Let’s face it: When you commit to a public cloud provider, your data is out there. Somewhere. This basic fact of life has cloud adopters, as well as the cloud curious, grappling to understand exactly who can access their data. Is it safer to store data with cloud providers in certain geographic locations rather than in other areas? Is Big Brother really watching?
In a recent study by Hogan Lovells, a global legal practice for corporations, financial institutions and governmental entities, Christopher Wolf, co-director Privacy and Information Management, examined the extent to which governments in various jurisdictions can access data in the cloud -- regardless of where the cloud provider is located. “A Global Reality: Governmental Access to Data in the Cloud” details the truths, user misconceptions and some downright dirty advertising tricks of some cloud services providers.
Does the Patriot Act really give the government the right to tap into your cloud data? Or are cloud providers outside the U.S. misleading customers for their own gain? SearchCloudComputing.com sat down with Christopher Wolf to find out.
Can you give me an overview of the study and how you became involved in it?
Christopher Wolf: We represent companies who are active in the cloud computing space, and specifically we have worked on the issue of governmental access to data. That inspired us to speak with lawyers in our firm and other firms around the world to get an understanding of what the situation was with respect to law enforcement and national security access to data in the cloud -- and then we compared that to the U.S. situation. Based on that, we concluded there is governmental access equal to, and in some places, greater than that which exists in the U.S.
What are you hearing are the major data governance concerns of companies moving to cloud?
Wolf: The fact that companies choose to put data in the cloud does not relieve them of their privacy or data security obligations. So they want to make sure that by using a cloud provider, they’re not exposing data in a way that would surprise them or their customers. It’s a question of control, being aware of what exposure there might be and being in a situation to try to reduce that exposure.
Are companies using public cloud services nervous about data governance? If so, are they holding onto certain types of data?
Wolf: Companies are going to have to make judgments on how they use a cloud service. One way to use a cloud service is to encrypt the data before it goes into the cloud and not provide the cloud provider with a key. That’s universally regarded as a way to protect the data from unwanted access. And then there are certain types of data companies decide they will keep within their own four walls because they believe that’s a better way to have control.
Do you recommend cloudsourcing one type of data versus another?
Wolf: No, because the judgment will be very fact-specific. But we certainly don’t think fear should control those judgments. In many ways, the security a cloud provider has could be greater than a company’s own security – both physically and technologically.
In the study, you mention you can isolate data in the cloud using specific providers. Is there one provider you recommend?
Wolf: We don’t make vendor recommendations, but we want people to understand that if a cloud provider in Europe claims that by using its services, data is somehow immune from governmental access or better protected than it would be if placed with cloud providers in other jurisdictions, that is misleading.
What are the data governance differences between the U.S.-based cloud providers and those in other countries?
Wolf: In some countries, voluntary turnover of data to the government is possible. And that’s not possible under U.S. law; there are tight restrictions on the kinds of processes and reviews that need to take place before data can be turned over to the government. That’s a stark contrast for companies to be aware of. That’s one of the primary findings of our study. The degree of access outside the U.S. can be actually greater than within the U.S.
Do you find there are a lot of misconceptions surrounding data governance in the cloud?
Wolf: A lot of companies have misconceptions about the vulnerability with U.S.-based cloud providers versus cloud providers elsewhere in the world. That has been generated first by misleading marketing campaigns of some cloud providers in Europe, and by the general notion that privacy and data security is ‘better’ in Europe than the U.S. In fact, governmental access irrespective of the commercial privacy framework is equal to or greater than the U.S. access in Europe and elsewhere around the world.
What advice do you have for companies concerned with data governance when evaluating cloud providers?
Wolf: There are a number of ways to evaluate a cloud provider; a preconceived notion that U.S. cloud providers are more vulnerable to governmental access of data is simply wrong. That should not be criteria used in selecting a cloud provider.
One of the benefits of cloud services is that there can be distributed computing, so putting geographic restrictions on distributed computing may not allow a company to take full advantage of the cloud. But that’s certainly something that can be negotiated in the cloud service-level agreement (SLA), if necessary.
As a general matter, the more sensitive the data that’s being outsourced to the cloud, the more care needs to be taken in terms of the contractual arrangements with the cloud provider and understanding what security is provided. And a clear delineation of the obligations of the cloud provider should be obtained.
What surprised you most in these findings?
Wolf: Our study found that governmental access is equal to or greater than that in the U.S. But the Patriot Act is being used as a scare tactic by cloud providers in Europe unreasonably; we saw campaigns by some cloud providers to this respect. In fact, they were of such concern that the EU Minister of Justice Viviane Reding took them to task for that kind of marketing. We don’t know firsthand if those types of claims are being made by cloud providers in Japan, for example, which is one of the jurisdictions we studied. But it wouldn’t surprise us.
Michelle Boisvert is Senior Site Editor for SearchCloudComputing.com. Contact her at firstname.lastname@example.org.