Microsoft argues that for data held overseas, the U.S. government should abide by its mutual legal assistance treaties – agreements between the United States and foreign countries that typically require the requesting government to be in compliance with the other government’s laws. Irish law requires authorization from an Irish district court judge to obtain e-mail content from a provider.”
The stakes are high. Verizon, which operates data centers overseas, filed a friend-of-the-court brief in support of Microsoft’s position. Verizon argues that if the U.S. government is allowed to execute search warrants for data held outside the U.S. it could “cost U.S. businesses billions of dollars in lost revenue, undermine international agreements and understandings, and prompt foreign governments to retaliate by forcing foreign affiliates of American companies to turn over the content of customer data stored in the United States.”
At Cloud World Forum, Bank of England CIO Says “Buyer Beware”
At the Cloud World Forum this week, Bank of England CIO John Finch urged businesses to do their due diligence before adopting cloud solutions, particularly with regard to data sovereignty concerns:
“If you go to a partner to host your data, you need to ask questions. Do you know where the boxes it runs on are and do you know the legislation that covers those boxes? One well-known provider promises your data will stay in Europe. With this provider the boxes sit in a Nordic region somewhere. Who here knows Nordic law? Then you need to think about where they are domiciled. Even if that well-known cloud provider says ‘don’t worry’, if they’re an American company, your data is linked to the American Patriot Act. That means if the FBI or CIA want it, they’ve got it. Think about what you’re giving and when.”
Finch closed his presentation saying, “I may sound like a cloud denier. I’m not. It can offer great value, but don’t let the providers drive your strategy.”
That’s sound advice. Don’t let the providers drive your strategy. And make sure you know where your data is, including the data running in cloud applications and stored on cloud infrastructure. Where it is physically. As in, its GPS coordinates. At this moment.
Want to know more about data sovereignty in the cloud?
Check out this 1-minute video interview with IO’s Director of IT Security in Cloud, Lenin Aboagye. And stay tuned for our forthcoming C-Suite Primer on Data Sovereignty & Data Custody: What You Need to Know (subscribe to the monthly @IO newsletter to get the primer as soon as it’s out).