Cloud security

The Swedish Corona App, nothing for American clouds, or..?

A colleague came some time ago and said that the reporting around the Swedish Corona App questioned Amazon Web Services (AWS) as host. Not good for an AWS Partner. Based on what I read, some high-pitched screams in that direction existed. But what I found was at least one crucial misconception – storage, some discomfort about cloud, and eSam references of course.

My unscientific summary of what I read is that it is about costs, hasty decisions and a sense of urgency, possible disregard of the Swedish Public Procurement Act, privacy concerns due to storage of health data and eSam recommendations, the suitability of American cloud operators and, some implicit misconception and general discomfort about utilizing the cloud.

My intention is not to review the reporting in this blog post even though I will touch on some aspects related to the suitability of using American cloud providers below, as well. But I start with the storage confusion.

Cloud service does not equal cloud storage

Primarily I address an implicit assumption many outside our industry often make. That you always are forced to store your data in that cloud when you use a cloud service provider such as AWS, Microsoft Azure or Google. This is not true. Data can be stored in the cloud or somewhere else. All depends on the service you use or provide.

When reading the reporting I can see this misconception shines through. It is an implicit assumption we often meet in our customer dialogues as well. My guess is that this misconception comes from the frequent use of cloud based services in our daily life and the discussion about privacy.

Cloud storage optional for SaaS providers. Why not for customers?

When developing a SaaS (Software-as-a-Service) service in a cloud such as AWS, Microsoft Azure or Google Cloud you as a developer can choose where data shall be stored. In short it is a design decision. This opens up for a foresighted SaaS developer to give the customer a choice as well.

It provides an opportunity to differentiate the offerings and have different solutions for data storage as options for the customers. A do-or-die requirement in some industries where data and storage location is crucial. It can be a business blocker to lack this agility for customers in some industries.

In AWS there are several different services and solutions that can be used to provide this flexibility for both the SaaS provider and the customer.

The use of American cloud providers or not?

The other thing I want to comment on is the underlying concern about using AWS as a platform when they developed the Swedish Corona app (RIP?). When reading the reporting it seems like there are two concerns in relation to this.

  1. The fear that data shall be stored on US servers.
  2. The fact that AWS is an American company and therefore obeys to American laws.

Point 1: Mitigated by automatically enforcing Region Blocking to Sweden

It is possible for a SaaS provider utilizing AWS to explicitly limit both the storage and processing to specific regions by using region blocking rules that are applied automatically. In AWS it is possible to limit access to i.e. region Stockholm. And then it is guaranteed that no data or processing of data is performed outside Sweden.

Combining this with the storage differentiation discussed above makes a strong argument for the possibility to use an American cloud provider for sensitive data processing.

Point 2: Mitigated with strong arguments before selecting cloud provider

I have always been a strong advocate for using cloud services and I love the flexibility and freedom given by AWS. Now is that said. Again! When reading the reporting and the concern about using AWS it is clear that the eSam recommendation to public authorities about the risk to use cloud providers that is subject to foreign laws, come into play. The eSam recommendation is about law interpretation and as a non-lawyer I will not step into that area. But one thing is clear. At least for me.

Not everyone agrees with eSam and their recommendations. Both SKR and respected IT lawyers disagree with eSam about the strong guarantees needed for a swedish authority to use non-swedish cloud service providers. This disagreement will most likely end up in court sometime.

What to do?

It is hard to give general advice due to legal implications. But I think a good idea is to consider starting an investigation about the suitability of using large cloud providers for a selective set of data. And carefully document every step in the process up to a decision of which one to use. It is a better way to ask yourself if the cloud is suitable for you, instead of claiming that it is not, based upon fear.

What shall I think when discussing the suitability of cloud usage?

One way is to start reading my blog post where I argue why the question “Is The Cloud suitable for me?” is better than “Is The Cloud Secure?”. It is a  discussion of cloud security from a business benefit perspective –  https://tiqqe.com/is-the-cloud-secure/.

And then it might be of interest to evaluate if a Cloud First Strategy can be something for you. What I mean with a Cloud First Strategy (CFS) is available in my blog post – https://tiqqe.com/we-all-need-a-cfs-you-too. In the post, I argue that it is all about creating a cloud positive mindset.

Kennet Wahlberg

Leave a Reply

Your email address will not be published. Required fields are marked *