Organizations looking to benefit from the scalability, agility, and capital cost savings of cloud computing inevitably
encounter the issues of data privacy and security. In the corporate data center, data security and privacy are mostly
about protection from hackers and insiders. In the cloud, however—public, community, hybrid, and sometimes even
private-- they are also affected by where data resides and the impact of local, regional, and national regulations on
the privacy of that data--an issue known as data sovereignty.
What Are The Drone Anti-jamming Systems Technology?
Data Sovereignty and the Cloud
1. DALLAS PHOENIXAMSTERDAM | |DALLAS PHOENIX LONDON AMSTERDAM
DATA SOVEREIGNTY AND THE CLOUD
| | |
Data Sovereignty and the Cloud
Organizations looking to benefit from the scalability, agility, and capital cost savings of cloud computing inevitably
encounter the issues of data privacy and security. In the corporate data center, data security and privacy are mostly
about protection from hackers and insiders. In the cloud, however—public, community, hybrid, and sometimes even
private-- they are also affected by where data resides and the impact of local, regional, and national regulations on
the privacy of that data--an issue known as data sovereignty.
The romantic image of the cloud is that of a nebulous place somewhere where data and applications float
freely—exactly where doesnʼt concern the user. The reality, however, is that cloud providers house infrastructure,
platforms, data, and applications in data centers just like everyone else, and where those data centers reside affects
which nation, state, or locality has legal sovereignty over and thus potential access to that data. Organizations
looking to store any data or applications in the cloud, including via software as a service (SaaS), need to take these
and other compliance concerns into account when deciding what to put in the cloud, what type of cloud to put it in,
and what provider they intend to use.
The Data Sovereignty Tangle
One of the biggest catalysts for concerns about data sovereignty has been U.S. anti-terrorist legislation such as the
Patriot Act, the Foreign Intelligence Surveillance Act (FISA), and extensions to the latter signed into law recently.
These laws give U.S. intelligence and law enforcement agencies unprecedented leeway in requesting information
held in U.S. data centers as part of terrorism investigations, including data held by foreign organizations in the U.S.
Similar regulations exist in other countries, including Australia. There are also international treaties that affect the
subpoena and surveillance of data belonging to U.S. and sometimes foreign organizations stored in data centers
outside the U.S.
The legal implications of these acts for foreign and domestic organizations are complex, evolving, and often not well
understood. And perhaps worse, they sometimes conflict with data privacy legislation in the European Union and
Australia requiring organizations to let users know who has access to their data. More recent European legislation
has even required certain organizations to keep customer data within the country of origin. And of course there are
other compliance issues that come up wherever data is located.
Aside from anti-terrorist legislation, there are also Federal, state, and local tax laws that affect transactions taking
place in U.S. data centers, including those of organizations based abroad. They are equally varied, complex and
evolving.
Finally, data stored in the U.S. may be subject to U.S. laws regarding data retention and discovery. And any disputes
arising from U.S. based cloud services may fall under U.S. law. The same is true for foreign based services used by
U.S. organizations.
Data sovereignty has become a particularly important issue for organizations based outside the U.S., because most
of the major cloud services, such as Amazon Web Services, Rackspace, and others, are U.S. based and host
infrastructure and/or store data in U.S. data centers. Many of these services have data centers outside the U.S. as
well, but standard cloud service contracts often give customers little to no control over where their data or the cloud
infrastructure they make use of resides.
twitter.com/firehostLearn more at www.firehost.com email sales@firehost.com call (US) +1 877 262 3473 (UK) +44 0800 500 3167
2. twitter.com/firehostLearn more at www.firehost.com email sales@firehost.com call (US) +1 877 262 3473 (UK) +44 0800 500 3167
All or Nothing?
Under these circumstances many organizations choose to avoid housing any sensitive production data or
applications in the cloud. However, such a move may limit their IT options and competitive position unnecessarily.
It doesnʼt necessarily solve the problem either, as organizations may not be aware that their in-house developers
run test beds or applications in the cloud that make use of sensitive data. In other cases an organization may already
be using the public cloud during peak load periods. It may be using a cloud service for backup or disaster recovery.
Or IT may not be aware that there are internal departments taking advantage of cloud services, including software
as a service applications (SaaS) such as Salesforce.com, without ITʼs full knowledge or permission. Sensitive data
stored internally but used externally by SaaS may be vulnerable and subject to data sovereignty concerns.
So how does an organization looking to take advantage of the cloud address the risks and other issues of data
sovereignty? Here are some basic steps to take when addressing the issue of data sovereignty in the cloud.
Classify Data
A good first step to addressing cloud data sovereignty issues is to do a risk analysis of any data and applications
that either reside in the cloud today or may reside there at some time in the future. Classify which and how much
data is high, medium, and low risk in terms of privacy and security. Some organizations classify data as either
private, restricted, or public.
IT cannot do this alone. Itʼs essential that representatives of the business and legal units be involved in the
classification process as they often can best judge which data has which level of sensitivity. Compliance issues
should be taken into account as well, which is why legal counsel should be involved.
High-risk data usually includes any type of customer or client information, including names, addresses, numbers,
email addresses, and of course credit card information. The same goes for employee and other human resource
information. Any financial records should be analyzed carefully both in terms of business and regulatory risk. And
email and other types of business records should be considered, not to mention any documents and other data that
may involve intellectual property.
IT should conduct discussions with members of the various business units to discover cloud services used by those
departments and their employees as well. This may sound like a lot of effort. However, itʼs an essential step, not
just for addressing data sovereignty, but for general IT security and compliance as well. Users may be unaware that
the data involved may be vulnerable to attack or subject to regulations such as HIPAA. Finally, disaster recovery and
software testing and development should be considered as well as these folks may be using recent sensitive data and the
cloud as part of their testing or backup environment.
Evaluate Cloud Providers
Once IT has classified data according to high, medium, and low risk, a determination should be made as to how
much high and medium risk data is either currently or likely to end up somewhere in the cloud at some time in the
future. Itʼs important to consider not just data stored in the cloud, but data used by SaaS and software testing, as
well as any applications you may be running in external data centers.
If you have no intention of letting any sensitive data into the cloud and feel you can actually accomplish that goal,
then it may not matter where your data is stored. Keep in mind, however, that by doing so you may be limiting
important options could make your organization more agile and competitive. If it seems inevitable that some
sensitive data will end up in the cloud, then you need to be very careful which cloud providers you choose to work
with.
3. twitter.com/firehostLearn more at www.firehost.com email sales@firehost.com call (US) +1 877 262 3473 (UK) +44 0800 500 3167
There are many criteria to take into account when evaluating a cloud provider that have no bearing on data
sovereignty. As part of your data sovereignty investigation, however, you should take into account these criteria.
A Focus on Enterprise security concerns
Any organization concerned about sensitive information should make sure the cloud providers itʼs considering are
used to dealing with organizations with similar concerns. One way is to ask for some examples of existing
customers likely to have similar concerns about data privacy and sovereignty as your organization. If the provider has
large enterprise or government agency customers, thatʼs a good sign.
Make sure the provider reacts the way it should to questions about data sovereignty. Are they familiar with the issue,
used to those types of questions, and able to provide their own informed perspective and advice on ways to address
data sovereignty issues?
Location of Data Centers
Where are the cloud provider data centers located? If youʼre a company based in the UK or Canada with concerns
about data sovereignty, for example, which of your short list of cloud providers offers data centers in those
countries? If the answer is none, or if all their data centers are located in one country or region, you may want to go
elsewhere.
Otherwise itʼs important to conduct a thorough analysis of the data sovereignty issues involved with their data
center locations. How likely is it, based on national, regional and local regulations, that an intelligence or law
enforcement entity would have the legal authority to monitor or request data stored in those locations? Itʼs
important not to simply limit your consideration to whether you think itʼs likely your data would be monitored or
requested. What are the tax implications, if any, of storing data or running transactions in those locations? There
may be local, state, province, or other regulatory and tax implications as well. What treaties do those countries have
with others regarding data sovereignty?
Location and Contract Flexibility
Most likely an organization with data sovereignty concerns will not want a cloud provider that relies solely on
standard contracts. Look for providers that are willing to negotiate with an understanding of your business and data
sovereignty needs. Chief among your concerns will be finding a provider that not only lets you choose where you
want your data or applications located, but has an established record of complying with those contract terms.
In your negotiations try to get a feel for the providerʼs awareness of the data sovereignty aspects of their data center
locations and what they might mean for your business. And make sure you ask questions about that providerʼs
disaster recovery practices to ensure your sensitive data wonʼt be backed up, snapshot, or replicated to locations
with other data sovereignty implications.
Part of your contract should be a requirement for immediate notification if the provider plans to make any changes
in data center and backup locations. And look into what will happen to your data if you discontinue the service. What
measures will the service take to eradicate your data from their systems and storage?
4. Transparency
As Ronald Reagan liked to say, trust but verify. Having assurances that your data is stored in a particular location is
not enough. You want to be able to verify this is the case. Work with a provider that is willing to be subject to an
audit of where your information is stored, including backup and disaster recovery. Check if theyʼll allow you to visit
the data centers that house your data and applications. Look for provider monitoring tools and portals that allow
you to verify location and perhaps even APIʼs that allow you to plug in your own management tools for this and other
purposes.
Encryption
For this and other security purposes you should strongly consider encrypting all your sensitive data in transit and
at rest in the cloud. Check into the encryption options offered by the provider or consider the option of encrypting
the data before it leaves your premises if possible.
Donʼt forget Data Security
This is pretty obvious but there are many other data security and compliance concerns besides data sovereignty that
should be considered and wonʼt be discussed here. Suffice it to say that there are some providers that take
enterprise level security more seriously than others.
There are certainly risks to housing applications and data in the cloud, particularly when the provider is based
abroad. However, the business advantages of cloud computing are too great to ignore for most organizations
struggling with shrinking budgets, emerging technologies, and cloud enabled competitors. By taking a careful,
methodical approach to analyzing risk and choosing a cloud provider, you can reap the benefits of cloud computing
while bringing the risks down to an acceptable level.
twitter.com/firehostLearn more at www.firehost.com email sales@firehost.com call (US) +1 877 262 3473 (UK) +44 0800 500 3167
Media Contact
Cathi Lane
Manager of Public Relations
FireHost
press@firehost.com
US +1 469 533 8133
UK + 44 800 500 8133