Snowden fallout: Brazil calls for local cloud storage

Byron Acohido | USA TODAY

SEATTLE – In the wake of Edward Snowden's revelations of NSA spying, Brazil is now considering enacting laws to require in-country storage of any data generated by Brazilian citizens and companies.

The calls come as the European Union deliberates new data protection regulations to further restrict the transfer of personal data of EU citizens to any country that lacks adequate data protection safeguards, unless approved by the citizen's member state.

CyberTruth video: Tech execs ask Obama to save cloud computing

Jay Chaudhry, founder and CEO of cloud-security company Zscaler, has a strong perspective on these developments. Zscaler has a big stake in the outcome; it's global customers depend upon the cybersecurity vendor for Web and mobile device security and bandwidth control. CyberTruth asked Chaudhry to connect a few dots:

CT: Assuming Brazil follows through with new data storage laws, how do you see the giant U.S. cloud players reacting?

Chaudhry: If consumer-centric cloud services, such as Google and Facebook, decide not to create a local presence, a user from Brazil will still consume its free services, no matter where the data center is located. Unless the Brazilian government chooses to block access to these services to public outcry, all they can do is tell its citizens "don't go to Google or Facebook."

Business-to-business cloud providers, such as Microsoft and Salesforce, will have to determine if the benefits of establishing a data center in Brazil outweigh its costs. You can see this in other markets.

Microsoft has already launched Office 365 in major markets around the globe with localized data centers; its European customers access its data center through Dublin, Ireland. Zscaler has also designed its architecture so that its logs can be stored in multiple locations; its European customers have their logs stored in Europe.

CT: How might stricter European and Brazilian laws requiring local storage of cloud data impact their respective business models?

Chaudhry: For consumer-facing cloud services, such as Facebook and Google, the delivery of the service is free and the goal of the business is to monetize information by driving a default level of privacy to the lowest common denominator. Monetizing this shared information through advertising is actually the greater priority than trust for services such as Facebook and Google.

Therefore, this sort of legislation would provide an incentive to develop a global presence for its cloud infrastructure. Already, Microsoft has invested in establishing local data centers in Europe to guarantees the data of its European customers will remain local; while Google has not. As a result, Microsoft leverages this as a competitive differentiator in marketing against Google's attack on Microsoft Office 365.

Cloud services are here, growing and are not going away. Privacy, as a cloud issue, is critical, but it is also prioritized differently depending on the service being delivered. Business-to-business cloud services, such as Microsoft 365, Salesforce and Zscaler have both a paid agreement and an incentive between the client and the provider that privacy and security will be provided as a top priority. Maintaining the trust of the customer is job number one.

CT: If Brazil follows through what would that mean for big U.S. companies that want to do business in Brazil?

Chaudhry: In this highly intra-connected world, a Fortune 1000 company has thousands of employees in dozens of countries around the world. It's inevitable for its business data to flow from country to country in the process of securing and streamlining business processes.

The notion of trying to keep the data of a Fortune 1000 company in Brazil without disseminating it into other divisions and departments is preposterous; it would be extremely time-consuming and expensive if not wholly impossible to achieve.

CT: Could Brazil spur Europe to tighten down on cloud computing, and other regions to follow suit?

Chaudhry: Actually, Brazil is only the latest country to follow trends started in Europe. The EU is currently in the process of trying to re-evaluate and update its stance on these issues in light of the NSA revelations. Back in 2009, this very issue was assumed to have caused a major Gmail outage in Europe when Google updated its software to comply with geographic requirements, causing cascading failures.

However, while Europe most certainly holds clout in how providers deliver services, countries of less size and GDP must also consider the potential business impact and local outcry if a large cloud provider would simply refuse to comply in these countries.

CT: How likely is it that this could play out? Isn't this just saber rattling?

Chaudhry: At some level it is saber rattling and on another level it is just the pendulum swinging. Regulations will tighten and loosen based on the political and business climate – and at times swing wildly with major events.

This will complicate the delivery and consumption of services but also provide opportunity. It will provide the chance for competitive shifts and new innovations, both of which will be a forcing function for providers and a surge in benefit for customers. Just as the cloud provides agility in how we run our live and businesses, providers need to be agile in serving the needs of customers, and watchful of the whims of politicians.

CT: Anything else?

Chaudhry: We are in a time of great transformation when it comes to how businesses think of, build and manage their networks – and how employees need and want to access them. At every layer, more and more software and services are being abstracted from the infrastructures that carry them.