Friday, March 13, 2009

Governance in the Cloud – who and how?

On one side it is very attractive to put data and processing into the cloud and avoid the costs and problems of scaling your own IT up (and down). But there are some questions that need to be asked (and solved) before mission-critical data and functionality can be moved outside a controllable environment:


  • Who guarantees Data Security (and how)?
  • How are SLAs controlled and enforced?
  • Which law (i.e. which country) will apply?
  • Who will make sure the law is enforced (and how)?
  • What happens if the provider goes insolvent?
  • What if the provider is acquired (and HQ moves to a different country)?

As technology moves much faster than regulations and laws, there is a lot of uncertainty involved at the moment. As long as my datacenter resides in Germany, German law will apply and the CTO is (kind of) responsible for compliance with the respective regulations. Even if the IT is outsourced, the company providing the hosting services is responsible and can be sued. In a Cloud Computing scenario, my data is theoretically distributed all over the world, which raises the question of which law applies and who is responsible for it.

Some of the data might reside in China or India while it is processed in Europe or North America. What if a country changes its laws unexpectedly, or the company providing the cloud services is acquired or becomes insolvent? The missing control could easily bring a business down when it relies on cloud services that no longer deliver, or when mission-critical data is inaccessible for a longer period.

Outages of Amazon's Cloud Services or Google showed that this scenario is not so unrealistic and the risk is rather high. But what to do when cost reductions leave no option other than Cloud Computing? What rights and possibilities do people and companies have if the provider of cloud services abuses my data? How would I even know where my data is and how I can get access to it?

