Following the dissolution of the Safe Harbor pact in October, US companies are increasingly investing in foreign data centers. Both firms and consumers should be wary of this trend. For consumers, the perceived benefits may be an illusion. For firms, the use of these centers may expose their organizations to new and unforeseen threats.
US companies have actually been shifting data centers abroad for several years. In an attempt to appease European customers’ fears of government spying following the Edward Snowden leaks, US companies have been aggressively adding foreign data centers since 2013. Amazon opened three data centers out of Frankfurt last year, and in February Apple announced plans to invest nearly $2 billion in two data centers located in Ireland and Denmark.
However, the establishment of foreign data centers adds distance only, not protection, to customers’ private information. Under the provisions of the Stored Communications Act of 1986, private information stored by US companies at facilities in foreign nations is subject to the reach of warrants issued by US courts. This is the case in over sixty countries – including every country in the European Union – with whom the US has signed mutual legal assistance treaties (MLAT).
In response to a case currently under review regarding its refusal to release a US citizen’s private information stored on a server in Ireland, Microsoft has adopted a new strategy, which adds another layer of legal protection to customers’ private information. In November, Microsoft announced that it would allow foreign customers to hold data in European facilities under the “trusteeship” of Deutsche Telekom, a German telecommunications group. The arrangement has not yet withstood a challenge in court, and so despite assurances from Microsoft’s legal team, the solution is not considered airtight. However, if proven effective, this form of evasion could emerge as an example for other major US technology firms seeking relief from the negative optics of domestic data centers.
Already, other major cloud providers are looking overseas. Amazon announced plans to open a new region in South Korea this November. This October, Microsoft opened three new cloud facilities in India. Google has data centers in Germany, Russia, Brazil and China among other (predominantly European) countries, and is focusing its data center expansion strategy overseas.
While opening foreign data centers offers the positive optic of separation from US oversight, it elevates the prospect of other risks. US security agencies face fewer legal constraints when conducting operations involving foreign data centers. In addition, foreign data centers are more vulnerable to ubiquitous risks, such as natural disasters, malicious actors, insider threats, and critical infrastructure failure. The growing number of colocation centers do not have the same degree of funding or support systems as major public cloud providers like Google, Microsoft, and Amazon, and are at particular risk of a physical breach from other tenants. Visibility, rapid attack identification, and fast, accurate and automated containment are all current security shortfalls in dynamic modern data centers. All of these factors are exacerbated outside the cocoon of first world infrastructure and privacy legislation.
The risk differential between the US and European Union countries in these categories is not dramatic. Germany, especially, has strong critical infrastructure and more stringent privacy controls than the US. However, the security delta between the US and other growth areas for data center expansion is much greater.
According to the Data Centre Risk Index, every surveyed country but six outside of North America and Western Europe was classified as high risk. The index accounts for factors such as energy, bandwidth, political stability, and natural disasters, among others. In particular, state-sponsored cyberattacks, such as the APT30 attack identified this April, have focused on companies and systems with regional interest in the Asia–Pacific. Moving data centers to regions, like Southeast Asia, with a large number of US Trade Representative watch-listed countries presents an added layer of risk, especially when adopting a “trusteeship” model like the one being piloted by Microsoft and Deutsche Telekom.
Considering these factors, firms and consumers are probably better off using data centers in the US. But, if expanding abroad, there are three precautions – applicable across a wide spectrum of data center types – available to firms and consumers to minimize problems:
- Institute more sophisticated encryption tools. Consumers are already asking for more and better encryption tools. According to a 2015 SANS survey, “the top types of attack vectors concerning most enterprises are access management flaws, application vulnerabilities, malware, advanced multistage attacks and poor security habits of employees.” Encryption mitigates the risks from all of these vectors by limiting the value of poached data.
- Adapt traditional security controls to cloud service infrastructure. Security controls are lagging behind massive changes to computing infrastructures through the addition of more dynamic data center processes and the expansion to clouds.
- Address insider threats. Cloud providers are especially vulnerable to insider threats because of the diversity of functions they are required to serve, including management of all hardware, physical security, network functions, and storage infrastructure.