Data Protection In The Cloud: The Facade Of Vendor Trust Is Crumbling
Many non-US organizations operate under privacy regulations that require that customer data remain within their countries or jurisdictions. In response, US cloud providers build data centers and host their applications inside countries that they're selling their solutions to.
However, all this is nothing but theater. These requirements are far more useful as a local jobs program rather than as an effective privacy practice. I've warned about this before: Any US vendor is going to be handing over data under a US subpoena, and most certainly under a National Security Letter. It doesn't matter if it resides in a data center on US soil, in the EU, or even in outer space.
So it's refreshing to see a vendor openly admit this, as Microsoft has.
Maybe now that we're all starting to be honest with each other this issue will gain some traction, and vendors will begin to incorporate some real data protection measures into our cloud environments, such as encrypting the data in such a way where only customers – not the cloud providers – have the keys. I suspect we'll start to see such requirements begin to show up in a lot of RFPs.