Apples and Oranges: Legal

Superficially, stormmq seems to be like Amazon’s SQS, but they have very different legal characteristics.

This is the second of six articles in the series comparing stormmq and Amazon SQS.

Superficially, stormmq seems to be like Amazon’s SQS, but they have very different legal characteristics.

Amazon SQS is great if you don’t need legal protections.

The words “IT Audit” strike fear in every developer’s heart. If you have ever had an audit you’ll know that they can cause a world of pain. An IT auditor is somebody to be feared. Some auditors are straightforward, and you can ‘get away with a few things’. But many are very smart, very knowledge and do an excellent job. They will let you away with nothing. While being painful, the process is very important for IT departments. It forces them to design better systems which benefit the organisation and the customers.

If you use Amazon SQS, you get a great service. It’s brilliantly engineered, with a simple interface to a complex architecture. But it has one weakness – it is a legal minefield. In the EU, every country has a data protection commissioner. In the UK, it’s the  ICO, for example. Each country has national rules, but they all derive from the same EU directives. The essence of this legislation is it makes you responsible for looking after customer and other personally identifiable data even if you use a third party provider or contractor. To pass any IT Audit you need to prove that not only you know the locality of your data, but:‐

  • that it’s secured in transit;
  • encrypted when stored;
  • can not be subverted, altered or changed without knowledge, and,
  • is only revealed to those that need to know.

That’s hard to do. In addition to this there are four key things to consider:‐

Where is the data stored? If you use any cloud provider you will need to consider this. You need to be very careful if you move personally identifiable data from one jurisdiction to another. You might think that choosing the Amazon SQS service in Dublin will side step this issue (and in many cases it might) but remember that they are a US company that is still covered under the US Patriot Act.

There’s no point having data if it’s not consistent. Well, if you want to use Amazon SQS you might want to read clause 11.5 of the Amazon Web Services Customer Agreement, which states “WE AND OUR LICENSORS DO NOT WARRANT THAT THE SERVICE OFFERINGS WILL FUNCTION AS DESCRIBED, WILL BE UNINTERRUPTED OR ERROR FREE, OR FREE OF HARMFUL COMPONENTS…”. You will not pass an IT audit with this sort of a statement in the customer agreement.

Clause 11.5 goes on to say “…OR THAT THE DATA YOU STORE WITHIN THE SERVICE OFFERINGS WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED”. So, if Amazon is hacked then not only will you have to apologise to your customers you will also have to explain to the Data Commissioner why you used a service that was insecure. The Data Commissioner can hit you with a £500,000 fine for this sort of thing.

How long is your data on their system after you delete it? Are all the copies destroyed? Is it still there? Dude, where’s my data?

At stormmq, we care deeply about data security and we can help you demonstrate audit compliance. We use 2048‐bit TLS and IPSec VPNs to secure access – even on our own network. We use encrypted disk drives and UK based ISO accredited data centres with 24 hour manned security. stormmq was built from the ground up as a service that compiles with as many regulatory requirements as possible.

Locating and securing your data matters to us. Our optional Locate‐It™ service will sign‐over ownership of the encrypted hard disks used to hold your data. We will then provide you with a Certificate of Locality and Ownership of Data. Using these certificates you can have your auditor or IT director check our facilities and audit the actual hardware that is used by your message queue. Ownership of the hard disks also gives you the added security of being able to take the disks at the end of your subscription for secure destruction.

Our service does not compare our service to Amazon SQS when you consider the legal implications. But, don’t take our word for it, we strongly recommend that you consult your lawyers.

  Raphael ‘Raph’ Cohn

Raphael ‘Raph’ Cohn
Chief Architect
+44 (0) 7590 675 756

I’ve designed, developed and burnt the midnight oil on the graveyard support shift from large systems for banks to troubleshooting telcos to pricing electricity in Singapore. The one thing that was always missing was ‘ready to use’ Message Queuing. Message Queues you could set up and tear down yourself without bureaucracy or crazy costs. Message queues that worked with anything. Then it dawned. Message Queuing should be a cloud based service.