Almost two years ago, I blogged about a conversation I had with Martin (“Tall Martin”) Buhr about Cloud Security. At the time, he was the European head of Amazon’s Web Services, and he has recently moved on to Nimbula (“the Cloud Operating System company”) as head of sales and business development, but his words came back to me during an analyst panel at RSA Conference in SFO, where I shared the rostrum with Eric Maiwald of Gartner and Jonathan Penn of Forrester and during which we touched on regulation issues that could block the development of Cloud Computing.
In Europe, the case is very clear: The European Data Protection Directive only allows personal data to be transferred to so-called “third countries” if that country provides an adequate level of protection. The most prominent third country is, of course, the United States which chooses for reasons we needn’t get into here to refuse individuals the right to control their personal data the way Europeans can.
In the age of packet switching, nobody can be sure some piece of information won’t make a hop over to New York or San Francisco on its way from, say, London to Frankfurt. That is the charm and the wonder of TCP/IP, that data will always find a workaround if some part of the net is blocked, clogged or restricted. The original scenario, of course, was a Russian attack on the U.S. military’s communications infrastructure, and the thing data packets were supposed to get around were gaping, radioactive holes in the ground where major U.S. cities (and telephone hubs) once stood.
Thankfully, the clear and present danger of such doomsday scenarios has faded somewhat, but the principle behind TCP/IP remains: It is almost impossible to restrict the flow of data anywhere in the world, short of shutting down the entire Internet, as the authorities in Egypt and Iran have done, or erecting gigantic electronic barriers like the Great Firewall of China.
Since in the age of Cloud Computing, nobody really know where on earth their data are at any given moment (that’s the charm of Cloud Computing, after all!), any European CEO who allows personal data about customer or employees to be stored in the Cloud can be seen as having one foot in jail. Let an auditor or a police investigator find that data residing outside the physical boundaries of the EU, then the CEO’s number is up. And he can’t pass the buck on to his CIO, because managerial liability doesn’t work that way. It’s his call, and if he didn’t keep his CIO on a leash, then tough luck!
Tall Martin told me that Amazon had found a way to solve this problem, albeit in a very lavish and expensive manner: They operate two clouds! One is based in Dublin, Ireland, and services Amazon’s customers on the EU, the other does the job for all those third countries out there, and never the twain shall meet. Just how they accomplish this remains a mystery to me; Tall Martin talked about “regional IP addresses” and “storage buckets”, but if you ask me, there has to be a certain amount of magic involved here, too.
Which brings me back to the RSA Conference. A number of exhibitors there, including Sophos, Trend Micro and Goldkey demonstrated (or talked about) ways to automatically encrypt all the data that is sent out for storage in the cloud. Actually, people have been doing this for quite a while, but possibly not in such an organized way. The idea is, that your provider should not be able to look into your data, but simply store it until you need it, in which case you bring it back and decrypt it so that you can use it again on your internal systems.
This sets a number of restrictions on the way data may be used in the cloud, since it is impossible to for applications to access it, which kind of defeats the purpose of Cloud Computing as I understand it. But hey, if all you need is a safe place to stockpile some bits, then I guess it’s okay.
However, there is another side to this, which we discussed in San Francisco, namely the legal issue of complying with European data protection law. The vendors I talked with at RSA all shared the view that, if it’s encrypted, then it’s okay to store stuff anywhere you want, including in such third countries as the United States. Since nobody can tell whether there is any personal information in these locked-up data packages, how cares where you store them?
I’m not so sure, and I said as much during our panel discussion. Afterwards, a few folks in the audience came up to me an pooh-poohed my doubts, saying that in fact this is a wonderfully elegant way to get around the cultural differences between the Old World and the New. I am curious to know how the auditors will see this if and when Cloud Encryption really starts to take off sometime this year. Maybe I will have an answer by the time we meet for the European Identity Conference in May. See you then!