Tag Archives: Privacy

Now this was a fun show to record, talking to a real-world cloud architect at one of Holland's leading new technology companies, Schuberg Philis, who sponsored the Cloud event we've been attending this week.

Funs is one of two members of their architecture team tasked with helping companies in Holland, in Schuberg Philis's growing portfolio of customers, to get to cloud safely, navigating governance and privacy regulation and ensuring their workloads and data are successfully transitioned to cloud.

Hope you enjoy the show. More to come later if I still have power and bandwidth to get them out before my flight back to the UK.

 Download the podcast in MP3 format here - or alternatively browse the RSS.

Please be under no illusions. This latest podcast is a big deal. It's also a bit of a coup. Tackling difficult topics in Cloud from a vendor neutral perspective is always hard. This podcast takes one of the most difficult topics that can sometimes cause Cloud ambition to stumble, and addresses it as best we can in the short format I bring you weekly.

Nobody likes wondering what's in your average sausage, never mind talking about it. In much the same vein, nobody really likes talking about Cloud and the law. No matter where you are globally, this affects you directly, and it is another reason why you should be listening in to my shows, if you aren't already.

So joining us today is Kuan Hon from Queen Mary University in London. Getting her on a podcast was a dream come true. I've read her papers and her analysis and views on Cloud and law for so long now, and she's a heavyweight who knows her topics inside and out. A qualified attorney in the US and solicitor in the UK, she's taken time out to go and do her PhD and also write a great blog, speak at events (including Defcon) and carve out a reputation as the eminent go-to person on everything Cloud and law.

Do take time out to visit her blog and also visit the QMUL Cloud portal to read some of her published papers, which further add credence to her ability and reputation and also demonstrate why I worked hard to get her on a podcast to talk to you. From the House of Commons to Microsoft, from Forbes to the European Union, Kuan is taken very seriously as a voice of legal common sense and authority. Her papers, both in her own right and as a co-contributor, continue to shape and influence the ability of law to pervade Cloud sensibly and with clarity. You can read selected papers she's written on every aspect of Cloud law and contract law within Cloud by visiting this link.

It has taken walking over broken glass to get it out the door. Recorded in the offices of Red Hat in London a month ago, this podcast has been through legal review and internal review at Red Hat to get it out the door. My public thanks go to Michael Cunningham, Chief Legal Counsel at Red Hat, and to his team, and to David Perry especially for taking time out of his diary to work with me to get this to release.

Remember: This podcast is two geeks talking, it does not constitute in any way any legal advice. You should always consult your attorney or company legal counsel before taking any action that potentially impacts you or your data, your company data or assets at risk by way of contract or exposure. However, at least with this podcast you know where to go to ask the right questions.

Enjoy the podcast - come back next week for more great content. For now I'm taking a few days off to celebrate with my wife and family the second birthday of our eldest son Christopher so I'm going to leave you with this podcast and disappear into the ether.

Download the podcast here in MP3 format only

Over the last two and a half years it's become clearer that, despite best efforts, there has been a bottleneck in the European Union's ability to leverage its influence in the development of new methodologies for increasing technology consumption or investment in EU cloud.

The clue to the problem lies very much in the lack of credible underlying support that surrounds the European Commission's cloud strategy that emerged in September 2012, which I've talked about here before. Their stated aims to increase the spread and adoption of Cloud Computing in EU states were slated to generate about €900bn of revenue and a speculative figure of an additional increase in headcount in IT-related services of 3.8 million new hires. I've read the report in detail and it still makes no sense and just seems to be a finger in the wind (like many analyst reports we all read daily) as to them "taking the temperature of the industry as a whole."

Maybe it was to buy more time until their slated 2014 time window, when the assumption is that the common EU data protection regulations will be outlined, and to understand the thinking on how that impacts Cloud. These regulations will replace sovereign data protection acts such as the one we take for granted in the UK.

If we examine how that impacts, say, a company like Amazon, purely as an example, they currently have to implement working practices for AWS in the EU where applicable in contract terms for sovereign customers. These practices have to follow to the letter the data protection acts in France, Germany, Ireland, the UK etc. All those data protection acts can be seen to follow a skeleton or outline of the data protection directives issued by the EU, but each has its own specific tailored requirements around statute in the applicable sovereign territories. So currently it's hard work for any provider of services to offer a blanket one-size-fits-all across the EU, and the cost of sales and architecture is therefore increased, as is the cost of adoption for consumption of elastic services generically across multiple territories.

So the hope is we can look forward to 2014 expecting a unified approach to data protection and therefore investment and adoption of catalogue cloud services as an industry. There is no denying that territorial harmonisation of regulation across the EU will make it easier for corporations and organisations to build compliance frameworks, but if we were to turn that on its head, it will also create a new raft of operational requirements.

Each member state will have to take on board its individual responsibilities for the legal statute required to make it work, and that means additional challenges in Sweden, Germany, Spain and especially France. The workload alone on the part of data controllers facing new responsibilities is going to dramatically increase, as is the definition and creation of procedures and controls. The need to understand how to fit within a new skeleton regulation framework for the management of data privacy then also has to fold in the need to handle reporting. We now move to a theoretical world post 2014 where an organisation needs to file compulsory data breach notifications immediately at identification of a data loss or hack.

This all impacts on the lifecycle of cloud services and repudiation of data within contractual periods across multiple territories and potentially multiple providers in open hybrid cloud. This is one of the great facets of ManageIQ: the capability to tag and to "patrol" your complete Cloud fabric so that you can conform out of the box today with your responsibilities as a data controller or processor. CloudForms handles Cloud. It doesn't matter whether that's defined as a public cloud sitting on a provider presence or a private cloud sat in your datacentre. If you're serious about Cloud you need to have CloudForms in your corner.

As an example, if you have a private cloud, the new EU guidance adjudges you to be the processor responsible for data and, in most EU states, the controller as well, and it becomes entirely your position of authority to control access to and protection of that data.

When you start moving those workloads and data upstream to a supplier such as a Red Hat Certified Cloud Provider partner, the guidance is clear. The onus is on you, the individual, to examine at contract and actual practice level that your provider has the security in place to protect you, but that isn't enough. You need to be able to do more than just assume a contract keeps you safe, without taking on the need for expensive audit procedures and a huge raft of risk registers and rolling pentests / conformance exercises with an often unwilling third party provider who assumes you were happy at the SLA level.

CloudForms combined with ManageIQ gives you a single pane capability, and the context tagging and reporting doesn't actually care where your instance is running, be it on a raft of providers on ESX or KVM, regardless of location. It just reports and keeps your cloud in line with your controls. It actually draws you in line with the EU regulations ahead of time.

So when the EU regulatory guidance actually becomes more than lipstick on a pig, you can look on smugly and realise that, having implemented CloudForms and MiQ, you were ahead of the game, and that your business is not impacted by additional regulatory need and complex guidance having a negative impact on your growth.

Expect to read more about CloudForms in the coming weeks and months. For more information, engage with your local Red Hat country representative.

Last week while I was on vacation, before I got waylaid in preparing for today's Cloud Computing World Forum in London and next week's Open.CH Cloud event in Switzerland, I promised my snapshot on Gartner's release, a fortnight ago now, on EMEA Cloud activity being a pale comparison of the US's activity. You can read it here; in fact, reading it before digesting this article might be a great start.

So before we start, let's be very clear: I'm not remotely out to bash Gartner. They have a well-earnt position in the pantheon of analysts and are a valued member of the technical analyst community, working hard to help a lot of customers across verticals globally make comprehensive strategies. The report itself lists four specific inhibitors for adjudging that Cloud growth in the EU region as a whole will fall behind the North American marketplace.

Inhibitor 1. Diverse (and Changing) Data Privacy Regulations

Gartner make a good job of outlining the concerns many companies have over data regulation and privacy. They do so without actually going into any concise clarified detail, but do at least admit that a lot of the privacy issues are communicated and understood badly by organisations, which is a positive. Certainly the Cloud community as a whole has a duty of care to ensure that we make it easier for companies and institutions to understand that issues such as ENISA and EU guidelines at the provider level, and your enshrined responsibilities as a data processor, are actually quite simple to quantify, and that issues such as the Patriot Act and Safe Harbor, which apparently scare many companies off hosting in North America, are not actually as realistic as painted. It's an unwritten rule that even in the EU the liaison between intelligence services is acknowledged as making local EU sovereign data privacy controls and the Patriot Act immaterial, therefore nullifying the concerns in the first instance. If you read the authoritative report by Hogan Lovells on behalf of the OpenForum Academy published last month, you'd understand even more that it should be the Cloud community and providers working harder to communicate this as a non-risk to customers regardless of geographical location, and that if you architect your public key encryption properly it actually disappears as a risk.

Inhibitor 2. Complex B2B Multienterprise Integration and Processes

In the EU we have a better understanding than most other global territories around working across boundaries. It's a fact that many of the boundaries between organisations in multiple EU territories, where data transmission, storage and processing occur daily, have evolved their own processes based around international standards such as COBIT, ITIL, ISO and BASEL as mandatory controls in business, nullifying actual risks to growth. So this inhibitor seems to be badly defined and badly understood as a doorstop to Cloud. EU businesses as a whole adopting Cloud are better positioned than many organisations outside Europe, given that we have had corporate governance in place that dwarfs SOX, SAS 70 and less capable non-EU-derived process controls.

Inhibitor 3. The Slowness and Undesired Effects of Some EU Policies

Gartner do a good job of outlining where they think sovereign mandated process and policy can potentially act as a roadblock to inertia in Cloud. In four years of Cloud specific activity, up to and including EU government ENISA guided Cloud architecture, I'm yet to identify one actual identifiable deployment slowed down by this "inhibitor". Gartner then give an example of the European Multi Stakeholder Forum's e-invoicing guidelines published in March, which are at best a steering piece designed to help and assist organisations rather than slow them down. Although it has taken almost five years to get to its findings, it's still comforting to know that it exists.

Inhibitor 4. The Investment Hold Caused by the Euro Crisis

I can't argue with this point. There is a critical crisis of confidence in the euro and the financial markets, but this is a technical blog, not a financial one. You'd have to have had your head in the sand to have not noticed the major slowdown in IT spend across all areas of technology, not just Cloud. It's an added benefit to the marketplace that Red Hat is positioned to allow customers in that position to achieve a lot more with a huge amount less, through the Open nature of Red Hat cloud technologies and our continued work with emerging technologies to prosper growth during a time of economic and financial instability. In fact Red Hat is growing continually even during a downturn, as our customers enjoy so much more capability based on our subscription and Cloud access model for their workloads. This then increases when they see how CloudForms and OpenShift start reducing workload costs and reduce complex associated ownership and process costs.

I'm very surprised that nobody from Gartner read the synopsis of the Cloud Security Alliance's 2011 study into EU Cloud growth and factors which gave more clarified detail and credible guidance to the very readers that digest Gartner articles as verbatim. I've uploaded my copy of their slides here as it returns a more authoritative piece to you towards doing your own clarified research.

So my message here is one of balance. Read the Gartner article, it's a balanced and authoritative viewpoint from a global leader. Once you're done then go read the links below:

PC World Report on Data Concerns over Patriot Act
Business Software Alliance report on Cloud in Europe (downloadable pdf)
Jipitec EU Cloud Computing Synopsis

My last word on this article from Gartner is that they missed a trick by forgetting that the same people who read their reports are the same architects and technically capable thought leaders who use open architectures and enjoy more competitive and open economies of scale from using Open Cloud.

If you use an Open Cloud, if you think about your architecture planning and build that portability and security of process and control into your Cloud using tools such as CloudForms, then I reckon 80% of the actual inhibitors outlined in the Gartner report become actual reasons to go Open and to speed up Cloud adoption.