6 October 2013

We're half way there

In 2008, I was invited by my academic colleagues at the Information Security Group, Royal Holloway University of London to speak to a gathering of alumni from our information security graduate degree programme. Having provided 10 years' worth of lectures about the application of the law to the Internet, the challenge was to summarise where I thought we were "now" (in 2008). My lecture presented this conclusion: "The Cyberspace Frontier is Closed".

One of the core themes I presented that day was the idea of a "de-globalising" Internet in which geographic borders are being enforced with increasing regularity. When I say that borders are "enforced" I'm not just talking about direct enforcement by sovereign states. I'm just as much referring to the process of border delineation and enforcement by private parties who find it in their own best interests to shape content or condition access based upon end user geolocation.

It may not have been in that lecture, but about that time I made the following claims about the development path of so-called cloud services:

  1. Due to regulatory and commercial pressures, the geolocation of cloud service offerings will continue to increase in importance.
  2. As customers begin to understand regulatory and commercial pressures, they will increasingly demand that their cloud service providers geographically segregate data and infrastructure, and the ability to exercise control over same.
  3. Customers will increasingly demand this geolocation assurance in service level agreements.
  4. PREDICTION: Any major cloud service provider must be able to provide such assurances within 10 years or they will be out of business (2008+10 = 2018).
When I made this prediction, I was prompted generally by many factors. These include the resurgence of the sovereign state within the international system as a reflection of differing social and community standards (including language differences), as well as the continuing desire of multinational businesses to segment marketplaces. I was not really thinking (too much) about the impact of sovereign state intelligence gathering activity, and I had no idea that a guy hiding out at an international airport would shine a light on practices that also caused people to stop and think about "where" their cloud is located. But they are (in my opinion) all a part of the same meta-trend.

So, it's 2013. We're half way to 2018. How do people feel now about my prediction from 2008? Will it remain possible for cloud service providers to remain truly global and "borderless" in nature? Or will they (as I predicted five years ago) increasingly be forced into a business model that demonstrates that location of, and control over, data is limited by geography?