Lots of different countries have different takes, different requirements, different laws about what is, or is not acceptable with regards to all sorts of stuff. But especially with regards to the cloud, and the ownership, and management of data in the cloud. So, certainly, countries like the United States, the EU member states, geography in Europe, France, Great Britain, Switzerland, Germany. You know, some of these may or may not be members of the EU, but generically countries in Europe, Romania, right? A country that's obviously going to have a great impact on things that we're thinking about and talking about. China and the Asian-Pacific area. India, right? Big countries, small countries, every kind of country today is connected to the internet in some way, connected to the worldwide web. Their people, their citizens are using and consuming services. Companies like Microsoft, like Google, like Cisco, like Amazon are doing business in many of these regions, many of these geographies. And they are going to be having to deal with moving data back and forth, and be bound by the rules, and the concerns that these countries and these areas have. So, we got to think about this, because not every country sees this issue the same way. The ability to be able to use, and monitor, and consume data is considered differently around the world. So, we have to think about jurisdiction. We have to think about applicable law. These are important terms and concepts. Applicable law determines the legal regime applicable to certain matter. What is the applicable law, is the question I would want to know as a customer. What is the law that will pertain to me in that area? And then jurisdiction determines the ability of a national entity, a court or something, to decide a case, or enforce a judgment over this issue if it goes to trial. Applicable law is the idea that the laws of the land are going to be effectively in the way in which I'm going to be bound, in terms of being a customer and they're going to be in effect there, and have to be aware of that. So for instance, I'm going to give you a hypothetical with regards to cloud services. Let's say that as a customer, I'm sitting in the United States. I host with a data company, a data management company, a cloud company. I'm not going to name a company. I just host with a company, Company X. That company is a broad global company, has data centers in several locations around the world. I'm in the U.S. I do my business here. I'm an individual that lives here. I'm a citizen of the U.S. My data should be in the U.S. when I host with this company. It is, but I have not stipulated that my data should stay in the United States. This company has a policy that says if the customer doesn't stipulate, we can move their data to other locations geographically as performance, and fault tolerance, and high availability, and failover mechanisms may require, so that we can meet our service level obligations, to keep the network up and running, and give you access to your data 24/7, 365. Okay. I didn't know that, but you're going to do that. Shame on me. Caveat emptor. Buyer beware. And as a result of that, my data was in the U.S. but now all of a sudden, because of a network outage, my data is transferred and it's now sitting in Asia in the Asian data center that this company owns. Data center happens to be sitting in China. Okay. It's sitting in China. It could easily be in Vietnam. Could be in Indonesia. Could be and Japan. Happens to be in China. My data is now no longer subject to the laws of the United States. My data is now subject to the laws of China. If a Chinese government agency, or entity decides they want my data, and they have a law on their books that says we can come and take your data. All we have to have is this piece of paper that says we have the right to, and they show up at Company X's data center, and knock on the door and say, "We'd like Adam's data." Company X is going to have to comply if that's the law of the land, it's the applicable law. A court may decide, ultimately, who has jurisdiction. We may take that issue after they take my data and I may find out about it and I may say, "Hey. Wait a second. Hold on. That's not right." And they'll say, "No, we have the law on our side. It is right." And I'll say, "I don't think so." And they'll say, "Okay. Let's go to court and figure it out. Let's see who has jurisdiction." So, we'll go to a court and decide whether or not the law in China is actually the law that should govern that data. Now that court may be a court in China, because that's where the issue occurred and where the data has been effectively interdicted and is being held. I may not like that idea. I may want it to be a court outside. The court outside may not have jurisdiction. They may not have rights to try that case because China, as a country, may not recognize the fact that external courts have rights to tell them what to do. So, I may have to go to court in China if I want to have this case heard. So, questions of jurisdiction and applicable law can be tricky. And as customers we have to try to be aware of them. We may not always be. But as security professionals, we are definitely going to need to be aware of them. This is a due care, due diligence issue. This is one of the things you got to do your homework on and pay attention to. So, as an SSCP, it would be your responsibility to be able to advise your customers and the company about the issues and concerns of hosting with a cloud company, that may have data centers around the world and that may move our data without our prior knowledge or approval. Oh, wait a second. You mean that's not such a good idea? No that's not a good idea. Well let's step back and think about this. Can we work with the company, Company X, to put into our hosting agreement, our service level agreements and our hosting agreements with them, that we want geographic preference, meaning we want our data to stay in our geography. Well, you know, I never thought about that because when we signed the agreement nobody mentioned it. Let me go back and ask and if we do, sure enough, we may find out that for money, we can get anything we want if we're willing to pay. So, we may be able to say, yes. For another $20 a month, or whatever, we'll guarantee your data will stay inside the boundary, or the borders of the United States. And if we have to move it, we will not do so without your consent. So, that will probably solve the issue. My data won't wind up in China, and I may not have to worry about whether the Chinese government can get my data. And I may not have to go to court in order to see whether, or not in China, that is allowable under their law. So, applicable law and jurisdiction is very important. And, as a security practitioner, you need to be aware of these terms and understand how they operate, especially with regards to the cloud where data is moving. It is on the move all the time and it's easily moving quickly, in the blink of an eye, from here to another country and back again. We need to understand the implications of that.
