Blog Post

Data sovereignty issues still weigh on cloud adoption

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Large enterprises that embrace cloud computing for many tasks still refuse to use public cloud infrastructure for key jobs because of what they see as restrictive data sovereignty regulations.

These laws, which are proliferating in countries around the world, according to attendees of this week’s Forecast 2012 event in New York, mandate that a company keep a customer’s data in that customer’s home country. One oft-cited reason is to prevent that data from being subpoenaed by a foreign power (read: the U.S.)

And that factor is the biggest difference  between an enterprise’s virtualized data center and a public infrastructure as a service, said  Matt Louth, principal security architect for the National Australia Bank.

Multiple regulations governing where a company can store customer data means that multinationals have to field data centers in every country where they have a presence — a trend that flies in the face of the appeal of borderless clouds.

With these rules, the fact that data lies within the control of the enterprise is absolutely key, said Ian Lamont, IT security specialist at BMW. A photograph from a brochure can live anywhere, but customer data or the company’s crown jewels? No way, he said. “Companies don’t feel they have the relevant levels of control, management, visibility,” from their cloud providers about where data will be stored, he said.

It doesn’t help for a bank to hear its customer data will be in this European cloud “region.” Not specific enough.

Andrew Stokes, chief scientist of Deutsche Bank Global Technology brought up the same issue in another keynote Wednesday. “There are so many regulators and regulations — we need to be safe. Every geography has its own unique sector and laws.”

“We’re in 75 countries I think. We need a superset of all these regulations that makes sense and that we can comply with,” he said. His hope is that the Open Data Center Alliance that sponsored this week’s event can help with that.

One of his takeaways was that cloud service providers have to be able to meet regulatory obligations specific to the business sectors they address in auditable ways, he said. “Cloud customers must have the right of audit, we have to assess and assert that we’re meeting our regulatory obligations.” For them to be able to do that, they must have the documentation from their cloud partners.

This is a topic that will keep cropping up, including at next week’s GigaOM Structure conference. Unless and until the various rules and regulations converge or cloud providers can provide detailed assurances of exactly where data will reside, a good chunk of business will stay on premises or in private clouds

Photo courtesy of Flickr user Todd Ehlers

4 Responses to “Data sovereignty issues still weigh on cloud adoption”

  1. At Lazu, we agree. And that is why we are trending against the industry and aiming to achieve two things. First and foremost, cloud is a way of life. It means, I want a great user experience, as good as I feel as a consumer. I want to turn on technology and see it work. But, I live in Asia. I want to see it delivered by a local I trust. Someone who I can call and call my mate. Lazu understands this. That is why we are committing to building the best, most automated and widely distributed cloud in Asia and the Middle East. At least across 10 countries! You’ll be hearing a lot more about us soon…

  2. Leo Leung

    This is an important topic, Barb. Most of the discussion around the cloud has created a false premise that data must be surrendered to the provider of the cloud service. While in some cases this may be an explicit requirement (backing up data to an offsite facility), in many other applications this is a false tradeoff. Most of the benefits of the cloud (scalability, elasticity, connectivity) can be leveraged while enabling customers to keep their data (using their own data storage). This gives the customer complete control over where their data is located. The technology is there to make it possible, though few vendors have productized it.

  3. Pierre

    The perception that data located in one geography is somehow subject to rules of that geography only is bordering on ridiculous. Extraterritorial claims made by some countries (such as US’ Patriot Act), international treaties allowing data sharing, and plain brute (and not so brute) force methods of getting at interesting data is what all businesses face wherever they are. The only way of your data not being likely compromised or exposed on the network is to get it off the network.