Data location not the overriding factor in cloud security
One of the criticisms usually weighed against cloud computing is that, with many cloud services, the actual location of where they store your data is unknown. Google, for instance, does not divulge the location of its servers that handle Google Docs. For government agencies that need to keep track of the location of the data for policy and regulatory reasons, this is a major deal-breaker.
But should it be? Knowing where the data is located, and that proper protective measures are in place there, is certainly instrumental in safeguarding the data. But location may not be the correct way to think about these concerns, said Lew Tucker, who is the chief technology officer for cloud computing initiatives at Sun Microsystems. He brought up this point June 1 in a cloud computing panel at the CommunityOne conference.
The question of "where the bits reside, of what geography or national boundary these bits exist within," is somewhat moot, given that "we are totally connected by networks," he said.
In fact, access, rather than location, may be the better way of thinking about things.
"It really is who has access to these bits that is the really critical question, not the locale where they reside in," Tucker said. "But right now we are governed by rules about the locale of the disk drive."
It's a good distinction. When you think about the location of a particular document, or anything else, what you are really thinking about a series of bits residing on some physical medium, such as a hard drive or tape drive, which itself is probably located in a network-connected data center.
But no one who is actually inside the data center can view the data with any more ease than any than anyone else on the network, In fact, if the data resides on a server without a monitor, everyone can access the data in exactly the same way, by a terminal from some other location. Sure, a wrongdoer could sneak inside the data center and steal the server with sensitive data. But again, any data center breach can be described just as well in terms of who had access to the data center, as well as the location of the data itself.
Posted by Joab Jackson on Jun 02, 2009 at 7:05 PM