By Julian Box
Today, even the most ardent naysayers are coming out and proclaiming cloud as the only way to do computing. This is especially true in my own jurisdiction of Jersey in the Channel Islands.
With technology suppliers suddenly telling you to use cloud, does it really matter which one you use, who owns the service provider, and where it stores your data? The quick answer to all three questions is ‘yes’ – but let’s look at each one:
Is there a difference between cloud service providers?
This question is probably thought about the least. There are people and suppliers that believe only the large cloud providers can be trusted, but how true is that?
Take Amazon and Microsoft. They’re the largest cloud providers in the world today, having multiple data centres around the world with thousands, if not hundreds of thousands, of customers. However, they have one big, often overlooked issue — they are lock-in clouds. Sure, they have some great technology, but once you start using it, you can’t get out.
Their technology is designed to be proprietary — you have to use them and only them. Whether you use Microsoft’s Azure or Amazon’s AWS, their tools, utilities and APIs only work in their clouds. If you want to move, it will cost you so much money that it becomes prohibitively expensive to leave.
Most companies moved away from technology lock-in years ago, as it hinders creativity and innovation, while ending up costing more in the longer run. Look for a provider that is technology independent, providing the flexibility to move in and out of its cloud services without penalty.
Who owns the cloud service provider?
Does it matter whether they are based in the US rather than the EU, or offshore? Currently this is a very grey area and shouldn’t be taken lightly.
US-based cloud service providers are at the heart of several outstanding court cases in the EU. Microsoft is trying to stop a US government warrant against them for data held in Ireland (they have already lost the initial case and one appeal). The European Court is currently reviewing whether the Safe Harbor agreement (the agreement that the US and EU work under so that data on EU citizens held by US companies meets EU regulations) is still fit for its purpose.
Currently the best advice from legal experts is to not use non-EU owned cloud providers or use a locally based provider within your jurisdiction until these issues are resolved.
Does it matter where data is stored?
There are several reasons why data residency is fundamentally important. Firstly, most countries have laws about where you can store data, especially data that includes personal information. To ensure you meet these regulations, the best advice is —again—to make sure data is locally held within your jurisdiction or in the EU.
For offshore-specific businesses, most jurisdictions don’t have a legal requirement to keep data offshore, but many businesses will have client data that needs to stay offshore for compliance reasons, let alone client perception reasons. And then there is the very large and looming issue of the soon to be implemented new EU Data Protection law that will be putting enormous new burdens on businesses around data held on EU citizens.
This new law will also be coming to jurisdictions such as Jersey, as they will be required to have broadly the same laws in place to be able to trade with EU countries. This new law will also have a massive impact on US-based providers that will have to abide by the new rules, as well, simply having a data centre in an EU country will no longer suffice.
These examples are just scratching the surface. There are many reasons that choosing the right cloud provider is a critical decision and shouldn’t be undertaken without the due consideration it deserves.
With so many options, don’t be fooled into thinking that all technology suppliers are suddenly experts in cloud or that all service providers offer true cloud computing with free movement of data. And, with the laws around data protection changing rapidly, be certain that your service provider isn’t going to compromise your data protection obligations.
Finally, select a provider that truly understands cloud, security and data protection and places them at the heart of their offerings — ultimately a provider you can trust.