Posted by Matthew Newton, operations director at Legal Futures Associate Oosha
One subject I am regularly asked about by our legal clients is whether they should use US-owned ‘public’ or ‘shared’ cloud platforms such as Microsoft’s Office 365 and Azure or Amazon’s AWS.
Usually the questioner is actually asking three questions in one: Am I allowed to use these platforms from a compliance point of view? Is it the best way to access cloud services? And finally, is it the most cost-effective way of accessing cloud?
With the recent announcement in the national press that Microsoft’s new UK data centres are up and running, I thought I’d revisit this subject and reaffirm my clearly defined position on this subject.
So here goes. My answer to these questions in most situations is an unequivocal… Err, maybe, errr, it depends on you really!
What? Not clear enough for you?
Okay, so the fact of the matter is that the aforementioned platforms are absolutely fantastic tools for delivering key services as part of a well thought out IT solution.
Even as one of the few IT providers in the UK with the ability to provide services via our own privately held data centres and private internet network, we still build Office 365 and Azure into many of our solutions. We are in particular huge fans of using Azure as a platform to provide the business continuity element of certain solutions – its pricing model of only charging for cloud servers whilst in use lends itself perfectly to back-up servers that only fire up in the event of a disaster.
However, we rarely integrate these platforms into the solutions we provide to our legal, financial and other clients with data protection considerations at the heart of their policies.
One of the main reasons for this is that, even though Microsoft’s announcement settles the question of data residing outside the UK, there is still a great deal of debate and confusion. The uncertainty centres on whether US law gives governmental agencies the ability, or the right, to access data even though it is held in Microsoft’s cloud platform on UK soil.
It has long been held that the Patriot Act (actually a collection of amendments to US law) hands US agencies the ability to access data held on server infrastructure owned by any US-registered company, even if that infrastructure resides outside US borders. For much of recent years this has made public and private organisations reluctant to store confidential data within these shared US-owned clouds.
So is this still the case? Has there been any change in the law?
A recent ruling by a US judge blocked a US enforcement agency from accessing data on a shared cloud platform. Proponents of these platforms held this up as proof that such data is secure as a matter of fact. However, it is just one ruling that goes against the previous pattern, and it is itself currently being appealed.
The truth is that whilst the Patriot Act exists in its various forms, there will always be questions to ask about data security. This uncertainty will shift with the political landscape in the US – if pressures on national security sway public opinion and the US judiciary, or more conservative voices are given power (Donald Trump, anyone?), the laws may yet give governmental agencies that access.
It is for this reason that, whilst certain UK public sector organisations and governmental departments have stated their desire to use Microsoft’s new UK data centre, it will only be for non-sensitive data. Classified or sensitive data will remain within UK-owned facilities.
From a compliance point of view, the various regulatory authorities such as the Solicitors Regulation Authority or Financial Conduct Authority simply require data to remain in the EU. Their stance on the use of shared cloud platforms is that it is the individual choice of each firm.
Each firm has to decide whether its clients are happy for their data to be held on US-owned infrastructure, and therefore potentially subject to the Patriot Act as interpreted at that time – an interpretation whose details may be unknown to the client.
For smaller firms, or firms undertaking quite focused activities (within the legal sector, conveyancing only, for example), all this may seem somewhat irrelevant and the potential effect of US law non-existent.
However, for other firms undertaking a myriad of different activities for both personal and corporate clients, it is difficult to assess what the implications are without polling every client to ask what their position is and whether they object to their data being stored in these locations.
Even then, if a firm was certain that all current clients were okay with the use of these ‘public’ or ‘shared’ platforms, who knows what the next potential big client will think? A potential client with international business interests may prefer the reassurance that only UK law will affect them and their data security rights.
So returning to my earlier answer that ‘maybe’ you should or shouldn’t use US-owned shared cloud platforms, I can now expand on it and say it’s up to each individual firm, and how they believe their current and future clients would prefer them to act.
From our point of view, we feel that for the vast majority of our legal and finance customers the answer is that there is very little to gain from using US-owned cloud platforms, so why risk it?
From a resilience point of view, the huge investment made in Microsoft and Amazon’s infrastructure should mean that uptime is as close to guaranteed as possible. However, other UK-owned cloud providers with Tier 3 or Tier 4 rated data centres also have fantastic uptime stats.
We at Oosha, for example, had 100% uptime in 2015, as I’m sure did many of our competitors.
From a support and performance point of view, we have complete control over our cloud platform: it operates across our own network of data centres and is served by our own internet network, which uses infrastructure installed and maintained by multiple carriers for resilience.
With the US-owned shared platforms, we and other solution providers have to go through web-based support teams to get answers to support questions about the services our clients use. This is a process that can frustrate clients who want an immediate, simple answer to a performance-related issue.
And from a cost point of view, we are finding that for core solutions or ‘production environment’ solutions, cost savings are either negligible or non-existent. Only for services that operate in certain circumstances – such as back-up, disaster recovery or business continuity – can significant savings be made, due to pricing models that are based on usage.
So once again, although my answer to the question of using Microsoft 365 and Azure or AWS is deliberately vague and immediately puts the emphasis back on to the clients, I do think there is very little clear benefit in using them – so why risk it? But ultimately, the decision is yours.