One of the greatest concerns around cloud computing is: where is the data stalled? At least, it should be. Should you not have put this question to yourself, then it’s time to do so. If it is not already too late of course, but even then, ask yourself this question. The reason I ask is that an IVIR report was published recently, that I’d like to draw your attention to.
One of my hobby horses while blogging is that an organisation should never proceed in ICT changes, just because it’s possible to do so and appears cheaper or better at first glance. Always think over the consequences first, before the negative side manifests itself. Having to make changes then is usually costly and troublesome, if it hasn’t hurt the organisation already in a serious way, e.g. financially, economically or through the loss of vital data or reputation.
This is not hypothetical. It’s certainly real. Data stored in the cloud could be stored anywhere in the world. Are you aware of consequences this may have? Who is able or has a right to access your data there, perhaps without you ever knowing? Does it matter to your organisation’s data if this happens or not?
In the study “Clouddiensten in hoger onderwijs en onderzoek en de USA Patriot Act” (Cloud services in higher education and research and the USA Patriot Act, translation WdN, click here.), by Amsterdam research institute IVIR, focusses on US and Dutch law. It gives a conclusive overview of choices and possible consequences, from a specific question stemming from higher education towards cloud services. What about other organisations, public and private?
To my mind the choices faced are basically the same. The foremost question should be: Does my organisation need to be in the cloud?, followed by: For what part of my organisation is it safe to transfer data to the cloud?
Not just because of the risk that a government starts an investigative process in the form of a legitimate search. This can happen in any country. Added to this specific topic should be questions on cyber security, privacy, digital espionage, physical security and the application of local laws and customs towards your data need to be looked into and answered before entering the cloud. And undoubtedly many more questions. Also you need to know who your cloud provider is (a part of) and where it intends to stall your data.
Don’t enter the cloud just because it saves money. Enter it because it adds to your ICT service in a positive way, after you made a well informed choice that is appropriate and proportionate for your organisation and above all secure. The cyber security of your organisation should be foremost in your mind before moving into the cloud. Better be safe than sorry.
Wout de Natris, De Natris Consult
Leiderdorp, 15 October 2012