Worried about cloud safety?

How secure is your data?

Three ways to ensure your data stays in your home jurisdiction.

Cloud computing is highly attractive to businesses of all sizes because it allows them to use technology without having to pay for servers to run it. Buying computing services from professionally run IT companies is often cheaper, more secure and more flexible than buying and maintaining your own collection of servers.

But plenty of business owners are still reluctant to trust a third party with the computer systems that underpin a business. From NSA wiretapping to the outsourcer’s own staff, it’s hard to overcome the feeling of a loss of control when your precious data is flying around the internet, often to overseas data centres. Also, government regulators have ruled that some types of information, such as medical data, must not leave Australia.

Cloud computing specialists are divided over the importance of data sovereignty or data residency. 

“Some users are very well addressed of the issues, others are still learning,” says Aidan Tudehope, managing director of hosting at Macquarie Telecom, an Australian technology and communications provider. 

“There have been very strong statements from the European Union and the Netherlands that data must stay in the country. They have been debating it with greater depth and for a longer time than in Australia.”

“Security of the data is the primary concern and as long as your systems are secure and meet those requirements then data sovereignty is less of a risk,” says Andy Pattinson, sales director for Cloud Sherpas, a global IT consultancy working with governments and enterprises. 

It is still possible to use cloud computing while keeping your data onshore. Below are three ways to ensure your data stays in Australia.


1. The cloud is coming to you

The giants of cloud computing are slowly opening up data centres in Australia. Amazon Web Services, the world’s largest virtual-server provider, opened a Sydney data centre for Australian customers in November 2012. Apart from virtual servers available for several cents per hour, businesses can also back up data and archive old files for 1c per gigabyte a month – cheaper than backing up to tape.

Amazon competitor Rackspace is also looking to open an Australian data centre, with rumours that Google and Microsoft are not far behind. The latter two offer cloud productivity suites that contain applications for creating and sharing documents, spreadsheets and presentations, as well as online file storage and communications tools. 

Some business owners will be satisfied that while there is no longer a server blinking away in the corner of the office, at least the data is still in Australia and subject to Australian laws.

2. Encryption within the cloud

Cloud computing is quickly becoming the default way of buying applications, even for the largest companies. While cloud software (or software-as-a-service) uses sophisticated security techniques such as bank-grade encryption to protect customer data held within their systems, enterprises are looking for greater control.

Encryption requires one organisation to hold the keys that encrypt and decrypt the data. When cloud software companies encrypt your data for you, they retain the keys and can decrypt it themselves.

Several security companies are giving businesses the ability to encrypt their data before it is sent to the cloud so that cloud software companies can’t read it. Enterprises prefer this approach because they retain the encryption keys and the responsibility for encoding and decoding the data.       

The encryption server sits in a company office and acts as a gateway for all data passing from the internal network to the cloud.

Government agencies in the US and Australia can legally request data held by IT companies, including cloud computing vendors. But if the data is encrypted by the business first “the cloud provider can’t turn it over to the government because all they’ll see is gibberish,” says Paige Leidig, senior vice president of Ciphercloud, an encryption vendor. 

The technology is relatively new and it doesn’t work with all cloud software, but major programs such as Microsoft Office 365, Google Apps and Salesforce.com are covered.

3. Trusting in tokens

In theory, encryption can be cracked by using a very powerful computer or network of computers to reverse engineer the algorithm. (Some perspective: computers powerful enough to defeat today’s encryption have not been invented yet.) 

An alternative to encryption is a newer security technique called tokenisation. This process replaces data such as credit card information, a birthdate or address with a token. 

There is no underlying relationship between the token and the data itself and therefore no key or algorithm to reverse engineer, says Mike Morrissey, chief technical officer at Perspecsys, which sells tokenisation software.

In theory, encrypted data can be hacked by conducting a “brute force” attack which generates millions of passwords in an attempt to find the right one. While it would take thousands of years to crack bank-grade encryption with today’s computers, governments are trying to create quantum computers that could crack encryption in a far shorter time.

Tokens are better suited to meeting regulatory restrictions on moving data overseas, Morrissey claims. 

“With tokens, the data isn’t embedded in there somehow. With encryption it is. The risk is out there with encryption, especially if you don’t use strong techniques. You can’t brute force against a token.”
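The gateway and token approach described in sections 2 and 3, sketched as an added example that is not from the article or from any vendor's product: sensitive fields are swapped for random tokens before a record leaves the internal network, and only the onshore vault can map them back. The class, function and field names and the `tok_` prefix are assumptions made for illustration.

```python
import secrets

# Field types the article names as candidates for tokenisation.
SENSITIVE_FIELDS = {"card_number", "birthdate", "address"}

class TokenVault:
    """Lookup table held onshore; the only place a token maps to a value."""

    def __init__(self):
        self._by_token = {}   # token -> (field, value)
        self._by_value = {}   # (field, value) -> token

    def tokenise(self, field, value):
        key = (field, value)
        if key in self._by_value:          # reuse, so the cloud app can still match records
            return self._by_value[key]
        token = "tok_" + secrets.token_hex(16)   # random: not derived from the value
        while token in self._by_token:           # regenerate on the rare collision
            token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = key
        self._by_value[key] = token
        return token

    def detokenise(self, field, token):
        stored = self._by_token.get(token)
        if stored is None or stored[0] != field:
            raise KeyError(f"no {field} token {token!r} in this vault")
        return stored[1]

def outbound(vault, record):
    """Gateway step: swap sensitive fields for tokens before the record goes offshore."""
    return {k: vault.tokenise(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def inbound(vault, record):
    """Gateway step: restore real values in a record coming back from the cloud."""
    return {k: vault.detokenise(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

# Constructed sample record (not real customer data).
SAMPLE = {"customer_id": "C-1001", "card_number": "4111111111111111",
          "birthdate": "1980-02-29", "address": "1 Example St, Sydney NSW"}

if __name__ == "__main__":
    vault = TokenVault()
    cloud_copy = outbound(vault, SAMPLE)
    print("stored in cloud:", cloud_copy)
    print("restored onshore:", inbound(vault, cloud_copy))
```

The vault now holds every sensitive value, so it needs the same access control and backup discipline the original data had.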

Sholto Macpherson is the editor of cloud software news site BoxFreeIT.com.au.

October 2021