Working in Sweden, home of successful cloud pioneers like Skype and R&D hub for Spotify (and of previously not-so-popular cloud startups like Pirate Bay), I have noticed that there has been a lot of debate in the Swedish press lately about security in the cloud.
Who owns what at what time, and what happens to data if a cloud company goes bankrupt? One of the reasons for the debate is the decision by one of the Swedish government organizations to use cloud services, with most of the discussion relating to how extremely critical and sensitive information about the country’s national safety can be protected securely.
Firstly, I believe that it’s important to define cloud computing. Secondly, it’s a fact that there is better security in the cloud than the average company can normally establish itself.
So the question being asked by everyone, from the family uploading pictures to Apple’s MobileMe service to Swedish citizens concerned about their rights, is what happens with the data during the transfer to the cloud, and who owns the data? What laws protect the data where it’s stored, and in what country? If the cloud company is acquired, what happens to the data? Can it be transferred to the new company, in a new data center, perhaps located in a new country?
To keep data secure in the cloud, a master key or back door to get to the data in any form should never exist. There is little proof that any of the cloud vendors have this under control today.
At my company, our customers often ask us if we can issue a company master key; if so, it is only ever created once. The maintenance of and access rights to the key are transferred directly to the customer, and any renewals are only sent to the company address.
I believe that data security and ownership will continue to be an interesting and developing debate to have in business going forward, because the answers our customers have to these questions will dictate how we drive development of our cloud services. On a positive note, this is an open debate, and clearer definitions will simplify the process.