5 Recommendations to Consider Before Choosing Where to Store your Data
4 March 2014
We now live in a world where it matters where your data is housed.
Data privacy and data governance have become major topics of debate, and today’s legal system has become thoroughly ingrained in governing information that resides within a country. And it doesn’t stop there.
Information flow online doesn’t always respect geographic limits. Data that’s present in a different country from where your data is housed might give that jurisdiction enough incentive to ask for access to your information too.
As an information security professional, choosing where to store data might be one of the most important decisions you will make for your organization. However, due to the diverse regulations protecting data in different countries and jurisdictions, many organizations don’t know what steps to take to ensure their enterprise-grade file sync and share provider has the right data security in place.
Geography comes into account, sure, but there are many other considerations to factor in when deciding where to store your information – like business interests, mutual legal assistance treaties, transmissions and data subjects.
To make your decision more bearable (and slightly easier, I hope), here are five recommendations to consider before choosing where to store your company’s information.
- Perform a comprehensive risk analysis that examines threats and their impacts – Before you pick a location for your data, make sure your organization undergoes a thorough risk analysis of plausible threats and their impacts, one that includes government activity and the legal environment of the vendor. As an example, the threat from hackers and cyber-criminals is real, and many organizations are working to secure their networks against them. Interestingly, insider threats (like Edward Snowden) are just as real, and could be as damaging as, or even more destructive than, outsider threats. It’s important for companies to understand the laws and how governments act on those laws – otherwise, it will be impossible to carry out a full risk analysis.
- Encrypt your information in transit – Since information does not always stay within geographic boundaries, you might want to encrypt your data in transit, using techniques such as forward secrecy and ephemeral session keys.
- Encrypt your information in storage – Wherever your information is stored, it should be properly secured, preferably with encryption keys that haven’t been shared with your vendor or cloud storage service provider. While your service provider can secure your information and protect it, they cannot always safeguard you against the laws they are obligated to uphold.
- Be transparent with your customers about law enforcement access – Almost all privacy principles have a transparency principle (Fair Information Practice Principles, Data Protection Directive, Privacy by Design, Generally Accepted Privacy Principles). You should seek to be as transparent as possible with your customers to help rein in law enforcement from placing needless, onerous requests on your company.
- Request transparency from your provider – Being transparent with customers is good practice, but you can’t do so if your provider isn’t transparent with you about their own legal obligations. You should request information in contractual language as to how providers will respond and react to government access requests.
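For the "encrypt your information in transit" recommendation above, here is an added example (not part of the original post) of a client-side TLS setup that only negotiates cipher suites with ephemeral key exchange, plus an audit of what the context will actually offer. It uses Python's standard `ssl` module; the function names are illustrative, and the classification relies on OpenSSL's suite naming.

```python
import ssl

# OpenSSL names TLS 1.2 suites by key exchange first: ECDHE-/DHE- mean an
# ephemeral Diffie-Hellman exchange, so a later compromise of the server's
# long-term key cannot decrypt recorded sessions. Names without the prefix
# (e.g. AES128-SHA) use static RSA key transport and are not forward secret.
FS_PREFIXES = ("ECDHE-", "DHE-")


def is_forward_secret(name, protocol):
    """Classify one OpenSSL cipher suite by name and protocol version."""
    if protocol == "TLSv1.3":
        return True  # TLS 1.3 removed static RSA and static DH key exchange
    return name.startswith(FS_PREFIXES)


def forward_secret_context():
    """Client context limited to TLS 1.2+ with ECDHE key exchange and AEAD."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Applies to TLS 1.2; TLS 1.3 suites are configured separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def non_forward_secret_suites(ctx):
    """Return the names of enabled suites that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"], c["protocol"])]


if __name__ == "__main__":
    ctx = forward_secret_context()
    for c in ctx.get_ciphers():
        print(c["protocol"], c["name"])
    print("non-forward-secret suites:", non_forward_secret_suites(ctx))
```

The same audit function can be pointed at any existing `SSLContext` to see whether it still permits static-RSA suites.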
Choosing where to store your information and where you can move it shouldn’t be decided without careful consideration. In my next post, I’ll provide an overview of national data protection laws to help you pick the best location to house your data.
Meagan Parrish is the Senior Manager of Social Media at Intralinks. She is responsible for social media strategy development and the communications for Intralinks' online communities. Meagan has been creating social media strategies for a variety of companies across verticals for the past several years. She holds Bachelor's degrees in Marketing and Finance, with a minor in English Literature.