Data ownership becomes fuzzy in the cloud

If Facebook has taught us nothing else, it is that people can be cavalier about protecting their data.

The social networking giant has forced consumers to think differently about their data: have I just handed over the rights to the photos of my kids? Am I going to appear on my friends' pages endorsing fashion leggings thanks to a throwaway remark about “legging it” to catch a bus?

In the same way, cloud computing forces companies to re-evaluate what data ownership means.

After all, when it comes to migrating critical company data to the cloud, no one in their right mind would sign a contract that gave away ownership of that data, would they?

Turns out, the question is not so simple to answer. Reg reader “Jerren” gets to the crux of the matter in this comment:

“More important questions to ask are where exactly is my data located in the cloud and how many others share that same storage? Are the backups of that storage segregated or are they mixed together? Why, you ask? Well all it takes is one warrant for all data, tapes and servers for company XYZ which live on the same infrastructure as yours to ruin your whole company. If they are mixed (and most are, again for cost savings) not only did you lose your servers (easy to replace) and the SANs (a little harder to replace, and will take a while), but your backups as well!

“Possession is 9/10 of the law. In the US the hosting provider owns the servers, the storage, and the backups. In many courts they own your data unless a clear agreement is in place. Even so that agreement will not save you from a shutdown in the scenario above.”

In March 2011, the UK’s National Computing Centre published research highlighting data control issues as a serious obstacle to cloud adoption in the UK.

No surrender

Although respondents were keen on the cloud concept, surrendering control of data ranked as their biggest concern. A lack of common security standards and portability of data were also highlighted.

Gary Jensen, lead consultant at Silversands, a Microsoft partner based in Poole, says the problem is that although cloud is increasingly mainstream (defined as a technology one’s parents start to enquire about), it is still immature, especially on the non-technical front.

In the scenario outlined by Jerren, Jensen says it is not at all clear what a company could do to manage or mitigate the risk.

Beware bombs

He describes it as “an absolute legal minefield to which there are no clear answers”, and thinks that in some companies the lawyers could end up in charge of the IT policy.

“If the server is an off-premise private cloud then any data will be completely independent of any other company’s data at the application level,” he says.

“But they could be stored on the same disk subsystem – how the data was seized might define whether or not data from two or more companies was taken.

“There are different implications based on the application or solution itself; how its data is architected, separated and managed; how the storage solution is configured to support it, and at what level a data seize would occur (application export, application database level or storage level); whether the data seize would render the application unusable; what country the data is located in and which jurisdiction applies."

For Conor Callanan, chief executive of UK reseller CoreGB, jurisdiction is the key to solving the problem. He recommends keeping data in the EU.

“In the US, they can walk in and grab the servers

“The EU and the US have very different laws about access to data,” he says. “In the EU, law enforcement has to make a request for data, which the hosting company downloads and hands over to the authorities.

“In the US, they can walk in and grab the servers. Safe Harbor agreements don’t come in to it. Store your data in Canada, Latin America, anywhere you like, but not in the States.”

If a company cannot accept standard liability waivers, or needs forensic examination rights, for example, the requirements could quickly go beyond those a hosting company is prepared or able to accommodate on a public cloud system.

When does it get to a point where it no longer makes sense to move into the cloud?

“In the end, the decision factors for any organisation wanting to go into the cloud will need to include these considerations, and it may well be that it doesn’t make financial, legal or compliancy sense to move away from locally managed infrastructure,” Jensen says.

Moment of truth

The cut-off point for customisation is where the costs approach those of running a private cloud. Once you get there, why switch to a cloud service at all?

A private cloud can be cheaper, simply by virtue of geography. But there are considerations that go beyond cost savings: companies still move from capital expenditure to operational expenditure, and they don’t have the hassle of managing the data centre themselves.

As Callanan says, “People have been doing this for years, they just haven’t called it cloud.” ®