COULD YOUR DATA BE BREAKING THE LAW?
As we move further into the information age, data is increasingly recognised as a precious asset requiring layers of protection and increasingly bound by legislation. Patents, copyright, intellectual property legislation and growing issues around “sensitive data” mean that the transmission of such data could become as risky as the smuggling of gold or diamonds. “How can cloud computing thrive in such an environment?” asks James Walker, President CloudEthernet Forum.
In October 2012 a House Intelligence Committee report raised allegations that telecommunications equipment from Shenzhen-based Huawei Technologies Co. might enable China to spy on the US and even disrupt power grids, financial networks or other critical infrastructure. As a result of this effective blacklisting Huawei lost important business from a key market. Since then it has been revealed that the National Security Agency (NSA) persuaded some US technology companies to build “backdoors” into security products, networks and devices to allow easier surveillance by the NSA – raising fears that US technology sales could suffer a similar loss of business from overseas markets.
China Daily retaliated by describing US companies, including Cisco, as a “terrible security threat” and some overseas governments began expressing the same doubts about U.S. technology as were expressed about Huawei. According to the Wall Street Journal, India may ban e-mail services from Google and Yahoo, Germany is calling for the use of its own national Internet and e-mail services and Brazil is questioning whether overseas companies could be violating its privacy laws. In November Cisco was already reporting delays to networking equipment orders and Forrester Research has suggested that the disclosures could reduce U.S. technology sales overseas by as much as $180 billion, or 25% of IT services, by 2016.
Cloud services in particular could take a hammering from the NSA’s tarnishing of the reputation of the very national business it claims to be defending. German confidence in the cloud has suffered according to a PricewaterhouseCoopers survey suggesting that 22% of German companies now rate the risk of using cloud services as “very high” – before the NSA leaks the figure was 6%– while 54% rate the risk as high or very high.
Thirty-eight percent said they were now looking at email encryption and 25 percent at encryption of mobile communications while 15 percent want to switch to European tech providers that won’t cooperate with American or British intelligence services.
A report by the Information Technology and Innovation Foundation suggests that US cloud service providers could lose up to $35 billion a year if overseas customers start avoiding them. Other opinions have suggested that these predictions are exaggerated, that business is less in awe of the damage that can be caused by blundering spooks and more concerned about the risk from cyber criminals and competitors.
Caveat vector – let the carrier beware
Whether these economic forecasts come true may not be the real issue, so much as the growing awareness that the data super highway is fostering a whole new and diverse population of “highwaymen”. The difference is this: when it was gold and jewels in transit, you knew you had been robbed when the precious cargo went missing; but data can be leaked with no apparent loss. This makes it doubly important to choose the safest routes, and the safest harbours, for critical or sensitive data.
Indeed, some companies have reacted to the above concerns and are already asking for written assurance that their data be stored outside the US. These include a Canadian pharmaceutical company, a government agency and a UK grocery chain according to Rook Consulting, an Indiana-based security-consulting firm responsible for managing the segmentation to keep the data out of the US.
More generally there is concern about the non-deterministic nature of Internet and Ethernet traffic and the resulting risk of using public, or even certain private, cloud services. If the data you are processing in the cloud happens to be diverted via another country with different standards of privacy legislation then nobody need be the wiser – unless it turns out that some of that data has been “leaked” to a foreign intelligence service or criminal gang and your customers, or their government, make a claim against you for not protecting the privacy of their data.
This problem is not new, what is new is the scale and scope of the problem. If a single large carrier, such as my own company, Tata Communications, is carrying all your data, then it will most likely have mechanisms across its network to define Classes of Service (CoS) for different classes of data and so be able to enforce suitable levels of protection and privacy, and that includes restricting traffic to specific routes across the network. Note that these requirements can be quite complex: for example the customer who expresses a strong preference for the way data is routed under normal operating conditions, but recognises that, when the going gets tough, it is more important to ensure certain data’s arrival than the how it gets there, while other ‘sensitive’ data would be better lost than take a dangerous route.
But what would be much more problematic would be to extend this level of control across two or more service provider networks. We do not yet have common global standards for end-to-end privacy and security and certainly not in such detail. Whether the networks are linked to extend coverage, or run in parallel to provide redundancy, the providers who are probably using different technologies do not yet have common standards to ensure consistent protection.
Is SDN the answer?
SDN could play an important role in resolving these issues. SDN provides a distinct control layer and a central controller that would enable packets containing different types of data to be forwarded according to specific rules – such as not crossing international boundaries, or being restricted to preferred routes unless specific situations arise.
This looks like the complete answer, until you dig a bit deeper. Firstly it would add a massive computational burden to the control system. Once we start routing traffic according to the content of each packet in the already dynamic SDN network environment, then we are taking the technology way beyond anything currently possible. Then consider what happens when you route data between providers: Tata would not want its SDN to be subject to a Verizon controller, nor vice versa, so we would need a very complex handshake agreement between the two networks to maintain consistent service.
A global solution has to allow for any number of possibilities. One customer working with a single provider might be able to thrash out a set of standard agreements covering an agreed set of classes, such as “Company Confidential”, “Embargoed until X”, “Customer Confidential” etc, and whether these types of data can be accessible to specified national and foreign government agencies – but defining universal standards to allow for such detailed policy-based networking becomes a massive undertaking.
If the entire world becomes connected by a single WAN subject to a single global controller, then a super-powerful SDN could provide the solution. But that would probably require a single world government to make it possible – and that would mean that all these problems of diverse legislation and juridical anomalies would have already been resolved!
The role of CEF
The CloudEthernet Forum (CEF) does not have a solution, but it is rapidly gaining a clearer understanding of the problems’ magnitude, their evolution, and the need for a solution.
Datacenters used to use a range of technologies for different application-specific networks: eg Fibre Channel for storage services, InfiniBand for high-performance computing, and Ethernet for basic LAN applications. Today, however, higher speed Ethernet is taking over as the unifying technology in the datacentre and Carrier Ethernet is extending it across the WAN.
So it is appropriate to ask what new Ethernet developments and standards could best support the rapidly evolving needs of cloud computing – just as Carrier Ethernet was evolved to meet the needs of the WAN. The CEF has already identified five fundamental areas of concern – Virtualization, Automation, Security, Programmability, and Analytics – and published a White Paper outlining these areas while working groups are being formed to address specific issues.
As suggested above, individual providers can get together with their customers to thrash out working solutions to the problems we have discussed, but this will do little to solve the global problem of ensuring suitable protection for different classes of data across diverse networks and jurisdictions. As in the case of Carrier Ethernet, it requires a concerted effort from many different cloud stakeholders and not just the providers.
How does this impact your business?
In the past this problem was confined to specific areas such as healthcare, with private individuals’ medical data, or banking, with sensitive financial data. But it is becoming increasingly relevant to any large business.
For example, until recently Amazon cloud customers were required to sign up for a particular geographic area, and if you wanted support for a second region you had to sign up separately and be responsible for the connectivity between the two. They are now offering a service whereby you sign up for a single cluster and, should it fail, they will pass you over to another cluster via Amazon’s own network. But does the customer know where Amazon will be routing the traffic, and how might it impact legal agreements covering the data? The customer will now want to communicate not just with Amazon’s servers but also with Amazon’s network to make sure that all those different classes of data sensitivity are recognised during the transition.
Then there is the spread of legislation to contend with. Banks, for example, are now required by government to collect and keep certain types of data to assist them with tracking money-laundering operations. If that data gets lost, or into the wrong hands, the bank would face stiff penalties or itself come under suspicion.
What is needed is a set of common standards so that any organisation can classify its data according to value, criticality, personal or juridical sensitivity, whether it is also time sensitive and so on. Then carriers will be able to customise services appropriate to every need, as well as creating standard packages such as “Healthcare Standard A”, “Personal Data Gold” or whatever.
Achieving this requires a lot of work, but it also requires initial input from everyone whose business could be affected. In this article I have given a broad outline of issues that could touch every aspect of business – how will they impact your own operations? Do you foresee specific problems that I have not touched on? Is this so important to your company’s future that you would want to help shape future cloud services to make sure its needs are accommodated?
If so, you should join the CEF and make your voice heard. It is still early days, and those who are signing up are already helping to shape decisions and lay the foundation for future cloud services that will meet every business need as well as future legislation. To find out more about the CEF, please visit www.CloudEthernet.org