Microsoft and AWS set sights on the UK: But will regional cloud data centres resolve data privacy concerns?

In the past week the two largest cloud providers - Amazon Web Service and Microsoft - have pledged to build data centres within the UK.

Aside from offering benefits for UK customers, such as lower latency, it is clear that the announcements are intended to help address renewed concerns from business around data sovereignty and privacy, particularly in the wake of the European High Court's recent decision to scrap the Safe Harbour agreement.

But will the creation of new cloud facilities within the UK mean that business can now be sure that data will be stored in the country, and kept safe from prying eyes? See also: What is the Safe Harbour agreement?

Both AWS and Microsoft expect to have the data centres up and running next year, joining other providers - such as Rackspace and IBM Softlayer - with cloud facilities located in England.

Last week, AWS - which already has large number of UK customers, including the BBC and Unilever - announced its move into England via CTO Werner Vogels' blog.


And, at the Microsoft Future Decoded event in London this week, CEO Satya Nadella revealed plans to "build the most hyperscale public cloud that operates around the world with more regions than anyone else", providing its Azure infrastructure as a service platform and Office365 software as a service. See also: Microsoft Azure vs Amazon AWS public cloud comparison: Which cloud is best for the enterprise?

AWS and Microsoft data centres: Will data be kept in UK?

Unsurprisingly, much of the discussion since has centred around the ability of the respective companies to keep sensitive corporate and personal data on these shores.

Microsoft was keen to highlight the data residency benefits for customers in the UK. Speaking to the BBC about the UK plans, Microsoft's executive VP for cloud, Scott Guthrie, promised that its cloud customer data "will never leave the UK, and will be governed by all of the local regulations and laws".

And both AWS and Microsoft's plans were given further credence with strong backing from senior public sector officials: government chief technology officer, Liam Maxwell, and Ministry of Defence CIO, Mike Stone, who said the department is planning to become a customer of the Redmond firm's cloud services.

However, the situation is complex. Microsoft's court wrangling with the US authorities - which are demanding emails held on servers at its Irish data centre be handed over - has shown the cloud provider's willingness to push back against such attempts. But it also highlights the intentions of the US government to access data held by companies which are headquartered within its shores.

While AWS and Microsoft’s data centre plans are “intended to be a defence against legal attempts to compel access to data in foreign data centres”, according to Forrester Research analyst Paul Miller, the announcements will not “will not completely remove the risk” that a foreign government can attain information held on domestic servers.

AWS and Microsoft cloud data centres: Who can access corporate data?

This is only part of the problem businesses face in keeping data secure, and privacy is the “bigger issue”, says Miller. As Edward Snowden has shown, the ability of security agencies such as NSA and GCHQ to access data means that privacy is a much wider concern and cannot be resolved with regional data centres.

According to Quocirca analyst, Clive Longbottom, the recently resurrected ‘Snoopers’ Charter’ - is evidence of this, and cloud customers should still be considering who can access information.

“Data sovereignty and data security against governments is a complete moot point when you look at what our government is trying to push through at the moment,” he commented.

“This essentially says that vendors must allow access to any data at any time to the government, and must even provide backdoors which they are not allowed to reveal even in a court of law. It is open hunting season really.” See also: Draft Investigatory Powers Bill: What you need to know

Furthermore, from a technical perspective it is very difficult for a cloud provider to ensure that information stays within one region.

“It is absolutely impossible [to guarantee cloud data will reside in one place,” says Longbottom, “and all the cloud vendors are being very lax about how they are messaging this.”

He adds: “The only way that you can do it is to say 'yes, we will set up completely individual pipes between the data and every single access device that touches that data and we will make sure that that no caching is used, we will make sure that anything is flushed as the session ends. And the cost would be too high and the performance would be too low.”

How concerned should businesses be?

So with all the fears around data snooping, how concerned should businesses really be about moving information into the cloud?

Forrester’s Miller says that “only a relatively small proportion of cloud-based workloads really face significant data protection and data residency issues”, and for those, the creation of UK data centres “will be a comfort”.

He adds that, while there are legitimate concerns around America’s potential ability to demand information from UK servers, “it's only a small risk, and it would be unwise to get too hung up on it”.

For the most part, the UK data centres will address real legal barriers to transferring data overseas, and make life easier for customers who simply think they cannot or should not transfer data to other countries, he says.

And, aside from the cost and flexibility advantages of public clouds, entrusting business data to the likes of Microsoft and AWS has its benefits over on-premise data centres with regards to security.

“People are still server-huggers,” says Quocirca’s Longbottom, “they believe the only way to have total security of information, applications and, hardware, is to own it all and to be able to take the CEO down the server and say ‘this is where we keep everything’.

This is a “dangerous perception” because the chances of securing information within an on-premise data centre “are far less than the likes of Microsoft or AWS which employ hundreds of people who are working on security”.

How can corporate data be protected?

Ultimately it is difficult to ensure that any data travelling over public networks can ever be totally secure. And even those holding data in private data centres are subject to disclosure warrants. But for the vast majority of data stored by businesses this is not likely to be an issue.

According to Longbottom, the best way for any organisation to ensure data is safe is to improve security practices, such as through encryption and redacting sensitive information so that it cannot be read by anyone breaking into a network.

“It is about looking at how you deal with the data, not where the data is,” he says. “If you can take an information-centric approach to security you no longer have to worry about where that information is, because if a person shouldn't have access to it they will not have access to it."

He adds: “If all you are worried about is whether this is in Birmingham UK or Birmingham Alabama, if someone manages to break through and get hold of that data it makes no odds where it was in the first place."


Copyright © 2015 IDG Communications, Inc.

9 steps to lock down corporate browsers