Net results: implications of data safety in the cloud are still up in the air

Who can get at your data? As companies gradually embrace various aspects of cloud computing, using software, services, and hardware located somewhere out on the internet, that question looms ever larger.

It’s no longer an issue of whether organisations want to use the cloud. Many are well on their way to putting at least part of their business activity there, meaning some of their data is held in a data centre somewhere. At the same time, few are fully gung ho cloud converts. Yet.

That ambiguity is reflected in analyst Gartner’s recently issued 2014 Hype Cycle. Hype Cycle, celebrating its 20th birthday this year, is a handy tool for picturing where emerging technologies sit in terms of acceptance and adoption.

On a graph depicting expectations against time, technologies go through five stages (if they last the whole cycle; many don’t). Phase one is the sharply climbing slope of the Innovation Trigger, followed by the apex, the Peak of Inflated Expectations. Then there’s a steep drop into the Trough of Disillusionment, followed by a gradually ascending Slope of Enlightenment which eventually flattens into the Plateau of Productivity.

Cloud computing is at the bottom of the Trough of Disillusionment, with Gartner predicting it will be in the Plateau stage in two to five years. In tech terms, that's not very far away. But it's distant enough that all the implications of moving to the cloud have not been thought through. Some of the more tangential concerns are only now becoming obvious, and urgent. Key among them is that question: who can get at your data? It's a huge business and personal issue, of serious legal and civil consequence. We are more aware of how much access surveillance agencies like the US National Security Agency (NSA) and the UK's GCHQ have had to our digital data.

As security expert Bruce Schneier said in a lecture for Dublin-based human rights organisation Front Line Defenders this week: "We live in a golden age of surveillance." That's thanks to the perfect storm of a very insecurely structured internet, alongside putting so much of our personal and business lives into digital format.

Data within borders

With Europe in an understandable post-Snowden snit about whether the US is respecting its greater data protection safeguards, some EU countries may require that citizen and business data remain within their borders. Germany in particular has led this charge.

At Oracle OpenWorld last week in San Francisco – the company's huge annual conference – one of its first announcements was two German new data centres.

It included the carefully phrased note that these “will provide cloud services to those businesses in the German market whose preference is for cloud applications deployed in Germany”.

As far as I am aware, this is the first move by a major US multinational to step up and address this new demand.

I asked new Oracle joint chief executive Mark Hurd about this. "There are many reasons . . . There are issues around data sovereignty by country. In some cases there's issues by industry – financial services and healthcare have significant regulatory issues that impact on how and where data can be housed and stored. So as a result, we've gone down the route of opening multiple data centres now in many countries," Hurd said.

“Our strategy has not been that we’ve wanted to build data centres all across the world, but the secular pressures . . . have caused [us to move] across many geographies and my guess is that we’ll move across many others in the future.”

He said although Oracle has data centres in multiple geographies, “we have one cloud . . . a single version of data capability.” But not one cloud, moving data from, say, that German data centre to one in the US.

Whether this is adequate to block access from the US, by security agencies or the courts, is up in the air. One US case demonstrates this: Microsoft is fighting a compulsion to hand over customer data held in its Irish data centre to a US court.

OpenWorld had one session on the emerging cases around cloud sovereignty issues, but it was off in a peripheral hotel. But the German announcement indicates at least some major US players do not want rain falling on their cloud business parade and will take EU concerns seriously.

Still, no one knows the definitive answers to the legal questions or whether national data centres will ringfence European data. Over time, case law will give new shape to the cloud, as it slowly floats towards that Plateau of Productivity.