Data security, protection and privacy are big issues discussed in the cloud blogsphere. Last week Kevin L. Jackson asked this question on LinkedIn:
Are Cloud Computing concepts applicable in secure national security and law enforcement arenas (i.e. Defense, Homeland Security, Intelligence, Justice)? If so, how? If not, why? (Source)
The answers are surprisingly pro-cloud – only one person expressed concerns about regulatory problems that might arise with respect to data storage in the cloud.
My 5 cents:
In Germany we have the Federal Data Protection Act (Bundesdatenschutzgesetz). It defines the data protection laws with which public administration and private companies must comply. For example, if at least 10 of your employees work with personal data, your company needs to nominate a data protection supervisor (Datenschutzbeauftragter), who controls the company’s compliance with the national data protection laws.
There are also some clauses with respect to storing personal data in foreign countries. In November 2007 Amazon announced local S3 storage in Europe. The main driver was to provide better latency control for European customers, but for sure another reason is compliance with European data protection laws.
I do not say that data stored on a professionally managed infrastructure of, say Amazon, is less secure or protected than “on-site” stored data. In fact, I see more dangers coming from buggy implementations of badly designed software that is used in Germany’s public administration offices. However, national and European-level regulations might slow down the adoption of EC2, et al. here in good old Germany. Perhaps it is a typical German (European?) attitude as opposed to a more hands-on US-American way of doing things ;-)
July 3, 2008 at 4:13 pm |
Markus,
I’m a big fan of your blog. Excellent work.
One interesting aspect of this has been discussed over the last month or so on the Google Cloud Computing group, as well as on my blog: can you move computing geographically to leverage the best regulatory environment for the immediate task at hand? And if so, when is it better to move the data, versus move the compute job itself?
As I note in the groups thread, its about automating loopholes.
Nick Carr and Greg Ness picked up on the meme. Another (large) thread on the Google group explored the question of moving data vs. moving compute capacity.
What are your thoughts?
July 4, 2008 at 7:10 am |
James,
thank you very much for your kind words.
The idea of “follow the moon” or in this case “follow the law” computing is fascinating! I must admit, I have not followed the discussion you linked above very closely but I will try to catch up.
As I mentioned in my blog post German data protection laws are pretty harsh. This is also a problem for community-based Web sites, because they must fear to be sued if not caring enough about their user data.
I am not a lawyer, but here are some possibly interesting sections from the Federal Data Protection Act (Bundesdatenschutzgesetz):
§4b (2): [...] You are not allowed to transfer personal data to a third party if the person concerned has a legitimate interest in you not doing so. [...]
§4b (3): The adequacy of the level of data protection takes into account all circumstances assessed in the data transmission, like type of data, duration of the proposed processing, destination country, etc. [...]
§4b (4) and §16(1),(2) basically say that you might even have to tell the person concerned that her data is moved to a third party.
As I said, I am not a lawyer, so I am not sure if these sections really are relevant for the case described in “follow the law” (as you do not transfer data to a third party but only geographically from one location to another).
July 14, 2008 at 3:04 pm |
Hi Markus
Enjoying your blog (and your diagrams – what tool are you using there?).
The security aspects of Cloud Computing are pretty interesting I think. Some feel very similar to traditionally outsourcing (risk management by contract) and others feel ‘new’. From speaking with some of the providers, there is a long way to go before regulated entities can put regulated processes in the Cloud however as John M Willis keeps reminding us, there are lots of companies dipping their toes in the water (finger in the Cloud? ;-).
Anyway, I’m now a subscriber.
Cheers,
Craig
July 15, 2008 at 7:07 am |
Thank you, Craig. I added you to my blogroll, as well. Great articles on security topics!
Btw, I just use powerpoint or open office + gimp to draw the diagrams.
July 29, 2008 at 12:06 pm |
[...] An article about Cloud Computing in the German weekly ZEIT made me think of a recent blog post on data security in the cloud. Although the article is quite positive and describes Cloud Computing [...]