Data sovereignty and the dangers of hosting data outside of Australia

Hosting your data in the cloud offers several benefits for organisations, including easier file sharing among employees, easy remote backup and, in some cases, cost savings. But with the US Patriot Act, the DMCA and similar, storing your data with an offshore company may allow foreign entities to rifle through said data - without your knowledge.

Cloud is often presented as a cure-all for data storage, because it combines ease of access with low cost. In addition, cloud offers the seeming security of housing precious information off-site in purpose-built facilities not susceptible to natural disasters and power outage.

This perception has become so widespread that organisations, including many in government, are rapidly moving parts or all of their operations to the cloud. While there are indications that some of the large early adopters, like IBM, are reconsidering the parameters (they recently forbade employee access to Dropbox and Apple’s iCloud), the momentum to the cloud is unlikely to be stopped, because the imagined savings are just too attractive.

Two years ago, the federal government in the United States began to urge its agencies to embrace a ‘cloud first’ approach when it came to IT procurement. The goal was to lower costs, and today they are saving about US$5.5 billion every year. Given recent projections, if cloud first was adopted even more widely, those savings would rise to US$12 billion - almost the equivalent of NASA’s annual budget.

With numbers like this, it’s no surprise that cloud is becoming so dominant. It’s also no surprise that IT managers’ concerns are frequently shunted aside, especially when ‘hard’ savings numbers are weighed against security risks that are difficult - if not impossible - to assign a dollar figure.

But these concerns must not be pushed aside. Any organisation - government or private sector - that doesn’t become fluent in data security, is taking a sizeable risk. This is especially true if that organisation is based in Australia.

While there are numerous issues around cloud and data security, I want to focus on two of the most important: data sovereignty and the value of keeping things onshore.

Foreign law

There is a strong out-of-sight/out-of-mind component to the cloud. It might seem like stating the obvious, but when your data is in the cloud, it is actually a ‘resident’ of a particular country. As such, it is governed by the laws of that country and those laws might be very different, and significantly less friendly, than those of Australia.

Michael Chertoff, the former head of the US Department of Homeland Security, has argued forcefully that organisations that handle private data should keep it onshore. Chertoff experienced first-hand how quickly data sovereignty can devolve into a legal wrangle that puts critical and private information at risk. As a result of sweeping antiterrorism legislation, US law required that international airlines provide access to traveller information. From the European perspective, America was asking for protected information about its citizens.

This situation led Chertoff to conclude that data sovereignty and cloud goes well beyond protecting classified information and military secrets. He made a vivid point that can be applied to Australia: “At all levels of government, we store the working-day information that helps government function: email exchanges, calendars and the like. The scope of our government’s data holdings is as wide as the expanse and reach of government, and likely contains information that touches upon all aspects of American life [including driver’s licences, real estate data, birth and death records, etc].”

Chertoff was saying that it’s easy to forget just how big the scope of data storage is today. Some of it might be non-critical, but much of it is genuinely precious and needs to be treated like any other commodity. Where that commodity is stored and who has access to it matters a great deal.

Chertoff’s observations also apply to Australia, ironically in part because America’s own sweeping laws make offshoring Australian data in the United States something to avoid. Both the Patriot Act and the Digital Millennium Copyright Act (DMCA) have shown just how data stored in the United States is vulnerable to law enforcement intrusions.

The Patriot Act means that your data can be accessed and you probably will never know - in fact, in some cases, providers might not be allowed to tell their customers of such access. Moreover, US companies usually readily comply with even informal requests, known as National Security Letters (NSL), for such access to data.

Similarly, enforcement of the DMCA has led to dramatic cloud-shutdowns like the Megaupload case that should have made anyone using similar services reconsider moving to another data storage solution. After all, while Megaupload was targeted for music and video piracy, a study by Palo Alto Networks showed that the service had greater use on corporate networks than Dropbox, YouSendIt and Box.net combined - all currently seen as ‘legitimate’ cloud providers.

Moreover, US-owned companies will also be forced to comply with these laws even if they are housing data in Australia. But the reality is that there are many bilateral agreements between Australia and the United States. If the US wants particular data, that data will often be given to them on a silver platter, regardless of whether or not it is being housed in a US-owned data centre.

But the issue of data sovereignty goes beyond the United States. Many leading organisations are starting to recognise that the country where data is stored is critical. Financial organisations tend to be especially sensitive to these issues because of regulatory issues. Andrew Stokes, Chief Scientist of Deutsche Bank Global Technology, recently said, “There are so many regulators and regulations - we need to be safe. Every geography has its own unique sector and laws.”

A familiar environment

For most Australian organisations, there are substantial advantages to storing data onshore in an environment that is politically, economically, financially and even geologically stable and familiar. This involves business continuity (BC) concerns. After all, the organisation can better assess the robustness of data centres, especially when it comes to disaster recovery (DR) scenarios.

The Brisbane floods and the bushfires in Canberra drove the point home that you need your DR facilities in different locations, because having two data centres in the same geographical region can still lead to prolonged downtimes. But, again, onshoring allows for the organisation to assess the best approach from a DR angle.

Additionally, on-shoring permits organisations to benefit from strong local security certifications such as ASIO T4, DSD HP and PCI DSS, which are essential for the highest level of data protection. The ‘human factor’ and physical proximity is also critical. It matters that an organisation can see where their data physically resides, that they can visit data centre sites, get to know the people delivering their services and have access to senior engineers in their time zones.

Arguably, the starting point for data security begins well before you start worrying about data sovereignty. Government agencies and any organisation with sufficient reason to care about data security need to know that:

• data is being identified, classified and protected both physically and electronically;
• any person who may handle the data has appropriate security clearances;
• there is a defence-in-depth strategy in place;
• threat detection and response, not just data protection, is practised; and
• the three postulates of security (confidentiality, integrity and availability) are being enforced.

While most, if not all, onshore cloud providers will fall down on these counts, those organisations that are scrupulous about their data can and should find private cloud providers that can meet their rigorous specifications. The cost might be higher and the ROI difficult to calculate, but data security means too much to be lost in the current rush to the cloud.

*Carlo Minassian is the founder and CEO of earthwave, an Australian provider of managed security services, security-as-a-service and ‘clean pipes’. Since starting the company in 2000, Minassian has helped establish earthwave as a security service provider serving hundreds of Australian businesses. He and his team blog at http://www.earthwave.com.au/blog/.