'Collection geography'
It's all about compliance and 'collection geography'. "It is essential to know what customer data you are collecting and where it is being collected from so that data can be handled in accordance with the laws of the country from which it is sourced," says Krieger. "Transit rules will have to be adhered to, as well as in some instances national requirements for accessing the data."
It's also not just about where the data sits – who is authorised to access that region's data will also be critical.
"Does the provider provision you to a cloud that spans across multiple data centres?" asks Krieger. "If so, verify that those spanned data centres are in the right data regions – it's not uncommon that lower-costing carriers will perform spanning, whereas others are dedicated to specific and approved geo-locations."
Will multinationals have to use hybrid clouds and regional data centres?
Data politics may be in a new era, but the dust will have to settle on this one. The knee-jerk for a company collecting data on people in Europe may be to put all of its data in a local data centre in Europe, and that way remain compliant. However, it's more about how the cloud service provider in question handles that data in order to protect it.
"Data encryption is a key requirement here, as well as cloud security technologies including vulnerability scanning, intrusion detection, anti-virus and anti-malware that maintain security of the infrastructure that stores company data," says Krieger.
There certainly needs to be a new division of labour. One way is for an organisation to store data in private clouds in their own data centres, and use compute resources in the cloud, thereby sending the data up for processing, and immediately bringing it back down to store the output.
"To make this work, the companies will have to invest additional time and effort in cleansing it of all personally identifiable information before sending it out for processing," says Connaughton, who adds that they'll also look for private clouds that integrate easily with public clouds.
Is regulatory compliance becoming more important than cost reduction?
Cloud computing as an industry is maturing, with the early low-cost offerings subsequently making way for speed and agility. Hot on its heels is the current trend for regulatory compliance. It's not exciting, but it's here – and it shouldn't be ignored. But it's not everything.
"The really forward thinking companies are recognising that cloud computing can help them to achieve the regulatory compliance they require," says Krieger, who thinks that compliance should be viewed as a cost reducer akin to insurance. After all, no-one wants the audits, remediation costs and fines.
Many cloud providers, including Krieger's own company iland, generate the regulatory documentation necessary for compliance at a fraction of the cost of having an internal compliance team.
A more capable cloud?
What does it mean to protect citizens' digital privacy? That's something the EU and national governments are still working on an answer to.
"The different, and overlapping, regulations cause uncertainty for organisations," says Connaughton, but there's a more optimistic feeling that not only is data regionalisation possible, but that this is a chance for the cloud to prove itself as a highly adaptable customisable technology offering.
"Improvements for data security and auditing will also facilitate greater use of public cloud through the accurate classification and control of certain data types to ensure that local legislation is complied with and sensitive data does not enter a non-domiciled public cloud," says Connaughton.
Compliance with a web of data protection legislation won't be much fun, but in the long-term it should mean a more capable cloud.
