Cloud computing is growing by leaps and bounds in the US, but American cloud service providers are finding themselves at a disadvantage in the international marketplace. This is unfortunate – I helped to build the first large-scale implementation of modern cloud computing in 1999, and I did it right in Silicon Valley. It’s not a technology problem or financial problem that’s causing this issue for cloud providers. It’s a political and perception problem caused by a decade-old American law called the USA PATRIOT Act (Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001). This law was designed to give the US intelligence community easier access to electronic data in the US.
It should come as no surprise that people, and companies too, prefer to operate in a world where they have some level of control over who sees their private data. American cloud providers are required to adhere to the infamous PATRIOT Act, which means they are legally bound to hand over “business records” data to American government agencies that legally request it. In some cases, cloud providers may be forbidden to even speak of it or notify their customers of the government request.
The International Business Times recently covered the PATRIOT Act and wrote:
…Critics say the business records provision [of the PATRIOT Act] is the most insidious because of the sweeping powers they say it gives to gather large volumes of data. In an interview with Wired’s Danger Room blog, Sen. Ron Wyden (D-OR) said that provision is the one he is “extremely interested in reforming.” He declined to elaborate further.
Believe it or not, this affects tech darlings like Google and Amazon. In my work as vice president of cloud security for Trend Micro, I travel globally from my home base in Canada to speak at conferences about cloud computing. Whenever I am at a conference outside the US, the most frequent question I hear from IT executives is: “I don’t want to expose my data to disclosure under the PATRIOT Act. What can I do?”
Regardless of how often the US may actually take advantage of the PATRIOT Act, companies outside the US often believe they have something to fear by storing data in the United States. The truth is that governments everywhere have ways of getting to things that are important to national security, regardless of where they’re stored. But to make sure that your data is safe regardless of what jurisdiction your cloud provider is in, you should consider using policy-based key management with your keys stored away from your data. That means that anyone – government or not – who wants to see your data without permission has to brute-force their way into your data or legally ask you for the keys.
Like this blog post? Contact me on Twitter @daveasprey or comment below.