If you think the phrase “It’s in the cloud” means that your data resides on the internet and is thus accessible everywhere equally, think again. Most infrastructure-as-a-service (IaaS) cloud services share the same residence model as traditional hosting and outsourcing deployments – they live in specific datacentres in specific geographies. This means that customer data is generated and most likely stored in this physical location, giving it legal and privacy implications. Unfortunately, Forrester’s conversations with end users and vendors suggest that many organisations simply aren’t aware of where their cloud datacentres reside. This lack of information can be quite risky when the location of the datacentre triggers a number of privacy and data security requirements that – if not met – may just land you in jail, facing a stiff fine, or at least navigating cumbersome compliance requirements.
While cloud can be a catalyst for the IT-to-business technology (BT) transformation, it can also be the most expensive project your company embarks on if you don’t have a solid strategy in place first. Security ultimately rests with you, the business – not the cloud provider. While most IaaS providers strive to secure their public datacentre cloud environment, they’re not likely to take responsibility for data protection and compliance. In fact, they take no responsibility for what you do atop their virtualized infrastructures and services. Infrastructure and operations professionals should expect to have to carry this burden when partnering with a cloud provider.
The mesh of privacy laws might seem daunting, but they can be managed by realising that they are rules of engagement rather than business prevention tactics. They don’t prohibit you from using IaaS cloud computing; these laws simply require you to pay attention to where these clouds are actually located and choose providers that will help you meet your constraints.
3. Use the location that makes sense for the business
While privacy laws are an important factor, don’t let them dictate how and where you conduct your business. If it makes sense for you to have a presence in the U.S. or China – do it. Just be mindful of the laws in those geographies and make sure to deploy your services in a way that will ensure compliance. This may mean setting up a series of hosting relationships (IaaS or other). You may alternatively establish channel relationships with other online providers that can cover these compliance concerns for you.
4. Maintain the security posture of your application and data
Businesses using public IaaS cloud solutions need to have a strategy to ensure the security of the OS, applications, and data. This includes keeping security mechanisms such as anti-malware up to date, eradicating vulnerabilities in your applications, and employing data security measures such as encryption to guard against threats to your data within the cloud. Follow the same security procedures you do for in-house applications, as consistency drives comfort.
Enterprises should expect privacy laws to get stricter in the near term, not simpler or more consistent. As technology innovations like cloud computing advance, many countries fear that if they don’t require local information storage, companies will build datacentres in adjacent countries where more favourable economics exist. Protectionist laws simply accelerate this transition because the country with the tightest laws becomes the most difficult to work with.
About the author: James Staten is a Principal Analyst at Forrester Research, where he serves infrastructure and operations professionals.