Cloud vs On-Premise – Article 2
What are the relative governance risks of cloud vs onsite IT systems?
This is the second of six articles that analyse the risk around cloud and on-premises systems. As I stated in the first article, my view is that the caution many people adopt when ‘going cloud’ should be applied as much to on-premises systems to obtain the best risk profile for a business’ information systems.
In the first article I stated that we could break down the issues into four main categories: governance, confidentiality, data security and resilience. In this article we discuss the first of these – governance.
As I wrote in the first article, we can break governance issues into data sovereignty and governing jurisdiction.
As discussed above, data sovereignty relates to the location of data. The location of data is important as different countries prescribe different legal protections to data stored in them. Protections vary widely from country to country. Also, sovereign data protection may only extend to the citizens of a country. For example, data owned by foreigners and stored in the US may not be subject to the constitutional protections afforded to US citizens’ data.
Cloud services may store data across many countries. As cloud services usually store multiple copies of customer data (for resilience), it’s possible that information stored with a cloud service could fall under multiple widely-varying data legislation. Google, for example, stores its Google Workspace data in 18 different countries across the world, from the USA to Finland to Indonesia.
Ideally we would want our data stored in Australia so that it falls under the protections of Australian law which, although many not the most protective regime, at least is well-known and understood.
So, we will assess data sovereignty by asking the question: ‘Can my data be stored exclusively in Australia?’
Governing jurisdictional issues arise as most cloud service providers are based outside of Australia and usually require their customers to agree to have their agreements governed under foreign, predominantly US, laws. For Australians this raises a convenience and cost issue as any dispute needs to be litigated overseas. It also subjects agreements to foreign laws that may not contain the same level of consumer protection as Australian law.
Data sovereignty and governing jurisdiction are clearly not issues in an on-premises environment. Data on premises is stored in Australia. For firms that outsource their IT support, they do so with local firms and these agreements are governed under Australian law.
In contrast, these issues do arise with cloud services, particularly so with consumer services, such as Dropbox. The consumer Dropbox, according to its terms of service, stores its data ‘around the world’, giving a user no control over where their data resides. Dropbox’s business offering is better, allowing file storage to be limited to Australia, but file metadata and other products, such as its ‘Paper’ product, remain located in the US.
Google’s Workspace business offering gives no option to nominate where data is to reside. A Workspace subscriber must accept that their data will reside in any of the 18 locations where Google has data centres.
Microsoft 365 allows its customers to specify that all data, including email, file storage, SharePoint and Teams data, be located in Australia.
All of the cloud services reviewed contain jurisdictional clauses that govern agreements under US law. It is worth noting that some other providers, such as Xero for example, have their terms of service governed by Australian law.
Table 1 Governance
(Location of data)
|Dropbox||‘All around the world’||USA|
|Dropbox Business||File data in Australia, metadata and ‘Paper’ data in the US||USA|
Clearly the on-premises solution wins out in this category. Data sitting in a business’ office will be located in and governed by the jurisdiction the business is most comfortable with. The big cloud providers are all based in the US so while some, such as Microsoft, allow for location of data in Australia, terms are still governed by US Law.
On-premises wins this round.
In the next article we discuss confidentiality.
For more information and expert advice, ask to speak to Mark Ferraretto at Ezra Legal on (08) 8231 6100 or email firstname.lastname@example.org
For information and articles on the range of IT and data privacy advice and services that we provide, head to:
- Ezra Legal – Information Technology & Data Privacy
- Ezra Legal – The Risks of Cloud Based Document Delivery Services in Commercial Law and Contractual Performance
Solicitor – Information Technology & Data Privacy