Don’t let drama over data sovereignty dictate a business’s IT strategy, warn experts on privacy and cloud computing.
Whistleblower Edward Snowden's revelations last year about the level of data collection and surveillance conducted by the National Security Agency (NSA) in the US renewed fears among Australian organisations about offshoring data to US-based cloud vendors.
Snowden's leaks indicated that the NSA was collecting data from Google, Microsoft and other major providers of cloud services. In response, some Australian cloud vendors have touted the fact that they are locally based as a selling point.
Businesses would do best to take with a grain of salt the sometimes emotional sales pitches from Australian and US vendors on either side of the data sovereignty issue, says Malcolm Crompton, managing partner of consultancy Information Integrity Solutions.
“Our advice has always been that each organisation has to undertake its own risk assessments,” says Crompton, a former Australian privacy commissioner.
“Do your work,” he says. “Do it calmly. Do it objectively.”
There are risks that come with holding data offshore, but there are also risks in keeping it within Australian borders, he says.
“There will be some use cases for on-shore service platforms, but it really is about comparing your current state with your future state, and your current state is not perfect.”
Gartner's Michael Warrilow says it is critical that Australian businesses have a plan with regard to data sovereignty.
“If they don’t, they’ll keep having this inconsistent and emotional approach to the issue,” the analyst says.
Instead, organisations should have a “repeatable method of identifying what should go to the cloud and what shouldn’t.”
“The vast majority of information that is protected doesn’t need to be,” he says.
“We’re not saying don’t protect and don’t use security, but it would be better applied if applied to the things that really matter.”
Civil Liberties Australia director Tim Vines says it’s “good practice for businesses to take an active interest in how their data is stored.”
Losing control of client data can cause great reputational damage, he says.
“While some companies may be able to bounce back from it, other ones will find it very difficult to maintain their client base.”
What about the NSA?
Snowden's revelations have shone a spotlight on spying by the US, but businesses must remember that other nations are spying as well, says Crompton.
“Part of the calibration is that the Americans are not alone in what they’re doing.”
The only differences between the spying that Snowden revealed in the US and what’s happening in Australia and other nations are that the US activity has been exposed and the Americans have greater spying resources, Crompton says.
“The issue really isn’t America. The issue is how many jurisdictions do you want to be exposed to, and is that a risk that you want to manage by not being exposed to so many jurisdictions, when the trade-off might be reduced costs.
“You cannot do this without considering privacy issues which in turn include compliance risk, enforcement risk and brand impact.”
Keeping data in Australia might not mean it’s safe from US spying. The documents leaked by Snowden have also revealed that the Australian Signals Directorate (ASD) has offered to share information about Australian citizens with the US and other countries.
“What’s quite interesting from all these revelations is what protection there is for information that’s collected by an Australian security agency [and] how easily that’s going to be shipped overseas,” says Vines.
In fact, says Warrilow, the Snowden revelations may actually lessen concerns about data sovereignty.
“There’s more transparency now,” he explains. “It’s demonstrable now that there are parties that can get at your data wherever it is.”
Whether a foreign government can access an organisation’s data is one risk to look at, he says. But with many of the NSA techniques disclosed, “there’s a much greater likelihood that a criminal element is going to leverage those same techniques for criminal activity.”
“Whether you’re in the United States or Australia, it’s really just a matter of how quickly can they break in and get your data?” Warrilow says.