Where is YOUR data?

I posted recently about the increasingly positive news that cloud email providers have been gearing – large scale rollouts, more consumer acceptance and adoption by enterprise all point to a growing validity of the model.

My post, and some conversations I’d been having prior to it, kicked off a storm of correspondence including this email from a traditional IT provider (anonymous for obvious reasons);

Privacy is another major concern. Are you certain the data you have on those servers is not being trawled through by Google? Actually, that’s a rhetorical question. It IS being trawled through.
"Information collected by Google may be stored and processed in the United States or any other country in which Google Inc. or its agents maintain facilities. By using Google Desktop you consent to any such transfer of information outside of your country." I wonder what "processed" means? I guess you could ask Google for a definition, but I’d bet you could drive a bus through it.

"Google reserves the right to modify these Terms and Conditions from time to time in its sole discretion, without notice or liability to you." So they can do what they want with your data, without telling you. But you trust them, right? After all they have a Privacy Policy: "We may combine personal information collected from you with information from other Google services or third parties to provide a better user experience, including customizing content for you."

"Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country." So your personal info gets spread far and wide, even if it is with apparently good intentions. I have no problem with Google/Amazon et al, they produce some great software, I’m sure their security teams are as good as anybody’s, and we use some similar technologies ourselves (in more controlled environments). But if you ask me, storing your _important_ data on a server you have NO control over, using applications you can’t control the deployment of, and publicly accessed using an exploitable interface (web browsers) is placing too much trust and responsibility outside your own organisation.

I’m not even going to try and convert the correspondent, he obviously has some deep seated distrust of cloud vendors that may prove insurmountable. But looking past the rhetoric, his last statement, viz a vis location of data, got me thinking.

Recently I was made aware of a new Government initiative involving the provision of software products for small businesses. Apparently part of the requirements of the RFP is that the data had to be domiciled here in New Zealand. This precluded a number of otherwise completely suitable applications merely because they’re hosted (in this case) in the US. My correspondent alerted me to a communication that intimated that;

all RFPs in government at this time are coming out with requirements for data to be domiciled in New Zealand, so unless this is fixed [local software vendors who host offshore] will not be making any sales in the public sector …

Clearly it’s going to be more of an issue going forwards. At the recent Enterprise 2.0 conference in Boston, much time was spent discussing the privacy ramifications of enterprise social software. This discussion was made more complex by the huge variance in privacy requirements between (for example) the US and Europe. Add into the mix jurisdictional issues and government requirement regarding the domiciliation of data and there’s a huge challenge… and a huge opportunity,

Already we see cloud computing providers having the ability to shift chunks of data based on such diverse issues as spot electricity prices, climatic conditions, load balancing issues and the like – it’s not a far stretch to imagine providers offering geographic choice of cloud hosting as an option.

An accounting vendor, for example, could choose to have the databases which contain financial records only stored in one geographical location, while non-sensitive data can be stored wherever the cloud provider sees fit. In the same way that customers can pay extra for higher SLA levels for example, so too should they be able to pay extra for geographic specificity.

We’re rapidly nearing the point where cloud vendors need to appreciate the fact that customers have specific requirements and higher levels of customer satisfaction, increased revenue and higher uptake for cloud computing will come when those requirements are met.