Data sovereignty issues still weigh on cloud adoption

Large enterprises that embrace cloud computing for many tasks still refuse to use public cloud infrastructure for key jobs because of what they see as restrictive data sovereignty regulations.
These laws, which are proliferating in countries around the world, according to attendees of this week’s Forecast 2012 event in New York, mandate that a company keep a customer’s data in that customer’s home country. One oft-cited reason is to prevent that data from being subpoenaed by a foreign power (read: the U.S.).
And that factor is the biggest difference between an enterprise’s virtualized data center and a public infrastructure as a service, said Matt Louth, principal security architect for the National Australia Bank.
Multiple regulations governing where a company can store customer data mean that multinationals have to field data centers in every country where they have a presence — a trend that flies in the face of the appeal of borderless clouds.
With these rules, the fact that data lies within the control of the enterprise is absolutely key, said Ian Lamont, IT security specialist at BMW. A photograph from a brochure can live anywhere, but customer data or the company’s crown jewels? No way, he said. “Companies don’t feel they have the relevant levels of control, management, visibility,” from their cloud providers about where data will be stored, he said.
It doesn’t help for a bank to hear its customer data will be in this European cloud “region.” Not specific enough.
Andrew Stokes, chief scientist of Deutsche Bank Global Technology, brought up the same issue in another keynote Wednesday. “There are so many regulators and regulations — we need to be safe. Every geography has its own unique sector and laws.”
“We’re in 75 countries I think. We need a superset of all these regulations that makes sense and that we can comply with,” he said. His hope is that the Open Data Center Alliance that sponsored this week’s event can help with that.
One of his takeaways was that cloud service providers have to be able to meet regulatory obligations specific to the business sectors they address in auditable ways, he said. “Cloud customers must have the right of audit, we have to assess and assert that we’re meeting our regulatory obligations.” For them to be able to do that, they must have the documentation from their cloud partners.
This is a topic that will keep cropping up, including at next week’s GigaOM Structure conference. Unless and until the various rules and regulations converge or cloud providers can provide detailed assurances of exactly where data will reside, a good chunk of business will stay on premises or in private clouds.
Photo courtesy of Flickr user Todd Ehlers