F5 and many other partner organisations, as well as representatives from thousands of organisations across EMEA, have just returned from a week in Copenhagen at VMworld. The central theme of the show was around cloud, specifically cloud ownership.
The reasons for adopting cloud services of one form or another remain laudable in principle. In the short-term, however, we see that some organisations know already that they will never make cloud work for them in the current regulatory climate. We are starting to see cloud providers look at industry or geographically or industry -specific offerings in order for the benefits of cloud services to be realised without compromise on how data and applications are stored and secured.
There are some specific roadblocks. The issue of storing personal data in countries outside of the European Union can violate the Data Protection Derivative, or DPD, which complicates the use of cloud-based storage providers that may store data in data centres outside the EU. On top of this, many individual countries within the EC have very strict privacy laws.
There are also concerns that cloud service providers could be forced to divulge private and confidential data to the US government under the provisions of the Patriot Act - interestingly, there is technology in the works that is aimed at anonymising the data stored in public clouds, which may allow an organisation to store sensitive data in a public cloud without infringing EU regulations.
The big question here is whether your organisation can be happy using a US-based cloud provider, when any company with a presence in the US is legally required to respond to a valid demand from the US government for information if the company retains custody or control over the data.
All this opens up opportunity for something that is gradually taking wing in the US and a couple of countries in Western Europe – the notion of community cloud. Geographically bound privacy directives can open the door for a new cloud-based business model: the local cloud provider who only operates a regional cloud storage business within specific geographic borders. This could be a huge opportunity for local cloud providers and could provide a large competitive advantage against the multi-national cloud providers that have difficulty guaranteeing the location of an organisation’s data, and thus adhering to multi-national privacy and protection laws.
The concept can be taken further – the community cloud could be industry-specific. What if, in the UK, financial services companies had access to cloud provision that guaranteed that their data would be stored in ‘acceptable’ locations, and that also stored and secured the data to the same high standards that the industry has to answer to, over and above the requirements applying to ‘regular’ sensitive data?
Consider: an average cloud customer typically cannot visit a cloud data centre and perform an audit on all of their infrastructure components across multiple data centres. Not only is this logistically infeasible, but the audit itself could also violate the privacy of other cloud customers, and thus the DPD, by exposing and identifying private data, as the auditors would have to access the entire cloud infrastructure. But if the cloud provider itself could offer regulatory approval of their service up front: a different story.
We at F5 see ourselves as having a role to play in the Community Cloud, just as we do in all other forms of cloud provision. The F5 platform has the ability to introduce control and allow ‘ownership’ of the cloud in the context of where data is kept and users are directed. Ultimately, F5 can help remove legislation-related objections. F5 offers organisations strategic points of control.
In the context of using cloud services and needing to know where your users are served applications from or where data is stored, F5 provides you with the ability to understand the how, when, and where. You maintain corporate control while still gaining the flexibility and simplicity you demand.