Data centre location has no bearing on cyber security for cloud users, according to Google Apps director of security Eran Feigenbaum.
Feigenbaum made the argument during a keynote at InfoSec 2015, claiming that the common European belief that local data centres offer better data security is misguided and potentially dangerous.
"Data location does not improve security. It's actually the reverse. Adversaries do not abide national borders. I've never seen a hacker say: 'Oh, it's in London. I don't want it. I'm going to hack Belgium,'" he said.
"Sure, you have to be careful due to legislation. There are different regulations. Some data may not be able to leave the country, like [under] Swiss banking law [for example].
"But just because it's in a specific country doesn't make it safer. Google has data centres everywhere and they all get audited and have the same practices."
Feigenbaum explained that the biggest security problems facing cloud users are poor authentication and a lack of attack preparation practice.
"The biggest problem around cloud is authentication. In a regular conversation I get to look at you and know it's you, but most online services still just rely on username and password. If I get these I can impersonate you," he said.
"Eighty percent of the breaches of 2014 came down to getting a user's password. [Thanks to our Password Alert Chrome extension] we found users recycle corporate passwords. They use it for their Netflix account or Yahoo.
"The problem is all these services don't have great security and a consequence is if [the victim's] Netflix account gets hacked it's a big deal. We need to make it easier to do the right thing and alert people when they don't. The goal is making passwords even more invisible to users."
Feigenbaum added that the growing sophistication of cyber attacks means that businesses should begin operating under the assumption that they will be breached and mount yearly stress tests.
"A breach will happen. That's one thing we know. But how will you know? Or your provider? How will you understand what data was impacted?" he said.
"You need to mount security drills where you act as if you've been hacked. We got really good since 2000 at practising disaster recovery and this is the logical next step.
"Practising a drill will let you know what engineers, what legal folks, PR and marketing staff need during a breach and what to do before contacting a customer. This is something you should do on a yearly basis."
Feigenbaum's comments follow widespread concerns about cloud security and privacy that erupted in 2013 following the Edward Snowden leaks.
The leaks showed that GCHQ and the US National Security Agency were legally siphoning vast amounts of data from technology companies including Google.
The news caused a backlash against US cloud providers and prompted a consortium of 140 companies including Google, Apple and Microsoft to send a letter to the White House in May urging president Obama to block legislation that would let agencies continue to collect and decrypt data.
Feigenbaum shied away from directly answering whether the privacy concerns around GCHQ are a direct problem for businesses when asked by V3, but said that companies should consider data protection and human rights laws when building data centres.
"I'm going to try not to be political here. I think obviously states need to do what they need to do for security [but] organisations need to put on good security practices to stop unwanted eavesdroppers and let states have legal processes to request that data," he said.
Despite the privacy concerns, Feigenbaum is one of many professionals to downplay the importance of data centre location.
NetSuite similarly argued in May that a European data centre is not needed for privacy or compliance.
The news follows fresh calls from Ciaran Martin, GCHQ director general for cyber security, for businesses to begin working with the agency to combat hackers.