Data sovereignty. Horacio Gonzalez @LostInBrittany

Who are we? Introducing myself and introducing OVHcloud

Horacio Gonzalez @LostInBrittany Spaniard lost in Brittany, developer, dreamer and all-around geek Flutter

OVHcloud: A Global Leader ● 200k Private cloud VMs running ● 1 Dedicated IaaS Europe ● 30 Datacenters ● Own 20Tbps Network with 35 PoPs ● Hosting capacity: 1.3M Physical Servers ● 360k Servers already deployed

1.3M Customers in 138 Countries

OVHcloud: Our solutions Cloud Web Hosting Mobile Hosting Telecom VPS Containers ▪ Dedicated Server Domain names VoIP Public Cloud Compute ▪ Data Storage Email SMS/Fax Private Cloud ▪ Network and Database CDN Virtual desktop Dedicated server Security Object Storage Web hosting Cloud Storage Over the Box ▪ Licences Cloud Desktop Securities MS Office Hybrid Cloud Messaging MS solutions

Do you remember old times? The stories of the grumpy old dev…

In a time almost forgotten When even internet was young…

Data was a scarce resource My IBM PC 5155 in the 80s and its big 360 KB floppy disks

Even in big systems… A big mainframe disk from 1985… at 1000$ / MB

Things have changed a lot And we all have some tens of GB in the pocket

Data centers instead of mainframes With petabytes of data capacity…

You are losing me… WTF is a Petabyte? 1 PB = 1 000 TB = 1 000 000 GB

How much data is produced in a year? In 2018 we produced 18 zettabytes 1 ZB = 1 000 EB = 1 000 000 PB

How do we produce so much data? In 2018 every minute: ● Twitter users sent 473,400 tweets ● Snapchat users shared 2 million photos ● Google processes more than 2.5 million searches

Not all data is the same Some is more important than other

But for all there are critical questions Who is the owner of the data? Who can access the data? Who can monetize the data? Who controls the data?

What are the risks? For an enterprise and for an individual

Data is the new oil, they say In any case, data is vital to business

Risk: data theft The first we think of…

Risk: industrial spying The chic version of data theft…

Risk: data loss Either permanent or temporary

Risk: data alteration Accidental… or not

Risk: no access to data No internet, no cloud…

External risk factors: Geopolitics

External risk factors: Geoeconomics

External risk factors: Distortion of competition

But today we look at another one What rules apply to data? Which jurisdictions?

Data sovereignty Who controls the data… and why should I care?

Data has ethical value For good… and for evil

Data has economic value Fortunes are built around data

Data has a strategic value Key to the independence

Data sovereignty The idea that data is subject to the laws of the nation in which it is collected

It began with Snowden And the revelations on the PRISM program

And the CLOUD Act The CLOUD Act states that American companies must provide information properly requested by law enforcement “regardless of whether such communication, record, or other information is located within or outside of the United States.”

EU & US: very different views on data Privacy vs Profit

General Data Protection Regulation Protects all personal data for European citizens

New rights for individuals ● The right to access ● The right to be forgotten ● The right to data portability ● The right to have information corrected ● The right to receive a Breach notification

Irresistible force paradox What happens when an unstoppable force meets an immovable object?

Answer: nobody knows for sure And unknowns are never good news…

Data Sovereignty and SaaS Spoiler: it’s complicated

A reminder of cloud service models The problem is different for each model

Data Sovereignty and SaaS Well… it’s complicated…

SaaS: Where will the data be stored? Not easy to know in many cases… How about when accessing a service hosted in the US from the EU via a UK VPN?

SaaS: data lifecycle Do GDPR protections apply to that SaaS?

SaaS: who owns the data? And what jurisdiction applies?

SaaS: how is data secured? And will you be informed of a breach?

Data Sovereignty and IaaS/PaaS A bit clearer

You are using your own services On a third-party platform

GDPR is a powerful tool And most providers try to show conformity

But often you have some work to do There is a subtle difference between GDPR ready and GDPR compliant

Vendor lock-in Easy to get in, impossible to get out

Having only one cloud provider Comforting sensation of simplicity

One Cloud to run your apps all Is it really a good idea?

What could possibly go wrong?

Especially if my data is strategic What can I do?

I can always go away Can’t I?

Well, not so simple… Vendor lock-in

Technical vendor lock-in Proprietary APIs and products

Cost-based vendor lock-in Data transfer prices

What can I do then? Quit the Cloud? Go raise goats in Larzac?

The European reaction What cloud do we want?

There are European alternatives Transparent and compliant

European players are ready Alternative solutions respecting our values and rules

Trusting European actors Building ecosystems, growing champions

Trusted cloud European initiatives to leverage European ecosystems

France and Germany initiatives Building sovereign clouds

Protect critical data From extra-territorial threats

Initiatives like GaiaX Transnational working groups Industrial partners

What does that mean for you? ● Empowering companies and institutions ○ To get more out of your data ● Based on standards and openness ○ A complete offering ● Your data gets protected

Conclusion That’s all, folks!