In June, I attended three cloud events in 10 days: Cloud Expo East in New York City, Cloud Ecosystem in Frankfurt, Germany, and IBM’s ISV Executive Summit in Stuttgart, Germany. Prior to these events, I prepared to be inundated with questions about IBM’s intent to acquire Softlayer. But the more recent current events related to the Prism Scandal turned almost every conversation into a discussion about data privacy, security, and cloud computing.
The Europeans interpreted the events very differently from the Americans. In the US, the conversation focused on who was responsible and the whereabouts of Edward Snowden. In Europe, the conversation was about the outrage of learning that data—really any data, anywhere, anytime—is accessible by people with the right credentials. At least in my meetings and conversations, Americans were less focused on individual freedoms than the Europeans.
In Europe, there is strong consensus that the best way to control access is to maintain the data in country. Germany, with some of the strictest laws around data privacy, is viewed as a good location for any data center that supports the European Union. But sometimes, even when the data sits on a disk in a data center in a given country, the owner of that data center might employ administrators from other countries, like maybe India, to maintain that system on a regular basis. So while it’s important to know where the data sits, it’s equally important to know where the administrator sits.
More importantly, there are basic data security policies that apply regardless of where the data resides. Is the data encrypted? If so, at what level and who holds the encryption keys? These are the same questions organizations should be asking, whether the data is on the CEO’s laptop, in a secured data center, or somewhere in the cloud. Good data security policy transcends any technology infrastructure, even cloud computing.
There are articles telling us why the Prism program portends the end of cloud computing, and there are articles telling us the very same program will lead to growth in cloud computing. And there are articles telling us that we shouldn’t worry about government spying anyway when we so freely give our personal information away to social media sites and online marketers.
Whether we’re talking about government sponsored surveillance programs, online marketing, or illegal hacking, the warning is the same: as individuals we need to be vigilant about who is maintaining our online data and how. And as technology vendors, we need to ensure that our policies and practices are well designed, transparent and audited.