Ottawa risking data by keeping it local, says consultant

With the U.S. government insisting it has the power to demand American companies hand over customer data held by subsidiaries in other countries, a number Canadian enterprises and the federal government are demanding cloud providers assure that their data is held within the country.

For example, as it looks for private cloud companies to provide some services to Ottawa, Public Works is demanding any federal data be held locally and never leave the country.

But the co-author of a report for Google on so-called forced data localization says the data will end up being less secure with such strings.

“The Internet exists outside of the country you’re in, and any attempt to pretend otherwise doesn’t work out well,” James Arlen, the Hamilton, Ont.,-based director risk and advisory services for Leviathan Security Group, said in an interview.

“It doesn’t make a whole lot of sense when you’re saying ‘We’re going to keep our information safe within our political boundaries’, but your Internet boundary and your political boundary don’t match.”

Having data spread redundantly over data centres in several geographies ensures it can withstand physical catastrophes like earthquakes or regional power losses, one of three Leviathan reports issued Wednesday says. One failure the reports noted was the 2012 explosion in Shaw Communications Calgary data centre, which not only knocked out phone and 911 service in parts of the city, but also and IBM data centre in the same building that hosted government and private sector customers.

In 2008 a shipping accident in the Suez Canal caused Internet outages to the majority of people and businesses in Pakistan, Egypt, India, Kuwait, Maldives, Lebanon, and Algeria the report adds. “When utilized properly, cloud storage gives companies the ability to use resources in different geographic regions to ensure high availability even in the face of local/area/regional
incidents. Achieving this, however, requires taking advantage of geographical redundancy—ensuring that data is replicated not just across a city, but across a continent or an ocean.”

Unfortunately, it argues, many companies treat cloud providers like colocation facilities, storing all their data in a single region.

Another report argues that a time when experienced infosec staff are in short supply international cloud service providers and not enterprises have the muscle to hire the best security staff.

Some enterprises also insist on national data residency as a way of protecting from the reach of other countries’ law agencies, and as a way of getting better public relations. That’s led to a number of vendors, like IBM and Rogers Communications, to build local data centres in the hopes of getting business.

It’s a “false patriotism,” to restrict data to being held here, said Arlen. In essence companies are saying ‘In order to be Canadian we’re going to be second best — we have no interest in being best,’ he said.

Some highly sensitive federal data should be restricted to Canada, he admitted. “But anything short of that there’s no reason why it shouldn’t be hosted by the best and the brightest”of cloud providers.

The report on data residency doesn’t directly deal with the argument that governments are insisting on local residency to keep data from falling into the hands of U.S. law enforcement agencies using American law.

Asked if in that sense data security would be improved for a country’s data, Arlen disagreed. “It creates this false sense of security that nobody can spy on it (data) because it never leaves our borders,” he said, and referred to revelations about the U.S. National Security Agency.

When it was pointed out the NSA doesn’t use legislation to get at data held in other countries, Arlen said there’s little difference. The attempt by the U.S. government to force Microsoft Inc. to hand over email held in servers in Ireland is a U.S. Drug Enforcement Agency investigation, he pointed out.

Leviathan, headquartered in Seattle, was hired by Google Inc. to report on three questions: Whether the movement to limit cloud services  makes the data they hold safer, whether there are enough infosec experts for organizations to hire themselves to protect data or should it be left up to cloud providers, and whether cloud services are less expensive than holding data on-premise.

“Using a cloud provider as though they were a local datacenter provides no protection from incidents that impact availability,” one report concluded .

On the question of whether cloud services save money Leviathan concluded “a qualified maybe,” Arlen said. There are costs of cloud many studies don’t include such as added bandwidth, he said. On the other side on-prem studies don’t include the cost of hiring talented staff.

Arlen acknowledged that as a cloud provider itself, Google [Nasdaq: GOOG] has an interest in a report that urges organizations not to restrict themselves to domestic data centres. But, he added, it had no input into the writing of the reports.