The Patchwork Cloud: Breaking Laws You Didn't Know Applied

Wednesday, July 11, 2012

Rafal Los


GigaOM was running a summary wrap-up of their Structure 2012 conference and it raised some interesting questions, and should raise your eyebrows a bit.  

It would seem as though through the seemingly religious quibbling about how the cloud should be built and run there runs a recurring theme - legal implications of hyper-scale cloud computing.

Note: I just want to make it clear that I'm neither an attorney, nor am I offering you legal advice, but this topic simply begs analysis and conversation.

On the off chance you're running your business "in the cloud" you're probably starting to think about what my colleague Christian Verstraete calls "computing without borders".  

When all the servers you were using were physical and you could, on command, go and point to them - life was relatively easy compared to where we're going next.  From the article, here were a couple of speakers at Structure that mentioned "software defined data centers" (which is a new concept to me, admittedly) and the types of capabilities that super-agile companies are looking for such as completely deconstructing the physical server as we know it today.  

Are we on the precipice of seeing an extinction of the physical server?  Only time will tell... but there are more than just the physical vs. software implications here. In particular, what caught my attention is a piece at the end about how any organization using DropBox is probably breaking the law.  First reaction... what?!

After I thought about it for a while it makes perfect sense.  Dropbox allows you to store data in any way you please, and you can store medical information off a computer in Canada, which means it's stored in "the cloud", and you can log in from the US, or anywhere else in the world and download the data in the same format... data without borders.

I can only imagine how many organizations have Dropbox, or Box, or SpiderOak, or some other data synchronization service and are storing patient, secret, or proprietary data in the cloud while breaking corporate policy as well as national data laws.  This makes this type of cloud service both extremely beneficial, and dangerous at the same time.  

While you can't always account for your employees' actions, you as an organization will still be held liable for them.  The explosion of computing operations without physical boundaries and physical systems is bringing this entirely new level of change and confusion.

The typical security-minded reaction of "simply don't allow it" is invalid, I'll just say that straight off.  I can tell you that if you disallow cloud-based file synchronization services as a whole, on company assets people will find a way to be productive in spite of your policy lock-down, and will still get creative and accomplish the same thing.  

The challenges of dealing with a completely connected, ubiquitously computable world are that data can be moved, stored, and used anywhere and that the infrastructure that moves that data around is less and less under your control.  That's an interesting thing for information security professionals...

I see one solution, and one solution only to this problem.  Organizations must learn to protect data itself, not the systems or pathways on which it travels.  We've failed with DRM (Digital Rights Management) which is cumbersome, breakable, and largely ineffective - so what's the actual answer?  

I'm not sure... but it will be an evolutionary step forward in the way we as technologists see data.  This is a challenging time, and we need evolutionary thinking, not the same old draconian policies to keep our data and information safe.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Cloud Security
Service Provider
Legal Compliance Cloud Security Enterprise Security Storage Cloud Computing Managed Services Data Center Liability
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.