“Is this turning into some sort of trade war?” I wondered over breakfast last July at our Catalyst conference. I’d just finished a conversation with a European client who said that he would only consider doing IT outsourcing with a company that had a European presence. He said that sending personal data overseas, even to a vendor enrolled in the US/EU Safe Harbor program, would require too many approvals within his organization.
Cross-border restrictions on personal data, or national security data, or other kinds of data are nothing new. But the issue has become more pressing with the growing use of cloud computing services that offer massive network, compute, and storage capacity allowing IT demand – ideally – to find the most cost-effective and value adding service anywhere in the world.
The same issue came up again in a dialogue with a Canadian client last month, whose security staff asked us whether it was legal for them to host employee data with a human resources outsourcing service based in the US. I’ll paraphrase my colleague Bob Blakley, who after giving the standard disclaimer that we can’t provide legal advice, said: “The guidance on the Canadian Privacy Commissioner web site indicates it would be legal in your situation, but makes it pretty clear that if something went wrong the office would be happy to pile on to the inevitable media criticism.”
This led to a further discussion of the facts of life and governments. In any country, law enforcement proceedings could lead to disclosure of commercial information; sometimes those proceedings are publicized, in other cases the authorities put a gag order on the investigation. When our client asked if there was a data haven somewhere, Bob replied: “Where would that be? A country without a functioning government? When the interests of a country are threatened, the government will go after the pertinent information.”
This reminded me that I’ve often felt the U.S. is singled out for criticism of its Patriot Act, which in some sense just acknowledges the unpleasant reality of what other governments would do anyway. I then asked Bob a rhetorical question:
“Do rising restrictions on cross-border data transfers mean the end of world trade?”
“No,” he answered, “But it means the end of trade in identity data.”
This changed at least my paradigm on the issue. We went on to talk about the architectural implications of growing restraints against onward data transfer. If organizations all over the world are to leverage IT services without border constraints, and if multi-national organizations are to function well, they must separate identity data from application silos. As another colleague Robin Wilton likes to say, they must treat identity data like toxic waste: minimize it, separate it, and manage it.
Service providers must do likewise. Cloud computing is sometimes called “the industrialization of IT” because it dramatically lengthens the IT services supply chain through division of labor and fulfillment of IT needs using the highest expertise at the lowest cost. But for this industrial dynamo to keep whirling at speed, it must throw off the chains of application identity silos.
At Gartner IT1 (formerly Burton Group) we’ve been writing for years about federated identity, loosely coupled service oriented architecture (SOA), and (more recently) runtime data aliasing and other technologies that can enable applications to leverage personal data or other sensitive information without having to store or even know the contents. Today, software as a service (SaaS) and other cloud offerings still house a YETA (yet another directory, or account database) but that could change. Already, many support Security Assertion Markup Language (SAML) and other capabilities to allow the customer, or other data owner, to keep identity and authentication functions under its control.
Cloud will be the forcing function for federation of identity.