The continuing revelations by former US National Security Agency contractor Edward Snowden about the extent of data surveillance are rumbling like thunder around the cloud computing industry. This is likely to be more than a passing storm in a teacup: there could be lasting repercussions for where cloud users and providers choose to store their data.
Companies, governments and the European Parliament are starting to take a long, hard look at the whole issue of data sovereignty, which may well trigger a rush to secure data on home soil.
At this moment the European Parliament is considering a proposal to suspend the ‘US – EU Safe Harbor Framework’ currently in place, which would stop the personal data of EU citizens being transferred to American companies under that mechanism. The motion also calls for the creation of indigenous European clouds to promote growth and greater trust in cloud computing services. Whatever happens, all of this is quite rightly putting far greater onus on a local data centre provider’s credentials.
But a provider will have to demonstrate a great deal to be seen as a true and worthy home for data, whether in the cloud or otherwise, because both companies and government departments increasingly recognise that onshoring, that is, storing data on home soil, is preferable in the interests of security and privacy.
At the same time, US-owned service providers currently holding foreign company data in their clouds will have to find local in-country data centre partners to reassure international customers that their data will stay on home turf from now on. Otherwise they risk losing significant business in the likely fallout.
But because not all data centres are the same in size or quality, these onshoring companies and their service providers face the added dilemma of which in-country data centres to choose. In the interests of data privacy they will, more than ever, expect to see proof of strong security and compliance; otherwise it would be a case of jumping out of the frying pan into the fire.
From my own experience, I know just how discerning multinational customers already are about compliance and data privacy. Last year, for example, after an extensive evaluation of our security and data policies, a multinational cloud software provider specifically chose us to host the data it stores on behalf of its UK-based clients. This means that in both the public and commercial sectors companies can more easily meet local legislative and security standards.
So, while the UK fortunately has some very high-quality data centre facilities, a surprising number are still lacking in space and power, not to mention compliance and security. For a third-party data centre operator, prospective customers must check for robust physical security, power and resilience, low-latency connectivity and high-quality onsite engineering support.
When evaluating data security and privacy credentials, ISO 27001 certification and PCI DSS compliance should be a given (check that the scope of the ISO 27001 certificate actually covers the facility and the services you will use), but for added peace of mind on confidentiality and privacy, look for UK Government Impact Level (IL) accreditations, typically IL2 or IL3, as used for services sold through the G-Cloud procurement initiative.
Investigate too the integrity of the provider’s operating and reporting procedures. SSAE 16, the Statement on Standards for Attestation Engagements No. 16, is an attestation standard (not a regulation) issued in 2010 by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) to replace SAS 70 as the basis for reporting on a service organisation’s controls; demand for such reports grew out of the Sarbanes-Oxley reforms that followed the Enron scandal of 2001. Two caveats when you read one: an SSAE 16 (SOC 1) report covers controls relevant to customers’ financial reporting, so ask for a SOC 2 report if what you care about is security, availability and confidentiality; and ask for a Type II report, which tests that the controls operated effectively over a period, rather than a Type I, which only describes them at a point in time.