There’s been a lot written in the last couple of weeks about the demise of the Safe Harbor agreement between the EU and USA. If you believe the more biased posts on LinkedIn and twitter by various [EU-based] cloud hosting companies and consultancies, it’s now illegal to put your data in the USA. Period.
Of course, this is scaremongering. It’s not illegal to put your data anywhere, prima facie. Whether it resides in the EU or the USA doesn’t really matter – the onus is on a data controller to ensure that the protections afforded to that data are in keeping with the data subjects’ legal requirement to protection of their personal data. Put simply, if you hold data on EU citizens, you have to protect their data to at least a certain minimum level. Where you do that is largely irrelevant.
Where it gets a bit murky is around your hosting provider’s obligation to do the same. Safe Harbor was an undertaking by US-based companies that they’d adhere to a higher standard of care than US law required in order to meet EU requirements; in essence, a “scout’s honour” promise that although they’re not in the EU they’d behave as though they were. Crucially however, for the European Court of Justice, the same obligation did not exist on US public bodies. If the NSA, CIA, FBI, DMV or any other government body wanted to read your data they are able to adhere to the US’ (much weaker) laws on privacy – and if the data’s hosted with a US-owned hosting company, then the US government can compel them to hand over whatever they can.
And therein lies the devil in the detail. The government can force disclosure of whatever the hosting company can provide.
If you’re storing your data, unencrypted and open for anyone to read, in the USA then it’s a safe bet that anyone in the US government can read it should they so desire. This, quite clearly, breaches the EU’s requirement to privacy for that data – and so the ECJ struck down Safe Harbor on the grounds that merely putting the data on a server owned by someone who promises they won’t read it is largely meaningless. But, as we’ve seen in the news this week, if you’re storing your data unencrypted and open for anyone to read in the EU, it’s still a pretty safe bet that anyone who wants to can read it. Not just the US Government – they’ve got better things to do than go after the details of #TalkTalk customers and their bank accounts. Anyone.
If, on the other hand, you’re storing your data in a (safely) encrypted form, you’re not storing plain-text or weak-cipher versions next to it (#AshleyMadison subscribers can tell you all about this one) in the same table, and the keys to your encryption are closely guarded then it’s about as safe as it’s going to get. It really, really doesn’t matter where you put it – whether it’s unreadable in a datacentre in Ireland or Idaho, it’s still unreadable to those who shouldn’t have access to it. And voila – suddenly, you don’t need Safe Harbor after all because you’re safeguarding your customers’ data yourself rather than relying on someone else to do so for you.
But… isn’t it worth choosing an EU provider just to be on the safe side?
Well… probably not.
In the same month as all the Safe Harbor fuss has been dominating discussions about cloud, HP have (fairly quietly) announced that their public cloud offering (Helion) will no longer accept new customers onto the platform, effective this month. More terrifyingly if you’re an exec who’s already signed off on a move into the cloud and plumped for HP, they’ll turn off what you already have with them by the end of January 2016. That gives you just four short months (of which one is December, hardly the western hemisphere’s most productive month of the year) to migrate your data from HP’s cloud to one of it’s “selected partner clouds” – basically, #Azure or #AWS.
HP has heavily invested in OpenStack – an effort to reduce the proprietary nature of cloud computing and enable easier vendor swapping – and the logical choice for moving their content was RackSpace, who are pretty much the only other significant OpenStack provider. That RackSpace isn’t HP’s partner of choice is a telling indictment of OpenStack’s biggest weakness – the stack on which your cloud operates is far, far less significant than the scale of the provider running it. Conservative estimates put HP’s cloud at 300Pb of data. That’s really quite a lot.
Microsoft and Amazon don’t publish figures about their total storage capacity, but it’s pretty safe to assume it’s well into the multiple-Exabyte range. Another few hundred petabytes is a nice jump in consumption, but it’s not an order of magnitude increase on the current infrastructure. Compare that to some of the smaller cloud providers; Backblaze is growing at around 3Pb/month in total storage capacity – taking on HP’s data load would mean 100 months’ worth growth in a single quarter. It’s pretty safe to assume RackSpace and HP (who already have a working relationship via their OpenStack people) mutually decided that 300Pb is just too much to bite off in one go.
The big four cloud providers (AWS, Azure, IBM & Google) now account for more than half the world’s total cloud spend between them. A year ago, it was 46%, and a year before that, 41%. In 2013, the big four earned about $1bn from cloud operations while everyone else collectively raked in $1.5bn. By 2014, the gap had closed a little, and this year Amazon and Microsoft alone have seen revenues almost equal to the combined total of the “not big four” rest of the market. Add in IBM or Google (who together generate about the same revenues as Azure does alone) and you’ve got a majority of the market share from just 3 of the big 4.
It’s this massive lead over the rest of the market that gives the big their huge advantage in terms of buying power, reach and scalability – and it’s this massive lead which means that choosing a cloud provider other than the big four is a risk which needs to be weighed up against the other factors in a cloud-hosting decision. Tie-in is a problem if the vendor you’re tied in to decides that actually, being a small player (and let’s not forget that HP generated $111bn in revenue and $7bn in OI in 2014 – they certainly could absorb the cost of being a large player) in the cloud market just isn’t worth the hassle.
Safe Harbor made the news this month because it’s consumer-facing – it involved Facebook, and a David-and-Goliath style “little guy against the big corporation” fight. Storing data outside the EU (or inside it, but on US-owned providers) does add an element of extra risk and responsibility, but it’s a pretty small one. Picking an EU-owned provider won’t make your life that much easier from a privacy perspective, and it might just make your life a great deal more difficult if your cloud provider goes the way of HP.