Prime Factors Blog

It's Midnight -- Where Do Your Regulators Say Your Data Is Located?

Posted by Jeff Cherrington on Jul 7, 2014 12:00:00 PM

Carsten Casper promotes the idea that the physical location of data is becoming less relevant to the decisions CIOs make about outsourced storage and processing. Casper, a data security analyst at Gartner, states, “IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management, and the public.” The consequence is that physical location is only one of four different location elements that may come into consideration when making decisions.

Gartner breaks them down as:

· Physical location – site of the data center housing the host servers

· Legal location – state of charter for the entity that “controls” the data in terms of its appropriate use

· Political location – span of influence that can claim statutory jurisdiction over the access to data, whether that is demand for access or repercussions to the data owner for increased risk to local jobs

· Logical location – the collection of those individuals and systems that are granted end user or administrative access to the data

Casper foresees this issue evolving to the point that, by as early as 2020, physical location will play the smallest role of the four in decisions, while always remaining a factor. He poses an example of a German company contracting with an Ireland-based subsidiary of a US-chartered cloud provider. In the example, the contracting German company is fully aware that the outsourcer uses data centers in India to take advantage of lower labor costs. In this case, the legal location of the outsourcer would be Ireland, the political location would be the US, and the physical location would be India. With appropriate controls in place, the logical location (the location of those to whom access to the data is granted) could still be Germany.

“For that to happen, all data in transit (from Germany via Ireland/U.S. to India) and all data at rest (in India) would have to be defensibly encrypted, with keys residing in Germany. Indian IT administrators would not be able to access the unencrypted data; they are only administering servers, network infrastructure and databases. Nor would the U.S. entity be able to hand over unencrypted data to the NSA. Nor would any non-EU entity be able to go after the data without following EU law.”

This stipulation carries many thorny technical complications, particularly when the cloud provider is contracted for more than simple storage services. Once value-added processing is outsourced to a multi-tenant environment administered by a third party, close management of the cryptographic keys used to encrypt and decrypt data becomes much more complex, and the consequences of compromise potentially much more severe.

For more information about Prime Factors’ EncryptRIGHT and its application to closely managing encryption/decryption keys so that cloud data and processing can remain solely within the scope of an enterprise's location, see the discussion of EncryptRIGHT integration for cloud deployment, or contact us to inquire about a free 30-day evaluation.