Don't leave home before you've seen the country

Blog author: Sean McDonald (Former ICONZ CEO)

Data sovereignty: the MANY risks AND PERILS of assumption

An IRD alert to New Zealand businesses warning that "only records stored in New Zealand-based data centres comply with record-keeping obligations" highlights some lax attitudes towards cloud vendors. Now then, before you step on the boat and head offshore for cloud computing services, take a careful look.

A worrying trend in cloud computing is the way providers cloak themselves in secrecy with customer security and privacy as an excuse. They store third party data behind a virtual wall that enables their customers to select server capacity and pay for it by credit card or some other means, but aren’t always upfront about where your data will be hosted. In my opinion, that detail is so important it should be known to both parties.

By now, almost everyone knows cloud computing democratises technology and enables business transformation. But your process for selecting a cloud service provider should be as rigorous as choosing a vendor for any other IT implementation. Don’t be lulled into a false sense of security by those who say the beauty of the cloud is that you don’t know where your information is. Baloney!

IRD says... blah blah blah... pay attention though!

The Inland Revenue Commissioner’s recent alert about cloud computing turns the spotlight on customer attitudes to the cloud and the need to be clear about where your data is stored, if for no other reason than to fulfil your organisation’s legal obligations.

The purpose of the Commissioner’s alert was to inform businesses that only financial records stored in data centres located in New Zealand comply with the record-keeping obligations of the Inland Revenue Acts. The IRD says it’s concerned the use of cloud computing may mean businesses are not meeting those obligations.

Section 22 of the Tax Administration Act 1994 (more blah, blah) says New Zealand businesses have to keep sufficient records in New Zealand to enable the commissioner to readily ascertain information about their tax affairs.

Now then....

My advice to businesses evaluating cloud providers is to seriously consider hosting all intrinsic information — such as financials and intellectual property — with a New Zealand provider. But of course you would say that, Sean! Well, as a once business owner of many years and now CEO of ICONZ, I certainly would not be comfortable hosting that information outside New Zealand. I’d want to go further than seeing a website with a few photos and a verbal assurance that my data will be stored onshore before choosing a provider. No question about it.

Cloud providers may give their customers the impression that they’re hosting their data onshore — and may indeed do that for a time — but this industry changes quickly. How can CIOs and IT decision-makers ensure their data remains within national borders in the long term?

Make your service level agreement count

Enter negotiations with an exit strategy: If you give your data to this provider, how will you get it back? What happens if it goes out of business? What happens if you want to switch providers? You might not be parting on the best of terms, so who actually owns the data in the event of a termination? Be sure there’s a clause that makes this clear. Some agreements go so far as to change ownership of the data.

It’s impossible to guarantee the physical location of your data without entering into a service level agreement (SLA). In many cases, cloud providers work on a “best efforts” principle, and that isn’t good enough. But even an SLA is useless unless monitored and reported on regularly.

Remember, too, that unless you’re a large organisation or government agency, SLAs with overseas providers are largely unenforceable because the cost of mounting a legal campaign against them would be prohibitive.

Be clear about the warranties in the SLA regarding provider liabilities in respect of your data. If your provider merges with an offshore company, your SLA has to protect your information and explicitly state where it is to be held in the future.

Don’t leave anything to chance

As reported recently in Computerworld, members of InternetNZ discussing the IRD’s alert have expressed concern that moving financial data to New Zealand may not be effective or efficient for businesses with overseas customers. Yes indeed.

But what controls do companies with offshore cloud providers have over the end use of their information, the resilience of the data centre, its employees and the rule of law in the jurisdiction that would apply to any conflict that may arise?

The questions you’d ask of a prospective provider should be no less rigorous than those you’d ask about an on-premises system. If you were about to invest in a new system you’d undertake due diligence upfront. CIOs shouldn’t stop applying the level of rigour they customarily apply to projects just because cloud is the trend of the moment.

Don’t leave anything to chance. For example, don’t assume data in the cloud is automatically backed up or that it’s stored offsite. Ensure your data remains secure in the cloud by evaluating how the provider’s backup routine works, whether backups are stored offsite and what their business continuity plans are. You should be able to select data retention policies in your SLA.

The reputation of your provider is probably the most important factor. Do the research. It won’t take long to identify a shortlist of three providers. Trust is a critical factor in cloud computing success. You might decide to commission an independent security audit.

One benefit of choosing a New Zealand provider is jurisdiction. Your SLA is enforceable under New Zealand law and, typically, there’s a better match between the resources of both parties to the agreement.

Meanwhile, the IRD has cautioned that if taxpayers are thinking of using cloud computing services they may need to obtain an assurance from their service provider that their data will only be stored in New Zealand data centres and be able to guarantee availability of their financial records.

Cloud infrastructure in New Zealand is currently limited. Many New Zealand providers use overseas data centres to host their customers’ information.

AND NOW FOR THE PLUG......but of course!

ICONZ not only hosts its cloud infrastructure and backups exclusively in New Zealand but also retains direct control by managing its own onshore data centres. Customers interested in our cloud computing service VERSA can interrogate the credentials of our staff. Many if not most cloud providers do not provide that level of transparency.

What we’re doing may be a departure from the international trend of secrecy around cloud services, but I would urge you to subject all cloud providers to this level of scrutiny. Where your data is held should be stipulated in your SLA not only to pacify the IRD. Demand that your data be held in New Zealand for your own peace of mind, and hold your provider to it.

Working in the cloud brings organisations real, tangible benefits, but it also raises questions, and it pays to ask them. Don’t rely exclusively on what one vendor says: there are enough independent consultants and cloud experts (sad but true!) in New Zealand who can provide you with sound advice. Engage with the cloud community to make the right decision and remember the old advertising slogan... Don't leave home before you've seen the country... and ICONZ, of course!

Comments

The robustness of cloud computing service in a disaster

What precautions and practices do you have in place for a 9.00 earthquake and subsequent tsunami?

Disaster recovery in the cloud

A very good question indeed. ICONZ have both onsite and offsite backup solutions for our VERSA Cloud offerings. We all know of course that a backup is not much use though when the production platform is no longer in existence, which is a possibility in the event of a 9.0 quake and tsunami. ICONZ do have a new service launching in May 2011 which will provide Cloud clients with the added option of geographic resilience both local and international across replicated cloud infrastructure via our three CloudCentres (Sydney, Singapore and Auckland).
