The generally accepted practice in the information technology and communication industry is to store information (data) with one service provider, in one physical and geographical location. Often, the service provider will also provide redundancy and backup storage in remote locations, but this is only to ensure performance and the availability of data in case of disaster or other failures. Information (data) is still entrusted to this single service provider, which must implement a plethora of security measures to ensure the protection of the information, namely its confidentiality, integrity and availability. These measures can be preventive, detective or corrective in nature and include, but are not limited to, physical and logical access controls, data encryption at rest and in transit, backups, monitoring, alerting, journalising, antivirus, firewalls, intrusion detection and prevention systems, physical and environmental protection measures, security policies, procedures and standards, background checks, security awareness programs, audit plans and certification, incident response, breach notification, risk assessments, etc.
In the end, with all these security measures implemented, information (data) can still be vulnerable and the user or the organisation is never completely sure that the information is adequately secured. Encryption, which is often specifically used to secure the confidentiality of data at rest and in transit, is itself vulnerable. Encryption can be poorly implemented, it can contain backdoors unknown to the user or data owner, and the keys themselves can be handed to third parties, without the knowledge or consent of the user or the data owner.
The vast majority of service providers will themselves entrust their client's information to other suppliers or give them access to the information, often without the user's or organisation's knowledge or consent. Suppliers of the service provider will often themselves entrust information to other supplier or give them access to the information. It is most often unlikely that the same level of information protection will be guaranteed in these downstream subcontracting scenarios.
Current information storage and communication practices are also affected by the global legal and regulatory landscape. Each country or jurisdiction or even industry may have specific laws and regulations applicable to information that is stored, communicated or processed in its territory. Certain laws or regulations will give wide powers to monitor, intercept or access information often without the user's or organisation's consent or knowledge. This situation can often result in security, confidentiality and privacy issues. Furthermore, the legal and regulatory differences in various jurisdictions can often discourage the free flow of information towards the most efficient and appropriate storage, processing and communication service providers.
In view of the foregoing, there is a need for a different way to store information (data) securely while at least mitigating the limitations and shortcomings of the current practice.