Google’s Chief Security Officer (yes, companies now have a CIO and a CSO), Eran Feigenbaum, stirred a debate recently when he questioned the obsession of the US (and other governments) with data sovereignty in outsourced environments. He is quoted as saying: “It is an old way of thinking. Professionals should worry about security and privacy of data, rather than where it is stored.”
What do you think? Should it matter *where* data is stored (or for that matter where the pipes carrying it happen to be)? Assuming a cloud provider meets what it promises in its SLA (availability, persistence, proper authentication/encryption, etc.), can you think of vulnerabilities that necessitate that data reside on “American Soil”?
The other interesting statement by Google’s CSO regards the need for encryption of data at rest (i.e., on disk as opposed to end-to-end through an application): “It is a false sense of security. Crypto people do a good job at cryptography, but a really bad job at key management.”