The cloud technology landscape has grown more complicated and more fraught with FUD in recent months. This is being driven by the ever-changing landscape of data residency and data privacy laws, and the growing mountain of revelations of government agencies demanding cloud service providers (CSPs) to hand over private consumer and enterprise data. For markets outside the United States, fears are particularly strong that any data stored on US soil or by US-based CSPs is vulnerable to NSA surveillance.
Some CSPs headquartered outside the US are leveraging these fears to push a model of domestic-only data centers as a way of addressing the cloud computing risks surrounding data residency and privacy. North of the US border, for example, “German software giant SAP announced plans to open its first Canadian data center,” a decision made to “help the company accommodate Canadian customers looking for in-country SAP cloud solutions,” as Business Cloud News reported recently. In fact, according to IDC research, a whopping 60 percent of Canadian cloud customers prefer their cloud services “to be delivered within Canada”.
ON THE FACE OF IT, KEEPING CLOUD TECHNOLOGY AND SERVICES DOMESTIC DOES APPEAR TO SOLVE SOME PRESSING CLOUD COMPUTING RISKS AND DATA RESIDENCY ISSUES. OR DOES IT?
Unfortunately, the concept of cloud services constrained by national borders—sovereign clouds, as some call them—creates more problems than it solves, and it may not even solve the problems it claims to particularly well. Let’s take a look at some reasons why.
In the first place, one of the key benefits of cloud computing, particularly for large multinational enterprises, is its ability to consolidate data, unify operations, and standardize business rules, workflows, approvals, and visibility across the entire global organization. Splitting cloud services up by nation will end up creating too many silos as providers in each country adopt their own systems. And organizations don’t even have to be particularly large to suffer the consequences of these silos. Additionally, cloud providers could never fully meet multinational customers’ demand for a domestic data center in every country in which those customers have operations.
When it comes to fears of government surveillance, meanwhile, cloud customers anxious about US government surveillance should keep in mind that keeping data off of US shores will not mitigate that particular cloud computing risk. Those non-US CSPs will simply be classified as foreign entities subject to surveillance, and there may be even less transparency and less accountability around surveillance of a foreign CSP than there is around data requests to US-based CSPs. As far as insider threats and data leaks go, meanwhile, DBAs and other sysadmins with access to sensitive data pose the same risk no matter what country they call home.
Ultimately, the sovereign cloud model cannot solve the cloud computing risks created by data residency and government surveillance issues. CSPs pushing for domestic-only clouds aren’t thinking through the various implications of their actions. The cost associated with opening more and more data centers and hosting entire SaaS applications within each country would be prohibitively high, reducing or even eliminating the cost benefits of cloud technology. Effectiveness and agility drop, too.
The risks of government surveillance and forceful data disclosures are very real, but focusing on infrastructure locality isn’t the solution.
What do you think? Tell us your opinions in the comments.