 |
Canada: Understanding Cloud Computing’s Risk |
| Source: |
itworldcanada.com |
| Source Date: |
Tuesday, September 23, 2014 |
| Focus: |
ICT for MDGs
|
| Country: |
Canada |
| Created: |
Sep 29, 2014 |
|
“Fortune favors the brave,” the CEO barks. “Once bitten, twice shy,” the CIO snaps back. When the question becomes whether to buy into cloud computing or fretting over data sovereignty, what’s a company with big global ambitions to do?
On this leaky but still promising post-Snowden planet, many IT professionals around the globe have taken a persnickety, even a gun-shy, attitude about hosting data in a nebulous cloud—a cloud that often touts a key selling point as hosting sites around the globe.
Not helpful to the hopes of the global cloud providers are claims made by various tech hucksters regarding the perils of data sovereignty, typically on behalf of the most local data hosting residency of all.
Especially because of these data sovereignty perils, would-be purchasers often fear engaging in cloud computing at all, their concerns largely formed by paying attention to media eager to monger fears.
Silicon Valley is betting that those fears won’t hold.
The claims by the fearmongers run the gamut from somewhat credible to singularly outrageous. One even had Oracle head Larry Ellison not “getting” and not trusting the cloud – although his company makes well over a billion on it. Another had Microsoft shying away from the words “the cloud” too much in press releases enough to demonstrate real faith in it.
Along with the media-fueled insecurities come stories of prospective abuse that aren’t anchored in specific cases, but the mere prospect of problems. Apple’s recent capitulation to the Chinese government to store data generated by Chinese users in China itself is one example. Could the Chinese feel secure in the promise, then, that the Chinese government wouldn’t be peering into their data and communications? Industry observers noted that Apple reassured all that it “takes security and privacy very seriously”—which we were all just dying to know.
There was no actual breach of security, nor a particular request for data by a government, but the mere prospect of one. But the story, which only confirmed suspicions but of the usual distrust of government, gained traction throughout online media.
The fact that not only IT professionals at flush companies, but hackers, bloggers, predators, Occupiers, and even some journalists want to know more about the cloud, especially your cloud, and mostly for the wrong reasons, gives an IT officer pause. So do the flavors that clouds come in: is it public, private, a hybrid, or a government-styled “community” cloud you’re being asked to buy?
Those are easy determinations to make, if sometimes painful ones to explain. But complicating the growth of (or some would say the surrender to) cloud computing is the often abstruse charge of vulnerability to data sovereignty-based legal issues. The fact that every stripe of cloud not only resides in a different kind of jurisdiction, but also resides in business imagination in a place that is not only imprecise but perpetually vulnerable as well, speed the data sovereignty arguments along.
And thus it’s data sovereignty that has now become the top barrier of entry for would-be cloud denizens.Some cloud providers, recognizing the widespread concern, have even decided to play up the concerns as part of their marketing. Consider this caveat on the brochureware of VCE, a “leading provider” of cloud services:”However, some customers facing geopolitical issues, data sovereignty regulations, and growing complexity in securing large, distributed IT infrastructures requested a private cloud solution that could be hosted in their own data centers to retain full control of underlying security data. Using pre-engineered VCE Vblock Systems, Qualys was able to create a private cloud solution for deployment at customer sites.”
This is the promise, and even some of the language, of the kinds of folks who use your media-fueled insecurity about clouds to their advantage. It is a similar language to the land use consultant or the import-export analyst, the man or woman who professes to be able to turn your international-scope ambitions into a matter of knowing your local city council member.There is no question that cloud computing is real, nor that it works; in fact, it has been working since the 1950s. Some of us remember receiving keypunch cards with hidden and presumably sensitive data about ourselves in the mail. Tech paranoiacs among us to wondered if an invisible but omnipresent Big Brother had taken over at last, in the form of an IBM mainframe, situated in some sinister, secret location, running the tapes that punched the holes. And it was the early private corporate clouds and their manageable and malleable data on customers that made marketers salivate at the prospect of neural networks in the ’80’s and ’90’s, the kind of algorithms that produce limitless opportunities for our social media sites today.But cloud computing was far more sharply defined while being made simpler to buy, by Amazon, which in 2006 unleashed an “Elastic Compute Cloud” on an unsuspecting, developer-oriented B2B public. Where the data were actually being stored wasn’t as large of a concern back then. But since that time, business and governments have been obliged to ponder how much they might save—and how much they might risk—by migrating data and tech products out of their own data centers and into another company’s and even another nation’s nebulous digital ether.
Many security concerns affecting cloud computing (even the mainstream ones) had already been largely overcome by private financial service developers. It was only a matter of adaptation of some of the very secure (and very costly) transactional financial coding and encryption to more general kinds of networks that made migrating to clouds possible for more companies. But pumping the breaks on widespread adaptation for many businesses has been the persistently growing issue of data sovereignty.
The European Journal of Law and Technology’s adroit 2012 paper “Cloud Computing, Centralization and Data Sovereignty” by Primavera De Filippi and Smari McCarthy examined two entirely divergent cloud computing case studies: hugi.is, an interest-based social network in Iceland, and Facebook, the global hyperforce known to a third of the planet. It predictably found that cloud computing “does not come without costs” and that “the control is all in the hand of few corporate entrepreneurs.”
Ultimately, the authors agreed that “greater awareness of privacy and data protection issues amongst users are amongst the methods which can be employed to reduce the risks inherent in Cloud Computing.”
For what it’s worth, Amazon’s own definition of cloud computing as “the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing” certainly discloses exactly how any cloud provider hopes to make money off of it: by extending to you the opportunity to pay a monthly bill for services rendered. Amazon also notes with its usual smug honesty that cloud computing basically outsources your data centre: “cloud computing lets you focus on your own customers, rather than on the heavy lifting of racking, stacking and powering servers.” it is like a file keeping service for corporate bytes.Silicon Valley, of course, has resolutely wagered that fears of data sovereignty problems will pass. “Cisco Buys Metacloud As Big Companies Suddenly Hot For Cloud Startups,” blared a headline at TechCrunch September 17. And the bets have been made with justifiable reason: the fact that even in slow-to-adapt Commonweath countries, data sovereignty has more recently been relegated to the realm of risk management.
And in a legal paper for top IT executives from late last year out of Australia and New Zealand, “Data Sovereignty and the Cloud: A Board and Executive Officer’s Guide,” aspired to address “insurance risk issues around ‘data sovereignty'” and to “assess and minimise this risk.”
Are organizations too worried about data sovereignty to take full advantage of cloud computing?In short, the question becomes: Do you trust Amazon? Do you trust Google, Cisco, Apple, Microsoft? If so, you’ll join them and not fret so much about data sovereignty.Or do you trust the guy in the suit down the street, with the brochureware you first came to read about cloud computing? If so, you’ll sleep easier with the knowledge that your cloud is in your company’s own jurisdiction.Or do you trust only your own IT team and none of the above? If so, then only a private cloud will do.Nearly all corporate questions become this much, or this little.
In the end, the cloud will provide the same service that shipping sensitive redwells off to a file keeping storage unit once did. Whether they end up a mile away or somewhere in Iceland is the consequence of how much or little you worry about such hosting.
Security and tampering assurance, rather than data sovereignty assurances, will remain not only the best value proposition for most, but also the best practice among cloud service providers.
(By Jeremy Page)
|
|
|