Cloud vs. Regulators – Who wins?

With the arrest of the  German national Kim Dotcom (aka Kim Schmitz)  – Owner and operator of the widely used site in Auckland, New Zealand, on 20 January 2012 in a raid requested by the US Federal Bureau of Investigation, should raise some obvious and interesting questions in relation to the Public Cloud computing – or is it just business technology in action?

Cloud and the Flat Earth

At the heart of this event are the concepts of multi-tenancy, jurisdictional law and risk.

Public Cloud  can be somewhat analogous to a large block of apartments. Your business’ systems share the block with a number of other tenants.  All’s well until the owner of the block of apartments falls seriously foul of a law, whether that be in the legal jurisdiction of your State / Province / prefecture or Country, or even an foreign Country.  In the latter case, all that is needed is the existence of formalised cooperation treaty between countries to have you somehow treated as collateral damage. All of a sudden you are impacted by events that are totally outside of your control.  Not your typical ‘IT Disaster’ such as fire in your data center (hosted or in-house) – a potential disaster, nonetheless. This becomes more complex in a cross-platform hybrid cloud.

In my book “Navigating through the Cloud” I raised the obvious question:

What statutory rights do foreign (or local) regulatory and security agencies have to demand access to your Cloud provider’s system? If your provider is served with a siezure warrant by statutory authorities, what are the implications for your organization? – Page 155, Question 15.7

If your Public Cloud providers’ infrastructure is based on the principle of multi-tenancy, and most are, this means that if your next door neighbour in your Cloud is a real ‘baddie’, then there is a risk that the provider will be shut down. The regulatory agency will not have the time, resources or concerns about others in the provider’s infrastructure, so they could well shut down the whole service, as they have done in this instance. Another question to ask is whether your IT consulting firm would just be sitting on the sidelines, unable to assist?

This small, but critical element of your Cloud assessment and due diligence should not be glossed over.  You never know, your next door neighbour in the Cloud could be.