Data Location in the Cloud: Understanding the Regulatory Issues
In the real estate business, it’s all about location. For IT, the same can be said of data. Data location is top of mind due to differing regulatory issues.
24 August 2015
In the real estate business, it’s all about location, location, location. Increasingly, for IT, the same can be said of data.
Data location is becoming important in a post-Snowden era because many countries are taking aggressive steps to protect citizen privacy and preserve national security interests. There’s also undoubtedly an element of protectionism. The result is that organizations conducting business internationally are struggling to meet a complex network of regulations that dictate where data can be stored, processed, or accessed.
The question of data location is critical when embarking on a cloud-based project, especially one that hinges on content collaboration and file sharing. In reality, the problem is caused by the ambiguity of the actual meaning of “data location,” not by the complexity of the technology.
According to Gartner's “The Snowden Effect: Data Location Matters” report, data location has many interesting facets — Physical, Legal, Political and Logical.
The Four Types of Data Location
- Physical: Physical location is what has traditionally been considered. It is where the storage hardware resides. Sounds pretty cut and dried, but there are some details to consider. For instance, backing up data is a standard practice for many providers, as is shipping that data overseas for archiving or analysis. Data can be shipped overseas or cached for performance purposes as well. Given the vast distribution of this information, the question should really be “where, physically, are all copies of the data?”
- Legal: The country of registration of the entity that controls the data may represent the Legal location. Another legal entity could be the service provider that processes the data on behalf of the entity that controls the data. Legal location is especially important in regard to where information is stored or shared. The contract will state the jurisdiction for any dispute. In the event of a data breach, the privacy laws of the country the data comes from will likely control the data. The location of the entity holding the data may also come into play, but it is not necessarily the controlling matter.
- Political: If the legal entity is a subsidiary of an international corporation, then the country of headquarters is the Political location. Though some may argue it is not a rational consideration, certain countries may be more prone than others to sanctions and other international issues, and this needs to be accounted for.
- Logical: Gartner summarizes that though physical location should remain in consideration, the most future-proof strategy is to focus on the location from which people can access data, or the control point — known as Logical location. Due to the adoption of encryption technologies, who can access data is more important than the location where the actual zeros and ones are written to media for storage. Encryption is going to be the technical measure that will help businesses navigate the increasingly complex data sovereignty legislation.
No matter where the data originates, it has to travel over public networks (otherwise known as the Internet) to its final destination at users’ devices. As the information moves across many political boundaries, a copy of it (mostly a temporary one) is often made at each stop.
Interestingly enough, some of the most stringent data location requirements come from geographically small countries in which Internet traffic definitely travels across borders. Inevitably, one asks the question: How is it possible to do business with those countries? The usual response is to secure the communications channel with Transport Layer Security (TLS) — the successor of the more famous SSL. This means that all the data that moves from the provider to the consumer is encrypted and controlled by the certificate installed at the provider’s web server. Some providers say that since the data is encrypted it can travel all over the world — which is great news for businesses.
Don’t Let Data Be Bound By Location
Following the same argument, the Logical location of the data is where the encryption keys are stored. In this case, the location of the certificate defines the data location. In the case of Customer Managed Keys (CMK), the location of the control over the keys defines data location. By using CMK, while providers store and process the data on customers’ behalf, customers maintain full control over the encryption process of their data. Each encryption or decryption request has to use a customer-controlled key, and if it is not available, no entity can see the data. In this case, the location of the switch to turn the keys “on” or “off” is the logical location, thus allowing or disallowing all access to data.
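The CMK arrangement described above, sketched as envelope encryption in Node.js. This is an added example, not code from the article or from any provider; `CustomerKeyService`, `Provider`, the envelope-encryption design and the sample record are assumptions made for illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');
// AES-256-GCM; sealed layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, sealed) {
  const d = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Hypothetical key service run by the customer in its own jurisdiction.
class CustomerKeyService {
  #kek = randomBytes(32); // key-encryption key; never leaves this object
  enabled = true;         // the "on/off" switch, i.e. the Logical location
  #check() { if (!this.enabled) throw new Error('customer key unavailable'); }
  wrap(dek) { this.#check(); return seal(this.#kek, dek); }
  unwrap(wrapped) { this.#check(); return open(this.#kek, wrapped); }
}

// Hypothetical provider, possibly overseas: stores ciphertext and wrapped keys only.
class Provider {
  constructor(keyService) { this.keyService = keyService; this.records = new Map(); }
  put(id, plaintext) {
    const dek = randomBytes(32); // fresh data key per record
    const wrappedDek = this.keyService.wrap(dek);
    const ciphertext = seal(dek, Buffer.from(plaintext, 'utf8'));
    dek.fill(0); // the provider keeps no usable key
    this.records.set(id, { wrappedDek, ciphertext });
  }
  get(id) {
    const { wrappedDek, ciphertext } = this.records.get(id);
    const dek = this.keyService.unwrap(wrappedDek); // every read asks the customer
    return open(dek, ciphertext).toString('utf8');
  }
}

function demo() { // constructed sample record
  const keys = new CustomerKeyService(), cloud = new Provider(keys);
  cloud.put('doc1', 'constructed sample record');
  const whileOn = cloud.get('doc1');
  keys.enabled = false; // the customer flips the switch
  try { return { whileOn, whileOff: cloud.get('doc1') }; }
  catch (e) { return { whileOn, whileOff: e.message }; }
}
console.log(demo());
```

With the switch off, both reads and new writes fail at the provider, while `records` still holds only the wrapped key and ciphertext.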
If regulators can be persuaded that it is acceptable for businesses to temporarily store encrypted data overseas, what would logically follow is that it would be acceptable to permanently store securely encrypted data outside regulators’ jurisdictions — as long as it can be demonstrated that the control over the keys, or the Logical location, is compliant with the data sovereignty laws. Let’s hope this is successful, because the alternative is having an Internet resembling the political map of the world.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.