Small businesses have been quick to adopt cloud computing. For the nimble sole trader, or the agile start-up, the cloud presents obvious advantages. It’s affordable, and it can be deployed instantly. It scales without effort. And there’s no need to assign the airing cupboard as a makeshift server room.
For larger businesses, adoption can be fraught with problems, mainly because of compliance and governance. The cloud is not an inherently risky technology, yet many gatekeepers fear handing control to a third party.
Risk mitigation is all about knowing where data is stored, and understanding the means by which that data can be accessed. Cloud storage is not a compliance risk, but you should understand where your data is resting.
Boundaries and Laws
As many medium and enterprise clients ponder the finer points of cloud adoption, they often miss the bigger picture: where the data is stored. This problem was highlighted with the US Patriot Act, a piece of legislation that has arguably slowed growth in the US cloud market.
The Patriot Act was brought in to scupper terrorist communications in 2001, and it effectively gives the US government free rein over data that crosses its boundaries. This is quite an odd concept, since data is often thought of as being transmitted in a fairly random way, and without any regard to date lines, borders or continents.
In essence, the US government can intercept any data transmitted on a US network. It can also intercept data held by a US company. It’s effectively a very broad digital search warrant, and it affects the cloud because of the way cloud data is distributed.
Is It Risky?
In the US, some see the Patriot Act as being unconstitutional, but that argument is out of scope here. The real issue for internet users is access.
If you use a US cloud provider, your data will cross the boundary into US territory. For businesses, this could be seen as an unacceptable risk. If your IP is viewed by a third party, this could violate legal agreements, non-disclosure agreements and contracts you’ve got with suppliers.
The US government has, in the past, demanded access to data stored in Europe because of the company’s links with the US. Microsoft was one target, in April 2014; its Irish data centre was subject to a federal court judgement.
Like With Like
Every country has privacy laws, terrorism laws, and ‘snoopers’ charters’. The Patriot Act is not unusual, and there are very good reasons for governments to access data in some cases.
However, if you’re in the UK, and you only do business here, it’s safest to stick with UK cloud providers. At the very least, you should try to keep your data within the EU, if only so that you know who can see it.
If government agencies have good reason for asking to see data, responsible providers will oblige. Naturally, that’s the way it should be. But it makes sense to choose only the most appropriate locations to store data, geographically speaking. And it pays to research the law before choosing your next cloud provider.