Saturday, July 2, 2011

cloud providers - patriot what?

There are at least 10 US cloud appliance* providers who are selling into the UK at the moment.

Some offer a 'European' region service based in mainland UK or Ireland.

Example Region Location:
  • Rackspace - London & Slough
  • Amazon - Dublin
  • CenturyLink - London and Frankfurt

European Region - what and why?

The Rackspace and Amazon European appliance region is a way of reducing latency between the 'home' customers and the appliance.

In short, if you are a UK company and most of your web traffic comes from the UK and Europe, then it makes little sense to force all that traffic through a transatlantic web pipe to Northern Virginia.

Another reason for a US cloud provider to offer a European location is to offset the argument that using the cloud is off-shoring outside of Europe.

By creating jobs in London and Europe, both Rackspace and Amazon appeal to the desire of UK businesses to support some employment in the country where they sell.

In Amazon's case there is a tax benefit to their choice of Dublin - 12.5% corporation tax.

For more US cloud providers with a European region, consult the list maintained by CloudHarmony.

Privacy, compliance, and National Security of a Foreign Government:

Here everything gets a little complicated.

Some preamble ...

Firstly, I do not intend to disparage 'the cloud' or any of the cloud providers, who have HQ and corporate tax base in the US.

Secondly I do use Rackspace & Amazon myself, in amongst a mixed pool of server provision.

Thirdly I operate servers in the UK and US - I believe that I am fully informed, and aware of the implications of hosting data in those locations.

I will not cover the Patriot Act in detail; however, as a business, you should be aware of the following...
If you host data in the US, or in a regional datacentre operated by a company having its HQ and corporate tax base in the US, then your data is covered by the Patriot Act.
What this means in effect is that, provided the US authorities can meet the oversight requirements, Rackspace, Amazon, and Microsoft might be obliged to hand over any and all of your hosted data to comply with an access request.

Quoting from a recent readwriteweb article:
Microsoft has admitted that it will hand over data to the U.S. government, if properly requested, even if that data is stored somewhere other than the U.S.

The issue, according to ZDNet's Zack Whittaker, is that because Microsoft is a U.S. company it has to comply with the Patriot Act, and that means handing over data that may be offshore. The same rules would apply to Amazon Web Services and any other U.S. based cloud provider that has servers overseas.

With server memory prices decreasing and processors getting more powerful, cloud datacentres are placing 50 / 100 / more appliances on each underlying host.

If just 1 tenant (cloud appliance) is subject to a seizure request, then the data of the other 99 tenants gets carted off with that server also.

Data Protection Act and Encrypted Data requirement:

In the UK there is a mandatory requirement on every UK business to apply best-practice security to customer data; however, to my knowledge, data on company servers is not currently required to be encrypted.

Here we now have two things working against each other it seems.

Using a US headquartered cloud provider increases the requirement for server data encryption ... your customer data must be protected from all external access (disclosed or otherwise).

However, the UK requirement for 'key disclosure' (RIPA Part III) could be viewed as a disincentive to businesses' use of encryption keys.

Employees who want to avoid personal responsibility for 'key disclosure' are probably going to be less willing to engage with US headquartered cloud providers.

Cloud providers with HQ in Europe:

To my knowledge, the UK, Germany, France, and Canada have nothing even remotely close to the Patriot Act and its non-court order server seizure.

Here is a sample list of cloud providers:
  • Elastic Hosts [ HQ in Worcestershire ]
  • Memset [ HQ in Surrey Research Park ]
  • VMhosts [ UK plc with HQ in West of Scotland Science Park ]
  • (formerly [ HQ in London ]
  • CloudSigma [ HQ in Zurich, Switzerland ]
  • OVH [ HQ in Roubaix in Northern France ]

Notes and Further Reading:

Rackspace operates data centers in Texas, Illinois, Virginia, UK, and Hong Kong.

The European Commission has recently been asked for an opinion regarding several of the points raised in this article.

In this article I have argued things from my personal point of view; here is a thorough counter argument, by SurveyMonkey, to some of the points I touched upon.

Just one comment on the SurveyMonkey blog article...
There is a distinction between applying for a warrant and court process, versus the FBI non-court authorised server seizures that have happened under the banner of the US Patriot Act.

2014 update: The recent case with Microsoft being ordered by a US court to hand over data stored on servers in Dublin illustrates the problem is still an issue 3 years after this blog post was first published.

Judge Preska quote: "It is a question of control, not a question of the location of that information"

I hope the message from this article is not anti-cloud, as that is not my intention. If I were to repeat one line from this article as a summary it would be:
When choosing a cloud provider, do your research.

If Scotland or Iceland manage to really sell and deliver the 'lower cooling' promise, then perhaps these locations might be future cloud provider HQ, or regional datacentres.
