Strategy Guide:

Data sovereignty
and security

Sponsored by
 Contents

Data sovereignty awareness lacking in Australia pg3

Data sovereignty and the dangers of hosting data outside of Australia pg4

Do you know where your data is? pg7

Who watches the datacentre? pg10

Data sovereignty awareness
lacking in Australia
By Hamish Barwick
While the US Patriot Act may make many headlines
for the legal authority it bestows on US agencies
to access data held in foreign countries, Australian
companies need to be aware of similar legislation
in both the US and Australia, according to security
industry experts.
Forrester senior analyst, Michael Barnes, said
Australian companies were right to be wary of placing
their data in the cloud as it could be accessed by US
authorities using the Patriot Act.
In fact, recent research from Forrester indicated that
among Australian companies not intending to adopt
the public cloud, the Patriot Act was cited as a major
reason. However, Barnes said some Australians may
not be aware that US authorities had the power to
request data even without using the Patriot Act.
“There are enough bilateral agreements between
the US and Australia that if the US wants something
for a particular purpose they can probably get it,”
he said.
Cloud security consultant, Rob Livingstone, said
Australia’s Anti-Terrorism Act of 2005 is similar to the
Patriot Act and Australian Federal Police (AFP) can
obtain information from companies or individuals at
their discretion.
The Anti-Terrorism Act states that the AFP can
request information from any source about any
named person including information about the
person’s travel, residence, telephone calls and
financial transactions.
Legal experts have also expressed concerns with
the US Patriot Act. Connie Carnabuci, a partner of
the law firm Freshfields Bruckhaus Deringer, said that
under the Act, US authorities have the ability to pass
orders for the disclosure of non-US data that is stored
outside the country. “The basis for that disclosure is
that you have to establish a sufficient connection with
the US,” she said.
Carnabuci added that while the Act has a regime
that allows companies to seek a formal subpoena,
there is an “intrusive route” called the National
Security Letter (NSL), an informal request for
disclosure of information.
pg3
 Data sovereignty and the
dangers of hosting data
outside of Australia
By Carlo Minassian

Cloud is often presented as a cure-all for data
storage, because it combines ease of access with low
cost. In addition, cloud offers the seeming security
of housing precious information off-site in purpose-
built facilities not susceptible to natural disasters and
power outage.
This perception has become so widespread that
organisations, including many in government, are
rapidly moving parts or all of their operations to the
cloud. While there are indications that some of the
large early adopters, like IBM, are reconsidering the
parameters (they recently forbade employee access to
Dropbox and Apple’s iCloud), the momentum to the
cloud is unlikely to be stopped, because the imagined
savings are just too attractive.
Two years ago, the federal government in
the United States began to urge its agencies to
embrace a ‘cloud first’ approach when it came to
IT procurement. The goal was to lower costs, and
today they are saving about US$5.5 billion every
year. Given recent projections, if cloud first was
adopted even more widely, those savings would rise
to US$12 billion – almost the equivalent of NASA’s
annual budget.
With numbers like this, it’s no surprise that cloud
is becoming so dominant. It’s also no surprise that
IT managers’ concerns are frequently shunted aside,
especially when ‘hard’ savings numbers are
weighed against security risks that are difficult –
if not impossible – to assign a dollar figure.
But these concerns must not be pushed aside. Any
organisation – government or private sector – that
doesn’t become fluent in data security, is taking a
sizeable risk. This is especially true if that organisation
is based in Australia.
While there are numerous issues around cloud
and data security, I want to focus on two of the most
important: data sovereignty and the value of keeping
things onshore.
Foreign law
There is a strong out-of-sight/out-of-mind
component to the cloud. It might seem like stating
the obvious, but when your data is in the cloud, it is
actually a ‘resident’ of a particular country. As such,
it is governed by the laws of that country and those
laws might be very different, and significantly less
friendly, than those of Australia.
Michael Chertoff, the former head of the US
Department of Homeland Security, has argued
forcefully that organisations that handle private
data should keep it onshore. Chertoff experienced
first-hand how quickly data sovereignty can
devolve into a legal wrangle that puts critical and
private information at risk. As a result of sweeping
antiterrorism legislation, US law required that
international airlines provide access to traveller
information. From the European perspective,
America was asking for protected information
about its citizens.
pg4
 This situation led Chertoff to conclude that data
sovereignty and cloud goes well beyond protecting
classified information and military secrets. He made
a vivid point that can be applied to Australia: “At
all levels of government, we store the working-day
information that helps government function: email
exchanges, calendars and the like. The scope of
our government’s data holdings is as wide as the
expanse and reach of government, and likely contains
information that touches upon all aspects of American
life [including driver’s licences, real estate data, birth
and death records, etc].”
Chertoff was saying that it’s easy to forget just
how big the scope of data storage is today. Some of
it might be non-critical, but much of it is genuinely
precious and needs to be treated like any other
commodity. Where that commodity is stored and who
has access to it matters a great deal.
Chertoff’s observations also apply to Australia,
ironically in part because America’s own sweeping
laws make offshoring Australian data in the United
States something to avoid. Both the Patriot Act and
the Digital Millennium Copyright Act (DMCA) have
shown just how data stored in the United States is
vulnerable to law enforcement intrusions.
The Patriot Act means that your data can be
accessed and you probably will never know – in
fact, in some cases, providers might not be allowed
to tell their customers of such access. Moreover, US
companies usually readily comply with even informal
requests, known as National Security Letters (NSL),
for such access to data.
Similarly, enforcement of the DMCA has led to
dramatic cloud-shutdowns like the Megaupload case
that should have made anyone using similar services
reconsider moving to another data storage solution.
After all, while Megaupload was targeted for music
and video piracy, a study by Palo Alto Networks
showed that the service had greater use on corporate
networks than Dropbox, YouSendIt and Box.net
combined – all currently seen as ‘legitimate’
cloud providers.
Moreover, US-owned companies will also be
forced to comply with these laws even if they are
housing data in Australia. But the reality is that there
are many bilateral agreements between Australia and
the United States. If the US wants particular data, that
data will often be given to them on a silver platter,
regardless of whether or not it is being housed in a
US-owned data centre.
But the issue of data sovereignty goes beyond the
United States. Many leading organisations are starting
to recognise that the country where data is stored is
critical. Financial organisations tend to be especially
sensitive to these issues because of regulatory issues.
Andrew Stokes, Chief Scientist of Deutsche Bank
Global Technology, recently said, “There are so many
regulators and regulations – we need to be safe. Every
geography has its own unique sector and laws.”
pg5
A familiar environment
For most Australian organisations, there are
substantial advantages to storing data onshore in
an environment that is politically, economically,
financially and even geologically stable and familiar.
This involves business continuity (BC) concerns. After
all, the organisation can better assess the robustness
of data centres, especially when it comes to disaster
recovery (DR) scenarios.
The Brisbane floods and the bushfires in Canberra
drove the point home that you need your DR
facilities in different locations, because having two
data centres in the same geographical region can
still lead to prolonged downtimes. But, again, on-
shoring allows for the organisation to assess the best
approach from a DR angle.
Additionally, on-shoring permits organisations
to benefit from strong local security certifications
such as ASIO T4, DSD HP and PCI DSS, which are
essential for the highest level of data protection. The
‘human factor’ and physical proximity is also critical.
It matters that an organisation can see where their
data physically resides, that they can visit data centre
sites, get to know the people delivering their services
and have access to senior engineers in their
time zones.
Arguably, the starting point for data security begins
well before you start worrying about data sovereignty.
Government agencies and any organisation with
sufficient reason to care about data security need to
know that:
• data is being identified, classified and protected
both physically and electronically;
• any person who may handle the data has
appropriate security clearances;
• there is a defence-in-depth strategy in place;
• threat detection and response, not just data
protection, is practised; and
• the three postulates of security (confidentiality,
integrity and availability) are being enforced.
While most, if not all, onshore cloud providers will
fall down on these counts, those organisations that
are scrupulous about their data can and should find
private cloud providers that can meet their rigorous
specifications. The cost might be higher and the ROI
difficult to calculate, but data security means too
much to be lost in the current rush to the cloud.
pg6
 Do you know where your data is?
By Lesley Meall
In the beginning, when cloud computing was all
about public cloud services, many IT leaders held
back because of their concerns about the safety and
security of their valuable and sensitive corporate data.
But things change – well, some things.
Putting it in the hands of a third party – outside
the firewall, on multi-tenant boxes – emerged as a
security risk too far in survey after survey, despite
widespread awareness of the cloud’s potential
to deliver business benefits, cost savings and
strategic opportunities.
The cloud has evolved. Public clouds have been
joined by private clouds, and hybrid clouds, and
other variations on the theme, and use of them
is increasing.
However, finance chiefs remain cautious. When
a recent Deloitte survey found half of chief financial
officers using cloud computing or planning to within
two years, a whopping 89 per cent were, perhaps
understandably, still citing data security as their main
reason for holding back. Meanwhile, uncertainty
about the location of data concerned just 44 per
cent, and legal issues 40 per cent – and this may
need to change.
“This is a complicated area,” said Alistair
Maughan, a partner at the international law firm
Morrison Foerster.
The explosion in cloud computing has increased
use of third-party service providers, and some of
them in turn use other third-party providers to host
and backup data, so its physical location can be hard
to pin down (a problem), as can the legislation that
applies to it and the jurisdictions in which this can
apply (another problem).
“Generally speaking, the law that’s applicable
is the law of the country where the data controller
is located,” said Maughan; but there are some
exceptions (yet another problem).
“There was controversy earlier this year when India
issued rules that seemed to suggest that Indian law
would apply to data processed by Indian providers on
behalf of Western customers,” he said.
Many cloud service providers and legal experts
worried that this would result in additional (and
more restrictive) rules, on top of the national laws
that already apply to personal data that is transferred
offshore from the UK, EU or US.
pg7
Ignorance is no defence
“The Indian government has since clarified that this
is not its intent,” Maughan said, but added that China
and the Philippines are among other countries that
are currently developing their own data privacy laws,
so IT leaders will need to monitor developments.
The UK Data Protection Act 1988 (based on the
EU Data Protection Directive 1995) has been around
in one shape or another for quite some time, so
awareness is high among affected organisations.
But the Act’s stipulation that personal data should
not be transferred to a country or territory outside
the European Economic Area – unless that country
provides an adequate level of protection – isn’t
always factored in to the decision-making process
where cloud-based services are concerned.
Sometimes this happens because the money comes
from departmental budgets, and is spent by people
who are not aware of the implications of their actions;
sometimes the ignorance is higher up the food chain.
“A minority of organisations are getting very
smart about incorporating information security and
sovereignty into their contracts with cloud-based
providers,” reportedRob Rachwald, director of
security strategy with Imperva (a data and application
audit and security specialist), and may even go as far
as auditing their cloud-based service provider.
“It will get better, because it’s an evolutionary
thing,” he said, but at the moment, most organisations
are less evolved. “When you go into the cloud, it’s
often because it’s cheaper, and you think you can
forget about hardware and software,” he explained.
“So a lot of organisations don’t think about issues
such as data security or sovereignty until there’s
a problem.”
Cloud computing allows you to abdicate
responsibility for a lot of the processes that would
otherwise need to accompany their use of computing
resources, but this doesn’t include compliance with
data protection law; so users of cloud services must
know the physical location of the servers on which
their data is processed and stored.
“It’s as simple as asking the question,” Rachwald
said.
Although he warned that ensuring your service
provider is contractually obliged not to transfer the
data to any other countries without prior consultation
and agreement can be more of a challenge. Many
cloud service providers have one-size-fits all contracts
and service level agreements that they are not willing
to vary.
Some cloud service providers do try to make
it easier for their customers to comply with data
protection legislation.
“When we expand from the United States into
Europe, we will have a data centre within the EU,”
said Eric Webster, VP of sales with cloud business
continuity and disaster recovery specialist Doyenz.
“We have a worldwide agreement with Internap
and will be using their co-location data centre in
London,” he said, so the data of European customers
of Doyenz will never leave the EU. The behemoth
that is Amazon Web Services also has regional data
centres across the world, that service only certain
geographies: the EU Region, for example, uses servers
that are physically located in Ireland.
pg8
The reach of governments
However, there are scenarios where the location
of your data seems to impact less on its privacy and
security than the nationality of the organisation that is
storing or processing it.
“The issue of whether a government or public
authority can gain access to data that is located
outside their national jurisdiction is a hot issue right
now,” said Maughan, because of the international
reach of the US Patriot Act.
“The US government can request information that
is under the jurisdiction or control of a US company,”
he explained, regardless of the physical location of
the data or the nationality of its owners – and it can
do this in a way that seems to undermine the US-EU
Safe Harbour Framework.
Safe Harbour was introduced as a companion
to the EU Data Protection Directive (and national
implementations such as the UK Data Protection Act)
in 2000. Since then, it has allowed for the sharing
of data between the EU and US, but only when
certain conditions are met – such as the provision of
reasonable data security – and this is accompanied
by clearly defined and effective enforcement
(because the EU has higher data privacy standards
than the US).
But earlier this year, when Microsoft launched
its cloud-based Office 365 service in the UK, it
explained (in its Online Services Trust Centre) just
how long the arm of US law is – because the Patriot
Act can be used to force US-owned companies to
reveal EU citizens’ data, secretly.
This revelation has troubled some Euro ministers
including Sophie in’t Veld, Dutch MEP and vice-chair
of the European Parliament’s Civil Liberties, Justice
and Home Affairs committee, who is pushing
for clarification.
“The European Commission should make it clear
that European businesses and citizens operate under
European privacy laws, and that EU institutions can
enforce their own laws,” she asserted in a blog on
her party website. She suggested that EU subsidiaries
of US parent companies are breaking European law
by meeting Patriot Act requests, and that while these
subsidiaries are operating in Europe, EU law must
take precedent.
Maugham doesn’t see the balance of power tilting
quite so heavily in the direction of the US.
“The UK government as well as most EU member
state governments can also go to court and get a
subpoena to access data from any organisation over
which they have jurisdiction,” the lawyer pointed out.
“So while the focus is on the US Patriot Act,
most EU member state governments have very
similar powers.”
pg9

The proliferation of datacentres around the world
has made the Cloud not only accessible, but also
affordable in the process. However, the issue of data
sovereignty, the location of where the data is stored,
has been an inhibitor.
In particular, data sovereignty has been a sticking
point for governments and their data, but as APC by
Schneider Electric Pacific vice-president, Paul Tyrer,
points out, many highly regulated organisations, such
as those in the financial sector, are also concerned.
“The risks and benefits of controlling your own
datacentre versus outsourcing to a co-located
provider have been debated by the industry in detail,”
he said.
According to Zettagrid general manager, Nicki
Pereira, the hesitation by government to delve head-
first into the Cloud can also be attributed to the
relative newness of the technology.
“The transition to the Cloud is still in its infancy
and there are many unknowns regarding data
sovereignty,” he said. “The lowest risk option is to
specify that data should remain under Australian
sovereignty prior to any adverse situations arising.”
As such, Pereira expects that governments want
the ability to “step in” in the event that something
should happen.
Who watches the
datacentre?
By Patrick Budmar
Working for the man
Because of the data sovereignty issue, it has meant
that datacentres have had to be established locally to
meet the demands of governments operating in the
region. However, Verizon Business Asia Pacific Cloud
and IT solutions practice manager, Ray McQuillan,
points out that that the localisation of stored data is
not the only attraction for governments to work with
local providers. “From a network perspective, latency
is a major factor attracting governments to choose
local datacentres,” he said. “Having performance of
their systems nearby, and not having to worry about
being thousands of miles away worrying about
issues impacting user experience, is a decisive factor
for governments.”
The other benefit that McQuillan sees in having
data onshore is that it gives them the assurance that
their business is being conducted domestically and
within reach.
“Scalability and feet-on-the-ground also allow for
deeper relationships between them and their local
providers,” he said. “It also provides a face-to-face
accountability and a compelling story around disaster
recovery and business continuity.”
Additionally, if a local provider has a “critical
mass of customers nearby,” McQuillan sees this
pg10
as providing another layer of reassurance to
governments, which allows for “greater confidence in
the chosen local provider to deliver its services and
that it will be there for a long time.”
Having strong local security certifications, such
as ASIO T4, DSD HP, and PCI DSS, is something
that Earthwave founder and CEO, Carlo Minassian,
sees as being essential in attracting work from a
domestic government. In particular, Minassian cannot
understate the importance of the “human factor” and
physical proximity.
“It matters that a government agency can see
where their data physically resides, that they can visit
datacentre sites, get to know the people delivering
their services and have access to senior engineers in
their time zones,” he said.
Cloud concerns
Just because a datacentre is located locally does
not mean that governments have no other issues to
be wary of. In fact, Victorian Privacy Commissioner,
Anthony Bendall, recently discussed some of the
security concerns that he saw with Cloud computing.
What stood out for Equinix Australia country
manager, Tony Simonsen, were the concerns Bendall
had beyond the obvious concerns of lack of control
over stored data and privacy at overseas Cloud
service providers. “When government agencies
consider moving information and services to the
Cloud, Bendall felt that questions of data security,
accountability in the case of a data breach, and
differing privacy laws needed to be addressed,”
he said.
But why is the government so sensitive about
its data? HP South Pacific Government chief
technology officer, Scott Cassin, sees it coming down
to avoid compromising citizen data and critical or
sensitive information.
“Security vulnerabilities may reside or infiltrate
at the system, application and code levels,” he
said. “Thus, Australian government agencies need
to consider if datacentre services meet Australian
national security standards.”
According to Cassin, these standards are quite
thorough and extend to security clearance of
personnel, the physical security of the site and
building access controls, and information security.
“The Australian government defines these standards
through the Information Security Manual, as part of
its overall Protective Security Policy Framework,”
he said.
Network security, performance, availability and
reliability are all key factors that governments may
consider when regarding offshore services, but Cassin
warns that Australian government agencies should
first understand the legal implications of this before
pushing ahead.
“The law of the country where the data resides will
take precedence regardless of Australian requirements
or laws,” he said.
pg11
Securing sensitive data
In additional to physical security, datacentres are
also getting attacked electronically via external hacks.
F5 Networks Australia and New Zealand managing
director, Kurt Hansen, sees the cyber attacks on
datacentres not just being at the network layer
anymore, but distributed denial-of-service (DDOS)
attacks targeted at the firewalls that protect them.
“We’re seeing an increasing amount of attacks on
Web services and on the application layer,” he said.
“That is what has driven us to have network, DDOS
and a datacentre level protection.”
What Hansen is seeing as the issue now is that the
attacks are occurring at a Web application level, and
that has become a “real concern” for governments.
“Enterprises have been putting their core
applications online for many years, but governments
only started a few years ago,” he said. “But as they
put more and more of their processes online to cut
operational costs, those processes and information
they want to share with customers can now be the
subject of attacks at an application layer.”
The increasing sophistication and the frequency
and diversity of attacks has meant that traditional
network firewall protection of datacentres is seen as
somewhat outdated and ineffectual.
Hansen compares this situation to the olden days
when a moat would be installed around a castle to
keep attackers out, with a drawbridge over the moat
to let people in and out.
“But now the attacks are coming in from the air,
so the drawbridge and the moat don’t help you
anymore,” he said. “You still need the drawbridge
and the moat in the datacentre, but you also need air
defences now.”
In the past, Oracle Australia government,
education and health applications general manager,
Ian McAdam, has seen local regulations around
data sovereignty somewhat hindering public and
financial sector customers from moving ahead with
Cloud computing.
“Organisations worldwide have ranked IT
security as one of their top priorities as increasingly
sophisticated attacks, new data protection
regulations, and most recently insider fraud and data
breaches, threaten to disrupt and irreparably damage
their businesses,” he said.
However, the evolution of the industry as a whole
has meant that providers are able to overcome their
concerns and meet specific demands through robust
Cloud solutions hosted at local datacentres.
As such, the providers that McAdam feels are the
most successful are those which “uniquely safeguard”
a customer’s information throughout its entire
lifecycle and help organisations achieve “security
inside out”.
pg12