Post-Snowden/PRISM revelations many enterprises (and governments) are increasingly concerned that foreign governments will request access to their data stored on international clouds, leaving them compromised. The most common response to this risk has been to push for 'national' clouds, where data is held within the country in question, run by local companies, and is (only) subject to national laws.
This is highlighted by new laws being drafted in Brazil, Russia and locally in certain EU states requiring that all data must be stored within the country. To try and assuage some of these fears, the likes of AWS, VMware and Microsoft have announced the construction of new data centres throughout the EU.
We spoke to Simon Aspinall, president of service provider business at Virtustream, on this subject, to find out more about these moves and what they might mean.
TechRadar Pro: Will this solve the issues with data sovereignty?
Simon Aspinall: In a word, no. Not the whole problem anyway. Data access is the critical issue to consider here. These new data centres will still be owned by companies based abroad, meaning that enterprises will still be vulnerable to judicial (over)reach from foreign governments. The clouds are still administered by nationals from foreign states. In many cases a high level of knowledge is required to prevent data being shipped around between data centres.
For these sovereignty issues to be comprehensively addressed, the data would need to be stored and managed by a national company. A global cloud provider like AWS/Vmware/Microsoft/Google will have to build at least two data centres in every country, employ local operators, establish a local entity and will still be subject to foreign government pressure/access.
TRP: How can this be implemented?
SA: A number of national telecoms operators and system integrators already operate cloud services and data centres. By enhancing these services (with security/compliance capabilities) they will be able to address the more sensitive enterprise and government workloads. Following this model, the national service provider manages the data, not an overseas company, and as a consequence it will be solely totally under the remit of national law.
TRP: Are there any other benefits of this approach?
SA: Cloud is immensely compelling for all businesses: scale advantages of multi-tenant efficiency, the improved dynamic agility it brings and improved security/compliance/backup (through shared experts) are immensely valuable. All businesses will transition a majority of their activities to the cloud over the next few years. Most CIOs look at the cloud initially for the economic benefits but discover the business agility is immensely compelling.
A locally implemented cloud delivers these benefits and tends to be perfectly tailored to local business (following local rules/regulations) and often a telecoms provider can better pair cloud with other services (network connectivity for example).
TRP: Are there any other options and will there be a shift in what enterprises look for from cloud vendors?
SA: Businesses may choose to take the option of implementing their own private cloud, removing the need for any third-party involvement. Typically this means adding cloud management software to an existing data centre/set of IT assets. This delivers the agility of cloud and provides some of the multi-tenant benefits (sharing applications/departments within a business or group). The pressures above will also drive a surge in demand for private/hybrid cloud software.
The type of cloud providers that enterprise businesses are looking to work with will also shift with the growth of national clouds. With concerns heightened over where data is located, many businesses are now looking for more specialist cloud providers to deal with high security, high compliance and an ability to support mission critical data. We expect more specialisation within cloud providers in the future (e.g. healthcare clouds, financial clouds, education clouds) tailored by industry.
Ultimately, the strategy that many of the global providers have adopted will only solve half the problem and not give the enterprise the safeguards they are looking for. Building new data centres around the EU will still leave European companies vulnerable to data requests from overseas. Only putting data in the control of national companies or implementing private clouds will provide a complete solution.