Let's talk

Safe Harbour: plotting a compliant course

18 March 2022

Last month I blogged about the demise of the Safe Harbour agreement, and the spotlight that it's thrown on some of the issues with cloud provision. Now I want to look at what the death of Safe Harbour means for solutions providers such as Ideal, and for our clients.

For us, it's always been important to only recommend and implement cloud solutions where they're absolutely appropriate. And here's the funny thing - the most recent statistics I've heard suggest that only about 10% of business cloud use is for native cloud apps - i.e. where the internet is your OS. Some 20% use the cloud for its elasticity, whereas 70% use it simply because it's ISE (Infrastructure Somewhere ElseTM).

That's a clear majority of users giving up full control of their data for flexibility and location advantages which aren't unique to the cloud: in other words they could be delivered by alternatives such as co-lo, without the attendant compliance risks.

In practice, the best solution is often likely to be a hybrid between hosted or co-lo and cloud services, where the former provide a secure and compliant environment for sensitive data, while the latter can be exploited to the full, or at least for its flexible service and cost models. In this hybrid environment, it's incumbent on solutions providers like Ideal to help with data migration, and the manageability and secure connectivity between the different environments.

For customers, on the other hand, it's time to ask cloud service providers some fundamental questions:

  • Where will our data be located? It's an obvious question, but the answer needs to cover primary data stores, backups, replication and archiving. A high availability service-level agreement may mean that replications are stored in non-compliant regions.
  • Will our data be scanned, and what information or metadata will be collected about it? This extends to the use of support tools on the data store.
  • Who within the service provider or third-parties acting on its behalf will have access to our data? There's no point segregating data into the EU-only if US-based support technicians will have access.
  • Will our data be encrypted? It should be. If the provider doesn't do it, you should, and you should keep the keys securely on your own premises.

 If your provider can't tell you, or you don't like their answers, why not call us on 01273 957500, or send us a message.


Image: Naval Surface Warriors/FlickrPlotting_course_by_Flickr_user_Naval_Surface_Warriors.jpg, Creative Commons