Few would dispute the pervasive impact that cloud technologies have had in recent years. From accessing music and movies to retail consumption near and far, collaborative gaming and exercising, and information and data access, cloud infrastructure, platforms and services have underpinned game-changing technological disruptions.
Whether for convenience or novelty, we’ve been happy to hand over our data to the imperceptible cloud, trusting, as we typically do, the gatekeepers of the next digital inducement. That is, at least until now.
As cloud-centric delivery models become integral to the modern IT operating environment, accompanied by the collection of more and more data of varying degrees of sensitivity, another, more cautious trend has also started to emerge.
Research undertaken by IDC this year is throwing considerable weight behind previously anecdotal concern about where cloud data ‘goes’, how and where it is moved, how it is stored and who can access it.
The research, involving decision makers from public sector, financial services and health care industries globally, surfaced mounting concern, among some 70% of respondents, about the vulnerability of confidential and restricted data stored in a commercial cloud.
Their concern is not only that critical data may not remain on sovereign soil (45% extremely/very concerned) but, given the changing geopolitical landscape, that it may be managed by US cloud providers (79%). Largely driven by mistrust of the US CLOUD Act, which can compel US-owned/based cloud providers to disclose details of the data they host, the research identified that over 60% of respondents wanted a cloud service that provides complete jurisdictional control and authority over their data. Sovereign data locality or residency is not enough.
In line with expanding national data privacy and security sensitivities and tightening regulations (such as the GDPR in Europe, similar laws in the US, China, Russia, India etc., and our own Hosting Certification Framework and Critical Infrastructure Bill), data sovereignty equates to single jurisdictional control and legal authority over resident data. Importantly, this includes the customer, support, derived analytics etc. data and metadata that is expected to remain on sovereign soil.
The fact that users of a major accounting software provider were recently required, in accordance with the Privacy Act 1988, to disclose that the data held by their provider “. . . is stored on top-tier third-party data hosting servers . . . located in the United States of America” and that “Information stored on a server physically located in the United States may be subject to the USA Patriot Act 2001, which allows broad access to the information by the United States Government” points to the sensitivity, if not potential tension, that is developing.
Whereas insistence on (data) localisation and control once raised the hackles of protectionism, the reality of today’s digital and data-driven world is that without the ability to ring-fence, protect and control citizen data, the ability to manage risk and to instil and grow trust in a national digital infrastructure is simply undermined.