In July 2009 I wrote an article entitled Cloud Computing Providers — are they content providers or carriers? and in January of 2011 Chuck Hollis wrote an article Verizon To Acquire Terremark — You Shouldn’t Be Surprised. Now with the Terremark acquisition almost complete and RSA Conference 2011 also over, at which I talked to Terremark about the benefits of belonging to Verizon, a picture is starting to emerge. Yes, my predictions in 2009 make sense and still hold forth today, but is there more of an impact than we realize?Verizon buys Terremark but they are not the largest Cloud Provider around, at least not yet, that belongs to Amazon. However, Amazon is a public cloud player and their acceptable use policy tries to protect them from the legal issues from which Terremark is now protected. Is Amazon really a Carrier? Could this same protection be granted to clouds like Microsoft Azure?
So what is Carrier Status and how does it protect the phone companies? From http://en.wikipedia.org/wiki/Common_carrier we retrieve the following usable definition of a Carrier.
A common carrier in common-law countries (corresponding to a public carrier in civil-law systems, usually called simply a carrier) is a person or company that transports goods or people for any person or company and that is responsible for any possible loss of the goods during transport. A common carrier offers its services to the general public under license or authority provided by a regulatory body. The regulatory body has usually been granted “ministerial authority” by the legislation which created it.
Does this apply to Terremark, Amazon, Azure, and all the other VMware vCloud players? So first, we need to decide if there is a regulatory body concerned with clouds? I personally do not know of one. Within the US the Communications Act of 1934, the Telecommunications Act of 1996, and the statutes in between do not grant the Federal Communications Commission (FCC) the authority to regulate cloud computing. However, these acts and statutes do regulate telephone companies and this includes wireless telephone companies. Granted, the FCC is making moves to regulate the cloud, but until legislation exists, it will be difficult for any cloud to be considered a Carrier unless other avenues exist.
It it important for the cloud providers to be regulated? I believe so. But who will be the regulatory body for a concept that spans the globe. Not just the the US FCC. Perhaps some international body? But then we still run into jurisdictional issues. Ultimately, the conversation is around who ‘owns’ the data, jurisdiction, and to where the breach can be tracked.
Was the breached tracked to a user (client, owner, etc.) of the data, the administrator who maintains the data for the tenant, or the cloud provider’s administrators or facilities. These are the three important identities of those that interact with the data. In the cloud, it is not the hardware, software, SaaS, PaaS, or IaaS, but the data that makes a difference, can we protect the data? With carrier status, unless the data breach is within the cloud facility or via the cloud administrators (whether by misconfiguration or malfeasance) , the data is just carried by the cloud and this level of protection is part of having carrier status.
But this means, and still has yet to be tested in the court of law, that the ultimate ownership of the data, whether entrusted to live within the cloud, depends entirely on what? The person who put the data in the cloud (in the case of an individual), the organization that ‘owns’ the data, or the regulatory body that tries to protect the data? Who is responsible for data protection? The answer is far from simple. We may say it is the owner of the data, but how is the owner of the data going to ensure that the cloud meets all regulatory requirements? CloudAudit.org goes a long way towards this but clouds may or may not make that data available to users of the cloud easily unless you end up paying for the right to see that data. But this is a chicken and the egg concept: The right to see the data generally means you need to be a cloud participant and pay for this right? Are exceptions made to do the research before joining a cloud and putting data within it?
So carrier status says a carrier cloud cannot be sanctioned for the data being transported over its wires. But the question still remains, how do I protect my data from changing jurisdictions, from the cloud administrators, or others with facility access? The cloud provides me with availability (in most cases), GRC, but how does it guarantee integrity and confidentiality?
There are technologies to help with jurisdictional issues but have not been implemented on a wide scale yet (TPM/TXT), but the other integrity and confidentiality issues have not been successfully solved, other than to TRUST the facility, the cloud administrators, and the cloud partners. How can I be sure of that TRUST?