Personal Data and Cloud

Surprisingly, each government believes that it can protect private data better than anybody else. As always, government attention makes our life a little harder.

For the last 3 years, I have attended a dozen events dedicated to Private Data in Cloud. If Cloud providers sponsored these events (better catering), speakers explained why Cloud is fully compliant for keeping personal data. If industry associations organized them (cheaper cakes), then I would have a chance to listen to a ‘Snowden-like’ presenter who believes that no data is safe, that in Cloud it is half as safe, and that keeping personal data in Cloud is madness.

Private Data legislation is severe in many countries. But in such markets as Russia and China, sales teams of global Cloud providers use local requirements as a universal excuse to explain why targets have not been met.

Let me share our Russian story. The Moscow branch of the Cloud Department is located right next to the Security Department of our company. We sell Cloud, and they sell security stuff: consulting projects, specific hardware and tools. So, I decided that I could offer, as part of my Cloud deals, as many in-depth Private Data projects as customers needed. As soon as a customer raised the topic of Private Data, my sellers invited a next-door security specialist who knew the subject very deeply and could offer consulting or sell hardware. Surprisingly, over a period of one year, with a huge number of pre-sales, we sold just two projects for our colleagues. In all other cases, customers concluded after discussion with these specialists that they did not have any specific tasks for Private Data in Cloud. Something was wrong with my plan.

So, when do customers raise the topic of Private Data in Cloud projects?

  1. The least frequent case is when customers indeed worry that the data of their customers or employees will be more vulnerable in Cloud than on their own servers.
  2. The second and largest group is when customers are worried about compliance and potential audits from authorities.
  3. The last group of clients uses Privacy as a reason for not going Cloud. Private Data, Connectivity and Security are the most popular justifications for a CIO who does not want to start a Cloud project.

I want to talk only about the second group, as I have already written a separate text on security in Cloud, and ‘fake’ (in Trump’s words) customers have nothing to do with Cloud.

Private Data legislation regulates how companies operate with data. In most countries, it is mostly about policies: how to collect, to whom to transmit, who has access, etc. In some countries, regulation also requires the use of specific technical tools, e.g. in Russia compliance is more difficult as authorities demand national certification. Therefore, the list of tools required is even simpler than in some other countries, but all these tools must be certified by local regulators to be able to work with many categories of private data. As a result, many international companies cannot use the same systems that they use in their own countries.

All this stuff above makes companies’ lives harder, but it has nothing to do with Cloud. Moreover, for many customers, moving personal data to Cloud will be quite an efficient step, as many Cloud providers build infrastructures that comply with local requirements and customers do not need to go deeper on the technical side.

A more serious barrier is the requirement to store personal data inside the country. For example, in Kazakhstan you cannot locate Private Data outside its borders. As a result, a local Cloud provider has extra customers. This geo limitation is the most difficult to execute, as there are a lot of funny moments in implementation. For example, when citizens go to an embassy (e.g. US) to apply for a visa, they provide their data (even fingerprints) for examination. So, the FBI checks if your fingerprints have records in its database. It is a rather hard task to persuade the FBI to bring this process outside the US.

That is why in most countries the Personal Data regulation is not implemented in full. Each country has its own tradeoff about which authorities actually control it and which requirements are mostly declarative. Coming back to Russia, the regulator published ‘recommendations for the law implementation’ about Private data storage abroad that are much lighter than the law itself.