A particular story that gained popularity last week has really caught my attention and got me thinking. If you didn’t know, a US Judge has just ordered Microsoft to release emails from servers stored in a foreign Datacentre (based in Ireland). The decision isn’t immediate and gives MS time to appeal, but it’s not looking good for those who think that data stored overseas is safe from the US government. This comes at a time when not many have forgotten about the revelations from Edward Snowden that the NSA and GCHQ have been helping themselves to all manner of data stored both abroad and locally.
As SharePoint people – who are being encouraged to adopt Azure and Office 365 – what does this mean for you? Will this change the viewpoint of the organization that you are working in? If this US ruling sticks, what’s the future for global US Tech companies in general? Is this decision so big that it will stifle the development of Cloud Services? Or, is it something that will eventually be circumvented by those who can afford to implement a complex network of international companies that can operate under different jurisdictions?
Thoughts?
Let’s be clear – in Germany it is against data protection laws to store personal data – including names and email addresses – on American servers located anywhere. The argument is that to do so means putting those names and addresses into a big NSA database. Not only can the data be misused by American government or law enforcement personnel, but it can also be stolen by people like Snowden or Assange and published on the Internet. Deutsche Telekom has even proposed creating a national Internet firewalled off somehow from the rest of the world. Don’t forget Germany is a country that experienced the Gestapo and the Stasi within a single generation and is less inclined to trust government than Americans seem to be…
If the court specified exactly whose account they wanted access to and for what reason – a pending criminal investigation, perhaps – then fine. But that is what Snowden was so irritated by, the generalized nature of data farming by Big Brother. They have no right to collect wholesale data.
Companies need to encrypt their data heavily, regardless of whether they are securing it from government or not.
As for the reliability of the cloud in general I think it will be one of the first things taken down if there is a global conflict of some sort. A giant is easier to kill than a thousand ant hills. China, Russia, the US, and other countries constantly attack each other in cyberspace so it is just a matter of time before some really large “cybernado” causes lots and lots of problems by taking down some large data centers.
Yes this is a huge concern which in my opinion has not received the serious attention that it deserves.
Microsoft knows that it blows a huge hole in the privacy of data stored anywhere in the world. This is why they are appealing the ruling. I do not think they will succeed.
I agree with other comments here that Cloud is perfect for many small businesses who do not need to store commercially sensitive information in the cloud. Office 365 allows them to outperform many larger companies without the overheads of employing specialised support people.
I also agree with comments that for larger companies a possible route is the hybrid model but this also brings its own risks. At the end of the day the most secure way to store critical data is to have a secure vault, guarded by armed soldiers, with no connection to the internet or to any other system. The only user would be someone who is given access to the room. USBs, floppy – any way of transferring data would be prevented. If a hard disk needed to be replaced smash the old one to pieces with a sledge hammer and shred the remains. There is no such thing as a 100% secure system.
So we have to take reasonable steps to secure business critical data. Opening up data to the Cloud is a big risk that has to be managed appropriately.
I also note that in recent weeks there have been repeated Microsoft Cloud outages with people unable to access for sometimes days at a time. I am getting tired of the Microsoft partner site repeatedly being unable to log me on – obviously cannot cope with the traffic so this does not bode well for the future as more and more people use the Microsoft Cloud.
Depends on how you define ‘sensitive data’. You could argue that even the audit history about a business process is sensitive. For example, from the SP Audit logs you could reveal that Joe Bloggs just modified ‘Bribe ACME Corp 1 million.docx’ which would be very interesting information for a foreign govt. In fact most data stored could be of some use to a foreign government for their own purposes. (Social, Email, Doc management, custom apps, etc).
I guess it all boils down to how you partition the data and apps and how do you enforce staff to work within the correct silo for the business process they are performing. In reality this is a real mess and I think it’s so complex to govern that Hybrid (some local and some global) won’t work. Nationally regulated companies with nationally located data centres are going to win through eventually.
That is exactly why European governments and a big part of European big business (which is in large part dependent on the European governments) will never commit themselves fully to the cloud, at least not in the foreseeable future. Any SP service provider operating in Europe should take it into account.
Tomasz mentioned France, but I believe Germany has a similar policy, even enforced by law.
The only acceptable middle way for me would be a hybrid solution. The sensitive data must remain local and other data can be put in an EU-located cloud. Would that make sense?
