Blog Post

Cloud? Chotto Matte Kudasai.

If you're not familiar with Chotto matte kudasai, it means "A moment, please," in Japanese. The cloud is big news. It is big news at the PASS Summit. It has been big news for quite some time. Folks are pushing hard to get you into the cloud. However, there are a couple of issues that cause me to pause. The first is well described in a recent article from InfoWorld. Here's a great quote:

"That means law enforcement doesn't need a warrant to access emails from 180 days ago, or emails and other data stored in the cloud, experts said."

You read that correctly: if it's in the cloud and it's over 180 days old, law enforcement doesn't need a search warrant to get access to the data. That's not the only risk. Another is the seizure of assets at your cloud provider of choice because of a different customer, which cripples you. This happened to Liquid Motors in 2009. When LM tried to obtain a restraining order against the FBI, the judge sided with the FBI. An applicable quote from this article is:

"If the court upholds that servers can be seized despite no direct warrants being served on the owners of those servers (or the owners of the software and data housed on those servers), then imagine what that means for hosting your business in a cloud shared by thousands or millions of other users."

Law enforcement has a tough job and I understand that. Law enforcement is also frequently under-staffed. So if you think about them putting their best foot forward in every case (in other words, no one on a power trip and no one trying to be malicious), given the limitations they deal with, they don't really have the option of going through and checking every system on the spot, declaring it clean or pulling it because it looked suspicious. Think about the manpower required to do that, especially in a cloud provider. But they need to protect any evidence that could be on these systems, which means they may take an overly broad hand in what they seize. And unfortunately, that could be the systems your data is hosted on or that your business processes run on.

The current laws don't protect organizations that want to put their data or business in the cloud. The only applicable law I've seen cited is a privacy act from 1986. Obviously, it is very much out of date. There are folks trying to get the law updated, but right now, if you want to use the cloud, consider your exposure. Ensure you've got the ability to recover if those computing resources are ripped out from under you. And determine what data you can push up to the cloud, given that 180-day-old window. That's not to say the cloud isn't a viable solution, but like every other solution, you've got to consider the applicable risk. These are the not-so-well-known ones.

 
