During a recent conversation with Adrienne Hall, General Manager of Microsoft’s Trustworthy Computing operation, she told an interesting anecdote about the Japanese earthquake and tsunami that was intended – successfully, I might add – to demonstrate the effectiveness of the company’s Trustworthy Computing capabilities, and in addition show the power of the cloud as a deliverer of salvation.
It is, however, a source of salvation that seems to run smack into one area of legislation and regulation that could yet be one of the cloud’s major stumbling blocks – governance issues over where data is stored and processed.
This in turn prompted an idea that could combine one of the older tools of conducting international business and the full capabilities of cloud technologies.
First, however, a little recap on the story. Microsoft’s Japanese datacentre is located a goodly distance from the epicentre of the earthquake, and beyond the range of the devastating tsunami that followed. It survived the initial earthquake, but soon started to suffer with the aftershocks.
The decision was taken to temporarily move the contents of the datacentre to a west coast USA location, a task with Hall’s team achieved both quickly and cleanly. So as an example of disaster recovery/prevention and business continuity capabilities, it is certainly one of the best.
Yet by moving not only its own services but customer services as well to the US west coast it obviously had the potential to put some businesses at legal risk. Any business with a legal or compliance requirement to have data stored – and possibly processed as well – in a specified geographic location could find themselves in a double bind. They either demand that their service is not moved to a safer location – and risk having the business buried – literally – or they do allow the movement, and risk finding themselves in court.
Yet there ought to be a way of achieving the ability to move the physical location of data, especially in the face of a natural disaster such as occurred in Japan, while maintaining the integrity of the storage and processes associated with that data as though it had not moved.
Why not, then, something equivalent to the Bonded Warehouses commonly used by any business importing products that are subject to taxation? With these, those products can be here physically while not being here at all, legally.
With the cloud it should be not be beyond the wit of man to create a solution where a partitioned, isolated and highly secure corner of country X’ can be inserted into a datacentre located in country Y’. In that way, a business headquartered in country X’ could establish a new branch office in country Y’ and have the local data stored, managed and processed in that local country, despite facing the rigours of compliance and governance legislation which says otherwise.
Given the fact that the vast majority of datacentres run commoditised hardware and system software, regardless of where they are in the world, all that would be needed is the specific security and applications environments to be installed to have a virtual anywhere’ located anywhere else’. Add in, as part of the package, sufficient process policy management, monitoring tools and operational auditing and it should be possible to create an environment with enough belt-and-braces security and management controls to satisfy most lawyers.
The icing on the cake could be that the regulatory authorities of country X’ could then validate the virtual environment and, once approved, it could be installed anywhere – or at least in a subset of specified and approved geographic locations or even service providers.
Let’s face it, just because the data is stored on-premise in the building specified by law, it doesn’t necessarily mean it is secure, or safe from the temptations of da management’ to take the opportunity to refine’ some of the data. So the virtual bonded country approach might well be a more visibly secure alternative.
It would also be a really good service for many of the service providers to offer. Indeed, it would seem to be ready-made for the biggest, globally’ based providers – or at least those with serious global pretensions.