World+Dog hates PRISM: Cloud Security Alliance

Edward Snowden's PRISM revelations will soon impact the balance sheets of US cloud vendors, according to the Cloud Security Alliance. The group claims the latest survey (PDF) of its 500 members suggests the NSA leaks would make more than half of the non-US respondents think twice about hosting their data with American-based …

COMMENTS

This topic is closed for new posts.
  1. John Smith 19 Gold badge
    FAIL

    US cloud suppliers "Foreigners are dumb and can't read."

    Snowden has helped bring the issue of jurisdiction of data under scrutiny.

    If your cloud deal goes sideways and you have to lawyer up where do you lawyer up for?

    The servers (which, behind this "cloud" BS, is what this is about) are in some country with don't-give-a-f**k-about-foreigners'-data laws? It all got scrambled, but as the company is locally registered they are not liable.

    Man-and-his-dog can look at your data or metadata (i.e. THE PATRIOT Act)? That one would depend on whether that database was shipped in and is "communications data" or the "communication" itself. OTOH if it's a "business record" then it's straight over to anyone who flashes a federal badge. Still not our problem, Mr Customer.

    In principle migrating processing requirements to shared processing pools is an excellent business idea for any organization big enough to need that sort of horsepower. But this time I think the US has no advantages for anyone seriously concerned about privacy or confidentiality.

    US intelligence agencies have shared information with domestic firms (of course only the "secure" ones) before.

    I guess it depends on how seriously you take your business.

    Fail because US cloud hosters don't seem to get that it's their problem and it's up to the hosting company (which is what they are) to prove safety, and they cannot. As a working principle, all your data sent to the US is literally property of the US Govt.

    1. Anonymous Coward
      Anonymous Coward

      Re: US cloud suppliers "Foreigners are dumb and can't read."

      Snowden has helped bring the issue of jurisdiction of data under scrutiny.

      If your cloud deal goes sideways and you have to lawyer up where do you lawyer up ….. Mr customer

      These statements are a sort of weird mixture of half-truths, misunderstandings and falsehoods. Personally I am trying to work out if this is either just lack of knowledge, paranoia or deliberate.

      As I have previously remarked if you don’t want your data seen by anybody else then don’t either put it on the web or in the cloud. Snowden has perhaps just highlighted an issue of which anyone with common sense would be aware. Ah gotta love the smell of fanbois in full flow on a morning:).

      One question: why do your posts always include randomly emphasised words?

      …… processing requirements to shared processing pools is an excellent business idea for any organization big enough to need that sort of horsepower. ….. seriously you take your business.

      If you are ‘big enough to need that sort of horsepower’ do it yourself. It will be cheaper in the long run, the service will be better and you won’t have worries about other people looking at your data.

      Continuing in a familiar theme, this is not a new phenomenon; take a look at the ‘Dirty Tricks’ dispute between BA and Virgin from the early 1990s.

      Fail because US cloud hosters … it's their problem …. sent to the US is literally property of the US Govt.

      It isn't their problem, it’s yours if you let them host data that you don’t want to be seen by others. That said, your data is not literally the property of the US Government. Other than the use of such data under the Patriot Act, the more normal international commercial law would still apply.

      1. Vimes

        Re: US cloud suppliers "Foreigners are dumb and can't read."

        That said your data is not literally the property of the US Government.

        They just treat it like it is. And probably do so even if the data isn't physically stored within US borders, even if such access goes against the local laws of where it is stored.

        http://www.computerworld.com.au/article/413379/australian-based_data_subject_patriot_act_lawyer/

      2. John Smith 19 Gold badge
        Meh

        @Titus Technophobe.

        "Continuing in a familiar theme, this is not a new phenomenon; take a look at the ‘Dirty Tricks’ dispute between BA and Virgin from the early 1990s."

        Where a competitor who was also a service provider let Virgin use their system and abused their position of trust.

        Thing is, if I rent capacity off Amazon to run my catalyst design software, for example, Amazon don't have a catalyst design division and I'd think it in their interest to keep individual customers' data apart. IOW I have a reasonable expectation of privacy (the link to and from them is another matter, but there are other options for that).

        But that rule goes out the window with the USG. THE PATRIOT Act puts my data in a direct relationship with the US government with no control over who sees it or what they do with it.

        Under the rule of law in a representative democracy it's up to the state to prove that I'm doing something they should become involved with. I should not have to hope that it's too busy not to nose into my business basically because they can.

        Your PoV only makes any sense if you are a) very trusting in governments not abusing their powers, b) ignorant of how much information is being collected and retained, or c) your paycheck depends on you being officially a and b.

        I'll remind you that the internetwork was established specifically to enable remote researchers to gain access to high performance or specialist computing resources that they did not or could not do themselves. Again are you really that trusting or that ignorant?

        1. Anonymous Coward
          Happy

          Re: @Titus Technophobe.

          But that rule goes out the window with the USG. THE PATRIOT Act puts my data in a direct relationship with the US government ……….. not have to hope that it's too busy not to nose into my business basically because they can.

          The point I would make is, if the US government uses the Patriot Act, what use can they make of the seized information? Assuming that you were planning a terrorist act then obviously they might well find a use. If it was just information that might be of commercial interest to, say, a competitor then both the international laws on intellectual property and indeed the DPA would apply.

          Now then you may have a point in saying that the subsequent litigation in the states could well be prohibitive in terms of both costs and time. But it isn't true that you have no control over the data.

          Your PoV only makes any sense if you are a)Very trusting in governments not abusing their powers b)Ignorant of how much … officially a and b.

          Now then, this is quite interesting: you seem to be accusing me of naivety? Let’s just compare what would happen with our two points of view. Say for example you and I developed a new super duper algorithm for ‘Airline Bookings’ (this would be topical to the Ed Snowden story).

          I am assuming you would develop it on Amazon and store it on their worldwide cloud. Knowing that this could be worth money I would develop it on a local system and store it on a DVD in a locked drawer in my house (*1).

          So for arguments sake the US government gets wind of our two inventions and decides that they want to get hold of the code to give to one of their local companies. What happens?

          POV 1 – Yours: they rip it off the Amazon cloud and give it to the competitor. You then spend a few days bleating about how it is unfair, yada yada. Then get tied up in litigation.

          POV 2 – Mine: I guess they have two options:

          a. they could try and steal the disk in which case with luck the CIA operative will set off the burglar alarm, get bitten by the dog and nicked by the local Fuzz. Hopefully all three.

          b. They could perhaps accuse me of breaking into NASA’s web site whilst looking for UFOs (which I haven’t even been near, btw). Local Police get involved and, for reasons that defy any sane explanation, decide that I have done the dirty on US computers. Years later they get the code from my clammy hand in a US state pen….. Mind, by then it is pretty useless anyway.

          More likely the Local Plod tells the US that there is no evidence for the accusation.

          It may appear that I trust democratic governments and international laws more than you, but the reality is that I accept the world as it is …. Coming back to the BA dirty tricks I thought that Virgin were totally insane to host their data on a BA system. Just as in my example above as I have said a few times before (until such time as it were a product and sold) it would be very stupid to put important information near the Internet.

          I'll remind you that the internetwork was established specifically to enable remote researchers to gain access to high performance or specialist computing resources that they did not or could not do themselves.

          Why remind me? I know this :) In fact I have made this point in response to a previous comment by somebody bleating on about defense organisations monitoring traffic on their own network. You could also go on to mention that these weren't just researchers; they were in fact people working for ARPA, which then got renamed to DARPA. The original backbone of the Internet at that time was called ARPANET.

          Again are you really that trusting or that ignorant?

          Oh yes .... No! but it would seem that you are?

          (*1) preferably right next to where the dog sleeps on a night.....

          1. John Smith 19 Gold badge
            Meh

            Re: @Titus Technophobe.

            "POV 1 – Yours: they rip it off the Amazon cloud and give it to the competitor. You then spend a few days bleating about how it is unfair, yada yada. Then get tied up in litigation."

            No. Because under THE PATRIOT Act not only do Amazon have to give my information up to them, they cannot say they have done so.

            The only way I would know something had happened would be when my competitor got to market somewhat ahead of me.

            And as for litigation. Amazon could not even tell my lawyers that this data had been copied.

            With no chain of evidence linking the theft through the government I am indeed just another "furiner" bleating about stolen IP. "It's superior US development. You're just a sore loser. "

            But if you've been following this you'd know about the gagging nature of FISA. That it treats everyone like an OC figure who could make witnesses disappear, or a foreign spy with the resources of a foreign power behind me.

            Again, you sound strangely well informed in some ways and ignorant in others.

            That's why you come across as someone whose "ignorance" is paid for rather than real.

            And BTW if you keep up the "bleating" comments you'll start to sound like Matt Bryant. People will start to think of one of you as a sock puppet of the other. You would not want to be thought a sock puppet, would you, Titus?

            1. Anonymous Coward
              Happy

              Re: @John Smith 19

              So in essence what you are saying is if you put stuff on either the Internet or on the cloud you leave yourself in a worse position than I described in my original response?

              That being the case I can only conclude that the sensible approach, or indeed PoV, is mine. Don't put sensitive things on the cloud.

      3. p.houppermans

        Re: US cloud suppliers "Foreigners are dumb and can't read."

        As I have previously remarked if you don’t want your data seen by anybody else then don’t either put it on the web or in the cloud

        Agree on the Web thing, less so on the Cloud, plus you're ignoring the fact that data is sometimes shared between parties, which makes the whole jurisdiction thing a heck of a lot more complex.

        I honestly wasn't expecting a Snowden-style disclosure when I wrote the Swiss private clouds article, but it appears eerily prescient now. The OP is actually right: you need to lawyer up if you want to do it right. I spend most of my time now helping larger organisations develop global privacy strategies, which MUST start with the legal picture (otherwise you're frankly wasting your time).

        There are a number of ways in which you can restructure an organisation to shield corporate information from uncontrolled government snooping (to call warrant-free intercept by its proper name), but you must start with making sure your HQ is not in a nation which has legalised such snooping, or you're wasting your time. If you can meet that basic first requirement, then there are a number of ways in which you can make a presence in multiple jurisdictions actually work FOR you.

        Only once you've fixed those fundamentals can you develop global privacy policies, and then acquire or organise the required technology to implement them. Notice that I use the word "privacy" instead of "security" - policies too must address laws, rights and compliance obligations - the hard work is usually bringing some structure into what is a complex mix of aspects that has had a firm stirring since the intercept disclosures.

        That doesn't mean those issues didn't exist before, but the awareness thereof has now finally entered the boardroom. I see that as a positive development.

        1. Anonymous Coward
          Anonymous Coward

          Re: US cloud suppliers "Foreigners are dumb and can't read." @p.houppermans

          My feelings on this one are: if the processing and information are core to your business, don't let anybody else near them. That includes putting sensitive information on the cloud, and indeed inter-company transfers of information to any other territory. Don't even mention outsourcing/off-shoring ... RBS anybody?

          It chokes me to admit it, but if this has raised these thoughts as far as board level this is a positive development from the Ed Snowden fiasco.

          1. Daniel B.
            Thumb Up

            Re: US cloud suppliers "Foreigners are dumb and can't read." @p.houppermans

            My feelings on this one are: if the processing and information are core to your business, don't let anybody else near them. That includes putting sensitive information on the cloud, and indeed inter-company transfers of information to any other territory. Don't even mention outsourcing/off-shoring ... RBS anybody?

            Now you've got a mighty point there. Yes, it's true: companies shouldn't be outsourcing critical corporate data into the cloud at all! Indeed the Snowden affair has raised concerns about this, but even if the USG didn't engage in snooping, companies should be wary of putting their bits outside. Fortunately the clients we've had in the financial sector know this as well, and as such nobody had even thought of doing the RBS "send all our mainframe management stuff to flaky Hindi provider" thing, even before the RBS meltdown.

  2. amanfromMars 1 Silver badge

    The Pusher Man .... but not as you may know them in these Changed and Changing Times

    We don't need no steenkin' spooks ….. El Reger, Richard Chirgwin, 25th July 2013

    That is an interesting notion, RC, which gives rise to the fact that they may be needing us* to provide them with the intelligence and projects and programming …. [Master Reprogramming of Freely Available Universal Assets and Sequestered Virtual Machinery aka Media Defined and Hosted [Pimped and Pumped] Infrastructure Product for Beta Bigger Picture Show Command and Control via Novel and Noble AI Means and Memes Supply of Future HumanIT Memory Bank Content] …. and hence the constant need for their present snooping operations and clandestine missions/pathetic phishing and phorming exercises.

    Certainly all the intelligence evidence available clearly indicates that there is a significant intellectual property deficit in their content portfolio. And to who and/or to what is one addressing and referring to, whenever one considers who and/or what provides viable vital viral intelligence for future living and which would be their dodgy supplier and lead pusher man

    * Another enigmatic ethereal epithet concealing the probable very well known fact, hardly ever truly acknowledged and admitted to, that just a very select and more intelligent and adventurous/mindless and dangerous Few rule and reign over us and everything under the sun and in planets and moons and stars, with the current present crop of that few being sub-prime and quite primitive and stuck in a queue and not fit for Future Great IntelAIgent Game purpose with ITs Myriad HyperRadioProActive AIMissions …. Ab Fab Fabless Programs and/or Pogroms.

    However, there has been a recent radical and fundamental change which has introduced New SMARTR Virtually Real Players to the Great Games Play.

    Stay tuned for more info anon as IT progresses.

    PS ….. You are very slow off the mark, El Reg. One would almost think that you be retarded and quite content enough to follow the madding crowd rather than lead with a SMARTR AI ProgramMING. Such is though something which is easily fixed with an Intellectual Property Exchange and/or Information Dump.

  3. A Non e-mouse Silver badge

    However, American respondents to the survey don't believe the data sovereignty issue is going to dent their business, with 64 percent of those saying the Snowden affair isn't making it harder to conduct business offshore.

    That's because many non-US organisations realised several years ago that in the US your data has no protection. Non-US organisations stopped using American based cloud services years ago. The clued up ones either never started or took precautions.

    1. Chris Miller

      64% of US organisations don't even realise that there is such a thing as the rest of the world. When a US company tells you they have a 'global solution', they generally mean that it works in New York and Los Angeles (and probably Toronto, but we haven't actually tested that).

      1. John Smith 19 Gold badge
        Unhappy

        @ Chris Miller

        "64% of US organisations don't even realise that there is such a thing as the rest of the world. When a US company tells you they have a 'global solution', they generally mean that it works in New York and Los Angeles (and probably Toronto, but we haven't actually tested that)."

        The MS ERP package (whatever they called it) is the shotgun wedding of systems bought from "Great Plains" of Fargo and a company called (IIRC) Navision.

        Both were bought partly for their user base but I watched the Navision system switch customer prompts between languages with a single field change at start up.

        Why? Because once you've saturated your home ERP market (Denmark or Norway, I forget which) if you can't adapt your software you're stuffed.

        Quite a lot of US software seems built more like a Ford pickup truck than a Toyota.

  4. Anonymous Coward
    Anonymous Coward

    @losing revenue

    We're moving away from all US based companies... mainly to demonstrate our displeasure, not because we 1) have anything to hide and 2) think it will make any difference.

    Each company gets a call from me and is asked "what is your company's position on our data in the US?".

    Companies that have had no answer have been:

    - Rackspace
    - Paypal
    - Amazon

    to name a few... As a non-US company based in Asia, we feel very strongly that our data has no place in the hands of US spies. Our way to fight this is in the wallets of US companies.
