Multiple Perspectives on Security

Security Journal


Security Journal Authors: Elizabeth White, Yeshim Deniz, Pat Romanski, Maria C. Horton, Liz McMillan

Related Topics: Cloud Computing, Security Journal

Blog Post

You Don’t Have to Be a Tech Giant to Navigate the End of Safe Harbor By @ttul | @CloudExpo #Cloud

A sovereign cloud strategy mitigates privacy restrictions that prevent Europeans from using services

For the last 15 years, companies operating in the United States and Europe have benefited from Safe Harbor - a streamlined process that allowed U.S. companies to transfer and store European citizens' data in the U.S., provided they adhered to a level of privacy protection set out in European standards. Recently, however, an Irish court has ruled, in a case brought by an Austrian citizen concerned about how Facebook was handling his private data, that the Safe Harbor agreement is inconsistent with European privacy law, as it did not require all organizations entitled to work with EU privacy-related data to comply with it. The court's decision means Ireland's Data Privacy Commissioner must review the merits of the case and make a final determination about whether Facebook is allowed to transfer private data from its European users to the United States. In the meantime, companies that had relied on the Safe Harbor process can no longer do so. In today's data-centric business world, the ruling comes as a blow to thousands of companies operating at global scale that are now faced with navigating new, complicated individual standards across multiple regions.

Tech giants like Microsoft, Google, Amazon and Netflix have assured customers that the ruling won't impact their ability to continue to provide services as usual. However, the same isn't necessarily the case for smaller players that have relied on Safe Harbor to grow their business and cultivate an international customer base. In fact, The Internet Association, an alliance made up of some of the biggest names in tech, stated that while large enterprises have put the proper mechanisms in place to prepare for any end of Safe Harbor, "smaller companies and consumers" across both continents could "experience significant challenges going forward."

Now the question for these smaller companies is, "How do we continue to operate globally and comply with more than 20 disparate standards, when we lack the ability to allocate the same level of time and resources that large companies have?" One potential solution companies may initially consider is coding - having programmers rewrite code to treat users differently based on IP address in order to meet compliance standards by region. While it would address the individual need to meet privacy standards specific to each nation-state, the solution stands to cost tremendous amounts of time, money, and mental energy.

Novatrend, a Swiss-based web-hosting company, is subject to strict privacy compliance laws due to its location. Swiss data privacy law makes it difficult for Swiss companies to outsource data processing to foreign-operated services. In 2014, Novatrend was looking for a service provider to handle its outgoing email delivery (small providers often outsource email delivery because it's a challenging service to offer in-house). But Swiss data privacy law prevented Novatrend from sending its clients' email outside of Switzerland for processing. This situation is similar to the one many service providers will now encounter with the end of Safe Harbor. Novatrend initially contemplated outsourcing email delivery to Canada-based MailChannels; however, the physical location of MailChannels' email processing infrastructure in the United States presented a problem.

To solve the problem, MailChannels set up a small "sovereign cloud" of email processing servers within Novatrend's own data center in Switzerland. With this small change, Novatrend was able to send its email through the sovereign cloud within its own data center, where it is processed using MailChannels' proprietary email delivery and anti-spam technology. As a result, Novatrend now gets the exact same benefits it would get if the data were being processed in the United States, while maintaining its adherence to Swiss data privacy laws, since the email data is kept within Switzerland while being processed.

Many non-European cloud application providers and Software-as-a-Service (SaaS) providers should probably consider a sovereign cloud strategy as a way of mitigating privacy restrictions that prevent Europeans from using their services. They may not have to move everything to Europe, maybe just a small part - the part of an operation that actually stores and processes European citizens' data. For many applications, that means just moving a database to Europe, but keeping the command and control aspect hosted in their country of origin. The sovereign cloud approach enables providers to continue operating globally without heavy infrastructure investments, while reducing the potential of violating privacy laws with the end of Safe Harbor - and any other changes in privacy coming down the pipe.

More Stories By Ken Simpson

Ken Simpson is the co-founder and CEO of MailChannels, the world’s foremost provider of outbound anti-spam and email delivery technology. He also runs the botnet and web abuse sub-committees at the Messaging Anti-Abuse Working Group (MAAWG).
