[copied from SANS security newsletter, http://www.sans.org/newsletters/#newsbites]
–Swiss Telecom Plans Cloud Service Hosted Entirely Within Switzerland (November 3 & 4, 2013)
Swiss telecommunications company Swisscom plans to establish a “Swiss cloud” that will be hosted entirely within that country. The goal is to prevent the NSA and GCHQ from snooping on communications. (Swisscom is majority-owned by the country’s government.) Switzerland already has stringent data privacy laws in place, which is why companies that provide secure communications services use data centers there. Prosecutors must obtain court orders before conducting surveillance.
[Editor’s Note (Pescatore): Just a few months ago Swisscom had to acknowledge a security breach when backup tapes containing customer and corporate sensitive information were stolen and given to a newspaper. And one year ago the Swiss Intelligence NDB admitted an insider had exported classified counter-terrorism intelligence information and they noticed this when the Swiss bank UBS notified them after UBS traced an attempt to open a new, numbered bank account to the IT technician. Seems like data and bank activity might not be risk-free in Switzerland.
(Murray): When their banks began to cooperate with the US IRS, the Swiss surrendered the historic trust on which such an offering as this might have been based. Those who want confidential communications or storage must rely on private encryption. One can no longer trust any institution for a result that one cannot verify intraday.
(Northcutt): I think the NSA thing is a bit overdone; they have been cast in the role of the Highlander, able to hear and process all of the world communications. However, cloud storage and processing does need to be taken seriously from a privacy perspective. I really like the University of Delaware policy. It is subtle, but they clearly get it:
Funny how the (mostly American?) commenters @SANS downplay the relevance/power of the NSA. Give me a break please; this *should* and *will* have consequences as European business will think twice about whether they should host their data in a US company which is subject to US law. IMHO this is rather good as it might allow Europe to stop its sleep in IT and go after some of that business.