6 August 2013 - by Thom Hooker

Is the NSA reading your mail?

In technology, data sovereignty refers to the location where your data is stored, and it has been a core issue in cloud service adoption since well before now. With the recent revelations about the NSA and its snooping activities, companies should be more concerned than ever about data sovereignty. In the past, when organizations ran their own email servers, business owners, CIOs and IT managers knew where their data was located. In this era of commoditized cloud computing, many of the large global players in this space would prefer that you don't ask where your data is stored. In SMX's case we've always been very open about deploying email infrastructure in the same jurisdiction in which we sell our services.

Two of the most important questions asked when selecting a cloud service provider are:

  • where is my data located?
  • can I trust my cloud provider?

Data sovereignty is currently a hot topic, thanks in part to Edward Snowden exposing the NSA's clandestine electronic surveillance and data mining program PRISM. The ability to deploy our data-centers locally has been one of SMX's strengths since we first started selling email security services in 2005. This decision was driven by the design of our platform, which enables SMX to efficiently deploy multiple data-centers around the world, all managed from our headquarters in Auckland, New Zealand. Our argument was that if we can keep our customers' data local to them, they and the people they communicate with will have a better user experience. In parallel, we can also satisfy customer concerns about their data falling into the wrong hands, and, in some of the jurisdictions SMX deploys in, international data costs are a real concern, so reducing cost has also been an argument for customers to use our services.

Recently we've seen those design decisions bearing fruit, with the revelations about the NSA's spying programs and the ramifications for non-US companies. For example, Britain's The Guardian revealed the lengths to which Microsoft went to cooperate with the NSA by:

  • providing the NSA with a way to view encrypted chat sessions on the Outlook.com website
  • giving easy access to Microsoft's cloud storage service SkyDrive
  • working with the NSA to provide access to Skype video calls (Skype audio calls were already available to the NSA).

Microsoft have come out publicly to say that they "only ever comply with orders about specific accounts or identifiers". However, the fact that the NSA has boasted about the amount of traffic being collected via Skype, for example, or about the ease with which they can read "encrypted" Outlook.com chat sessions, tends to indicate that Microsoft aren't telling the truth.

Contrast Microsoft's actions with those of Yahoo, who have been subject to the same requests from the NSA as Microsoft. In Yahoo's case, however, they decided to fight the NSA's requests. Yahoo have recently won a fight with the US government to unseal a court decision dating from 2008 that forced Yahoo to hand over customer data to the NSA's PRISM program. So not all companies were as happy as Microsoft to assist the NSA with their snooping programs.

You might be asking yourself, "So what does all this have to do with my company?" Well, would you trust your data to a company that so willingly hands access over to a foreign government? And even if you don't have anything to hide, the fact that a huge number of companies share information with the US government in a two-way relationship means that your company's confidential data could easily make its way to one of your competitors.

These are the (serious) privacy issues involved in selecting an off-shore cloud provider; then there are the support issues. Are you, as a business owner, CIO or IT manager, able to get hold of your cloud provider for support at 3am on a Sunday morning if you need to? Or will you be left on your own to provide support for someone else's application?

How about SLAs for this service? Picking on Office 365 for a minute, they currently offer an uptime SLA of 99.9%, which is basically a day a year when you won't have access to your email. Not that big a deal, I guess, but look a bit further at the SLA document and you'll see that if Office 365 is down for 1% of the time in a calendar month (i.e. 8 hours, or 1 whole day) you're only entitled to a 50% service credit. And only if Office 365 is down for 36 hours or more in that month (<95% availability) are you entitled to a 100% service credit.

The question you'd have to ask yourself now is "Is it worth the risk?"

By choosing a cloud provider located in your region you can cover off one of the most important questions raised by cloud customers: where is my data stored? You can also minimise the number of opportunities for you to lose access to your data due to network problems, as well as limiting the risk of your data falling into the wrong hands. The trust question is much more complex, but anyone considering outsourcing their IT requirements to the cloud needs to fully trust their provider: in the eyes of your customers and partners, your IT performance is directly related to the performance of your cloud provider.