One subject I am regularly asked about by our Legal and Finance clients is whether they should use US-owned “public” or “shared” cloud platforms such as Microsoft’s Office 365 and Azure or Amazon's AWS.
Usually the questioner is actually asking three questions in one: Am I allowed to use these platforms from a compliance point of view? Is it the best way to access cloud services? And finally, is it the most cost-effective way of accessing cloud?
With the recent announcement in the national press of Microsoft’s new UK data centres coming online, I thought I’d revisit this subject and reaffirm my clearly defined position on this subject.
So here goes…My answer to these questions in most situations is an unequivocal…Errr, maybe, errr, it depends on you really!
What? Not clear enough for you?
Okay, so the fact of the matter is that the aforementioned platforms are absolutely fantastic tools for delivering key services as part of a well thought out IT solution.
Even as one of the few IT providers in the UK with the ability to provide services via our own privately held data centres and private internet network, we still build Office 365 and Azure into many of our solutions. We are in particular huge fans of using Azure as a platform to provide the Business Continuity element of certain solutions - its pricing model of only charging for cloud servers while in use lends itself perfectly to backup servers that only fire up in the event of a disaster.
However, we rarely integrate these platforms into the solutions we provide to our Legal, Financial and other clients that have certain Data Protection considerations at the heart of their policies.
One of the main reasons for this is that even with the recent announcements that Microsoft’s UK data centres have gone online, thus negating the question of data residing outside of the UK, there is still a great deal of debate and confusion. The uncertainties focus on whether US law gives governmental agencies the ability/right to access data even though it is held in Microsoft’s cloud platform on UK soil.
It has long been held that the Patriot Act (actually a collection of amendments to US law) hands US agencies the ability to access data held on server infrastructure owned by any US-registered company – no matter if that infrastructure resides outside of US borders. For much of recent years this has meant a reluctance among public and private organisations to store confidential data within these shared, US-owned clouds.
So is this still the case? Has there been any change in the law?
A recent ruling by a US judge blocked a US enforcement agency from accessing data on a shared cloud platform. This was held up by proponents of these platforms as being proof that data is secure no matter what. However this is just one ruling that goes against previous patterns and which is itself currently being appealed.
The truth is that whilst the Patriot Act exists in its varied form, there will always be questions to ask on data security. This uncertainty will adjust with the political landscape in the US – if pressures on national security influence the public opinion and US judiciary, or more conservative voices are given power (Donald Trump, anyone?), the laws may potentially give access to governmental agencies.
It is for this reason that, whilst certain UK public sector organisations or governmental departments have stated their desire to use Microsoft’s new UK data centres, it will only be for non-sensitive data. Classified or sensitive data will remain within UK-owned facilities.
From a compliance point of view, the various regulatory authorities such as the SRA or FCA simply require data to remain in the EU. Their stance on the use of shared cloud platforms is that it is the individual choice of each firm.
Each firm has to decide if their clients are happy for their data to be held on US owned infrastructure and therefore potentially subject to the Patriot Act and its interpretation at that time.
For smaller firms or firms undertaking quite focused activities, such as conveyancing only within the legal sector, this all may seem somewhat irrelevant and the potential effect of US law non-existent.
However, for other firms undertaking a myriad of different activities for both personal and corporate clients, it is difficult to assess what the implications are without polling every client to ask what their position is and whether they mind their data being stored in these locations.
Even then, if a firm was certain that all current clients were okay with the use of these “public” or “shared” platforms, who knows what the next potential big client will think? A potential client with international business interests may prefer the reassurance that only UK law will affect them and their data security rights.
So returning to my earlier answer that “maybe” you should or shouldn’t use US owned shared cloud platforms…I can now expand on it and say it’s up to each individual firm, and how they believe their current and future clients would prefer them to act.
From our point of view, we feel for the vast majority of our legal and finance customers the answer is that there is very little to gain from using US owned cloud platforms, so why risk it?
From a resilience point of view, the huge investment made into Microsoft’s and Amazon’s infrastructure should mean that uptime is as close to guaranteed as possible. However, other UK-owned cloud providers with Tier 3 or Tier 4 rated data centres also have fantastic uptime stats.
For example, we had 100% uptime in 2015.
From a support and performance point of view, we have complete control over our cloud platform as it operates across our own network of data centres and is serviced by our own internet network that utilises infrastructure installed and maintained by multiple carriers for resilience.
With the US-owned shared platforms, we and other solution providers have to communicate via web-based support teams to get answers to support questions related to services used by our clients, a process that can frustrate clients when they are looking for an immediate, simple answer to a performance-related issue.
…and from a cost point of view, we are finding that for core solutions or “production environment” solutions, cost savings are either negligible or non-existent. Only for services that run only in certain circumstances, such as backup, disaster recovery or business continuity, can significant savings be made, due to pricing models that are based on usage.
So once again, although my answer to the question of using Microsoft 365 and Azure or AWS is deliberately vague and immediately puts the emphasis back on to the clients, I do think there is very little clear benefit in using them - so why risk it?
Ultimately, the decision is yours. No matter your preference, we would love to be a part of designing, implementing and supporting your new solution – wherever it is to be housed.
If you would like to discuss any topics discussed in this blog post or wish to find out more about the services we provide, please email firstname.lastname@example.org.