For the last few years, companies have talked to me about their concerns and fears around cloud security, particularly public cloud models. Yet we've now reached a point at which drug companies are running drug trials in the public cloud, the government is beginning to leverage the cloud, and providers like Amazon Web Services can demonstrate that their cloud is actually more secure than an enterprise's individual data center. After stripping away the emotion and almost-religious arguments about where data should be, it's clear that concerns around security are more of a perception issue than an actual problem.
Rather than easing up, however, security conversations have raised a new concern: data sovereignty. Essentially cloud security plus politics, data sovereignty regulations require that companies keep confidential data in its country of origin, or severely restrict housing it outside that country. In most cases, each country designs these laws independently and tailors them to itself, similar to the way a nation has its own currency. Created to protect citizens, these requirements represent a huge barrier to the public cloud. Some nations are working together to overcome this obstacle – for example, the United States and the European Union established the Safe Harbor Act – but, in general, much of the world is still struggling with the issue. In Canada, for instance, some laws require that data not just stay within the country, but within specific provinces and territories.
“We're three to four years away from a solution that can work on a global scale...”
– Joe Coyle, VP and CTO at Capgemini U.S.
As a whole, data sovereignty has created a cloud Catch-22. Cloud is supposed to simplify the procurement of IT, cut costs and deliver flexibility. But for a company that is looking to leverage the public cloud on a multinational scale – which, in my experience, is most – costs can easily go up and flexibility down. Enterprises facing this regulatory challenge will have to embrace the hybrid cloud, find a way to work with multiple localized cloud providers, and roll up this data in a way that satisfies all of the various regulations around the world.