It would appear from the recent news headlines that Blackberry has stolen Google's title as Technology Company That Is Most Likely To Annoy Governments. After China's much publicised spat with Google it appears that some of our more security conscious friends in the Middle East have decided that Blackberry's NOC locations are a little bit outside their reach should they decide somebody somewhere is doing something they shouldn't.
When we are talking about countries like China and Saudi Arabia it's easy enough to dismiss these concerns as control freakery. Less open governments than ours have been doing battle with the internet in one form or another ever since the thing went global.
But it isn't just generals and dictators that have an interest here. Many law firms (not perhaps always considered bleeding edge in their approach to technology) have been using cloud-based email management for some time now. Partly because it gives them a much better handle on their information – critical in their business – but also because it effectively allows them to use one country's data protection laws against another.
The US government for example can be pretty aggressive when it comes to seizing information assets and incriminating data, which is why companies providing email management to law firms tend to host this data in places like the Cayman Isles – where the US government can't touch it.
I am not in the business of hiding incriminating data (unless it's a receipt for something pointless and expensive of course). So why have I chosen this as the subject of my monthly rant? The reality is that the concern about where our data is actually held and how much control we might actually have over it is a major area of concern to anyone who is thinking about taking a leap into the Cloud – either personally or professionally.
The classic cloud model essentially means your solution provider taking all your stuff, such as applications, data and email, and putting it on a cloud server that could in theory not only be outside your data centre but thousands of miles outside that data centre. This isn't a problem when you consider the level of security we actually require around a lot of the information we generate. But if that data is either very personal (health records for example) or business critical then not knowing where it is or how it is actually being protected is real concern. In fact many would argue that security concerns are the biggest issue holding CIO's back from migrating to the cloud.
The fact is that migrating huge amounts of sensitive information to the likes of Google and Amazon would be a hard act to swallow for the biggest cloud evangelist.
In fact what would actually work for many is a sort of halfway house. An infrastructure that combines private (or shared) data centres with the flexibility of the cloud. That way you can put the less critical stuff out in the cloud while keeping a firm hold on the bits that are really important – sensitive data and mission critical apps. The techie term for this is private or hybrid cloud, but you could call it common-sense cloud. This solution gives you the flexibility you need but also the peace of mind that comes with a greater sense of control.
The flip side to all this of course is the argument that, if you pick the right vendor, there is a fair chance your data will actually be safer with them than with you. A friend of mine who works in the US was telling me the other day about his laptop mishap. A spontaneous drinking session with friends resulted in his laptop being stolen. Realising it had gone he found himself – for the first time in his life – praising the decisions of the IT department. Having moved to an externally run thin client cloud-based model, he was able to phone the 24 hour helpline and get the machine wiped remotely within a few minutes. I can't tell you who he works for but suffice to say it was probably a good a thing that the contents of his laptop didn't fall into the wrong hands.
In the end, it's the rigour of the structure and the management of cloud, that will determine how effective it is. The location of a specific application or set of data is not an issue. It doesn't matter how big and complicated the infrastructure gets as long as the controls are effective. This means getting the model right, defining the policies requirements and controls and then setting up an effect command centre - a central, unified and real time portal that allows you visibility, access and control.
It doesn't matter how in control you are. A good CIO will spend much of his time wondering if his supplier is taking him for a ride or his security is solid enough. Unfortunately there is no cure for that. It's just the lot of a CIO and I doubt this will change any time soon.