It’s a common misconception that storing your data in the cloud isn’t as secure as keeping it in-house, especially if the cloud service provider is outside your home country.
While navigating the complex issue of data sovereignty takes some homework and due diligence, trusting your company’s digital assets to the cloud can actually be the safer option.
Edward Snowden, privacy and the NSA
Revelations from whistleblower Edward Snowden, who said the U.S. National Security Agency was spying on communications between U.S. citizens, sent shockwaves through the digital world. These communications, Snowden alleged, included confidential online data provided to the government by U.S. technology firms.
Global businesses that trusted their data to cloud servers in the U.S. started to panic about data sovereignty, the physical location of their data and the laws that apply in that region. Small and large companies are increasingly adopting cloud computing for their software, applications and infrastructure because it’s scalable, agile and affordable.
Some Canadian companies choose to store their data with cloud providers in the U.S. because they can offer the best services for the best price. This means their digital assets exist outside Canadian jurisdiction.
While it’s true this means U.S. authorities have the power to compel the cloud provider to hand over sensitive data, this is the case in most countries, including Canada. It’s not uncommon for countries to make cross-border data requests during criminal investigations and have them granted.
There are no international standards dictating data sovereignty across borders. Instead, there’s a patchwork quilt of national and territorial rules and regulations. Before trusting your data to the cloud, you need to do your homework, know your options for mitigating risk and pick the setup that works best for your business.
Do your research
Before choosing a cloud service provider, find out where their data centre is headquartered. Many cloud providers spread out data among several centres in different geographical locations. Research the laws and regulations regarding data in those locations. Ensure the provider will inform you if they decide to move your data to a new jurisdiction.
Take some time to check out the provider’s background, history of service and security credentials. Watch out for any mentions of high-profile security breaches or data centre failures, most of which would have been reported by media. Track down other clients who’ve been happy with their services.
If you know you’ll be dealing with extra sensitive health or financial data, find out if the provider has experience handling and protecting that kind of information. Not all data can be stored according to the same standards.
The Health Insurance Portability and Accountability Act (HIPAA) in the U.S. regulates the way sensitive health information is collected, managed and protected. HIPAA’s “security rule” mandates that enterprises implement specific administrative, physical and technical safeguards to protect “electronic protected health information.”
ISO 27001 is an internationally recognized information security management system (ISMS) standard. The standard dictates how any enterprise — big or small — should organize and manage the security of their electronic information through a series of objectives and controls. Ensure the cloud provider you choose has received ISO 27001 certification through an accredited third party.
Take steps to protect your data
Your data needs to be protected before it even gets to the cloud. If you’re concerned about data sovereignty, CipherCloud recommends encrypting and tokenizing your data, and making sure you retain local control over the keys. That way, if authorities request access to your data, the cloud provider must inform you and involve you in the process. You’re also free to change, rotate or destroy the keys completely.
The encryption also means the data, if accessed because of a security breach, will be useless to anyone outside your business.
Choose a provider that gives you a level of oversight and control you’re comfortable with. Many cloud providers will provide businesses with a dashboard that allows them to monitor and track their own data.
There’s no one-size-fits-all
Not all data needs to be stored in the cloud, especially if you’re new to this kind of computing. Your business might decide that only data that’s low-risk will leave the country. The rest can be stored in-house behind a corporate firewall.
Emails are a perfect example of data you might want to keep in-house. When you send an email, you have no control over the geography of where it lands once it leaves your servers. It’s possible for an authoritative body — like the NSA — to intercept that email before it even arrives. What you can control is where your email is stored.
Keep in mind that while weighing the pros and cons of trusting your data to the cloud is daunting, your data is likely safer in the cloud than it is in the basement of your company headquarters. On-site infrastructure is vulnerable to theft and damage or loss by fire or flood. An internet or power outage could lead to a sharp dip in productivity among your employees or the loss of valuable files altogether.
Make decisions based on the potential liabilities and the concerns of your own clients. You may consider choosing cloud providers inside Canada, although the options right now are limited and expensive. Even basic cloud services like DropBox and Gmail are located in the U.S. The Canadian Cloud Council, an advocacy group, is working to position Canada as a global leader in cloud computing.
The cloud solution won’t necessarily be the same for every business. As an IT consultant and Partner at TWT Group, I help businesses find an approach that works best for them.