Indeed, some companies have reacted to the above concerns and are already asking for written assurance that their data be stored outside the US. These include a Canadian pharmaceutical company, a government agency and a UK grocery chain according to Rook Consulting, an Indiana-based security-consulting firm responsible for managing the segmentation to keep the data out of the US.
More generally there is concern about the non-deterministic nature of Internet and Ethernet traffic and the resulting risk of using public, or even certain private, cloud services. If the data you are processing in the cloud happens to be diverted via another country with different standards of privacy legislation then nobody need be the wiser - unless it turns out that some of that data has been "leaked" to a foreign intelligence service or criminal gang and your customers, or their government, make a claim against you for not protecting the privacy of their data.
This problem is not new, what is new is the scale and scope of the problem. If a single large carrier, such as my own company, Tata Communications, is carrying all your data, then it will most likely have mechanisms across its network to define Classes of Service (CoS) for different classes of data and so be able to enforce suitable levels of protection and privacy, and that includes restricting traffic to specific routes across the network. Note that these requirements can be quite complex: for example the customer who expresses a strong preference for the way data is routed under normal operating conditions, but recognises that, when the going gets tough, it is more important to ensure certain data's arrival than the how it gets there, while other 'sensitive' data would be better lost than take a dangerous route.
But what would be much more problematic would be to extend this level of control across two or more service provider networks. We do not yet have common global standards for end-to-end privacy and security and certainly not in such detail. Whether the networks are linked to extend coverage, or run in parallel to provide redundancy, the providers who are probably using different technologies do not yet have common standards to ensure consistent protection.
Is SDN the answer?
SDN could play an important role in resolving these issues. SDN provides a distinct control layer and a central controller that would enable packets containing different types of data to be forwarded according to specific rules - such as not crossing international boundaries, or being restricted to preferred routes unless specific situations arise.
This looks like the complete answer, until you dig a bit deeper. Firstly it would add a massive computational burden to the control system. Once we start routing traffic according to the content of each packet in the already dynamic SDN network environment, then we are taking the technology way beyond anything currently possible. Then consider what happens when you route data between providers: Tata would not want its SDN to be subject to a Verizon controller, nor vice versa, so we would need a very complex handshake agreement between the two networks to maintain consistent service.
Sign up for CIO Asia eNewsletters.