Cloud Security & Data Sovereignty After Edward Snowden

The August issue of The Data Center Journal (get the PDF here) features a cover story I wrote based in part on IO’s most recent white paper, C-Suite Primer on Data Sovereignty & Data Custody. I encourage you to read the article and – if you’re looking for a deeper dive – to check out the white paper.

In this blog post I want to first highlight some insights from the other articles in this month’s issue of The Data Center Journal (which centers on security), and then share what’s happened in the market since I last wrote about data sovereignty in a post-Snowden world.

Data Center Journal August issue: focus on data center security

  • In Designing Reliable Physical Security for the Data Center, Jeffrey Clark reminds us that while logical security is more often discussed, physical security of the data center – whether it’s in-house, colocated, or cloud – is equally important. “Maintaining adequate security – like any system in the data center – requires preventive maintenance, testing and training of employees in a well-developed security policy.”
  • In Tackling Today’s Security Threats, Paul Burns reminds us that data security is as much about security policies for human users as it is about logical protections. “It’s a little clichéd, but you are only as strong as your weakest link; and for many that’s the human interface – that is, the users – and hackers are just as likely to use social-engineering techniques and manipulation as they are to deploy malware and botnets.”
  • In Security in the Cloud, Rob Carter reminds us that cloud customers share responsibility for data security with their cloud service providers (that’s a topic IO addressed here). “Data-privacy responsibility falls on both the CSP and the customer. CSPs offer support for encryption of data and secure channels for data transfer and data backup.”

Though Edward Snowden himself has been out of the headlines for a couple of months, the ripple effects of his revelations of NSA surveillance continue. Most recently:

  • On July 31st Microsoft lost an appeal in U.S. district court over a government search warrant for emails held on servers in one of the company’s Irish data centers. Supported by a host of other prominent technology companies, as well as AT&T and Verizon, Microsoft said it would appeal the ruling. In a court filing, the company argued that “Over the course of the past year, Microsoft and other U.S. technology companies have faced growing mistrust and concern about their ability to protect the privacy of personal information located outside the United States. The Government’s position in this case further erodes that trust, and will ultimately erode the leadership of U.S. technology companies in the global market.”
  • In June, the German government announced that it would end its contract with Verizon, signing a new contract with Deutsche Telekom. The government cited the cooperation of American companies in U.S. government surveillance, which was revealed last year by Edward Snowden. And Verizon is not the only American company taking a hit. Forrester estimated last September that the NSA disclosures could lower U.S. technology sales overseas by as much as $180 billion by 2016.
  • In a bit of better news, the European Central Bank announced last week that it would not follow Germany’s lead, but would stick with Verizon. Still, governments in Europe and Latin America, in particular, remain wary of doing Internet-related business with American companies, assuming (fairly or not) those companies’ complicity in NSA spying.

It is clear that cloud data sovereignty concerns persist more than a year after Snowden’s initial revelations. But data sovereignty and data custody are not the only important cloud security issues. Physical security and the human interface are equally critical. On all fronts, both the customer and the provider are responsible for securing their data in the cloud.

Want to learn more about data sovereignty in the cloud? Download C-Suite Primer on Data Sovereignty & Data Custody