Dealing with international cloud security

A blog post by David Linthicum, managing director, chief cloud strategy officer, Deloitte Consulting LLP

Cloud computing is not just about dealing with systems in a single country hosted by a single cloud computing service. It’s about many distributed systems residing on public clouds that must be managed as if they were clustered together.

Security is a primary challenge for the inter-country use of cloud computing. Each country has different laws and restrictions, including codes that govern the use of data, such as General Data Protection Regulation (GDPR) or Health Insurance Portability and Accountability Act (HIPAA), as well as restrictions on the types of technology that can be leveraged.

Take encryption, for instance: “The Bureau of Industry and Security (BIS) significantly changed the Information Security section of the Commerce Control List (Category 5 Part II) in August 2017 as a result of the 2016 Wassenaar Arrangement decision to rewrite certain export Commodity Control Numbers (ECCNs). ”The plain english version of this means that people should be careful where we use certain types of encryption technology. In some places outside of the United States, it will be considered illegal.2

That’s just one example of hundreds of security issues to consider when doing cloud security across borders. Three key issues include identity services that span countries, leading practices in authentication approaches and technologies that don’t violate country-specific laws, and finally the ability of the cloud provider itself to operate within a specific country.

So, how should you approach these challenges?

First, understanding the legal issues for each country where you plan to or already deploy cloud computing is critical. This typically means working with your public cloud provider to figure out what can be done to provide security, and issues that you need to consider.

For example, the handling of personally identifiable information (PII) data varies greatly across borders. From GDPR in Europe, to the new Australian privacy laws, they all must be factored into the legal use of PII data in the countries where the data originates or may reside.

Second, what are the differences in security technology allowed in one country vs. another country? As with the encryption example above, you’ll need to understand that all technology, including security technology, may not be exportable.

The use of the public cloud brings a twist to this issue considering that the technology may actually be hosted in the United States, and the data just transmitted to another country. The bottom line is that the legal issues are still being figured out, and many of the laws are vague and may be left to interpretation.

Finally, there should be a comprehensive plan. There is a lot of progress in providing more effective ways to create systems that span the world. However, the complexities of local laws and customs means that this problem should be approached methodically, and with purpose.

¹ https://www.gamespot.com/forums/system-wars-314159282/update-china-is-2-country-for-gta-v-pc-sales-valve-31982674/
² https://www.learnexportcompliance.com/webinar/encryption-export-controls-2017-update/