Enterprises spend a lot of time worrying about where their data centres are located and associated data sovereignty issues. But in an era where data moves rapidly and the legal principles underpinning its use don't always reflect reality, thinking solely about physical location doesn't make sense.
Globe picture from Shutterstock
In a recent report, Gartner analyst Carsten Casper says that queries about data sovereignty issues have been rising over the last year. (Casper will be appearing at the Gartner Security & Risk Management Summit in Sydney next month, which Lifehacker will be covering.)
The original trigger of many of those queries was concerns over whether the US Patriot Act might mean the US government could access data stored with US-operated cloud providers (which covers most of the dominant providers, including Amazon, Microsoft and Rackspace). In recent months, Casper said, it has shifted to concerns over data being accessed by the NSA in the wake of Edward Snowden's revelations about its activities.
Casper argues that rather than focusing on purely physical location of data centres, businesses should instead focus on three other data location issues:
Legal location: Ultimately, Casper argues, the legal location is determined by where the entity which controls the data is incorporated. This can be difficult to determine, since multiple parties can be involved (the original owner of the data, the overall operator of a cloud service, the smaller entities established to run specific individual data centres). Data sovereignty issues do often reflect concerns over legal location.
Political location: Irrespective of legal issues, a data centre location might prove unpopular. For instance, if a company shifted its data centre offshore at the same time as relocating a call centre, there's likely to be a consumer outcry. However, Casper notes that the actual impact of such outcries in terms of sales is likely to be minimal, unless the business is extremely large or is a public sector entity.
Logical location This is determined by who has access to the data, and is likely to be the main concern for businesses going forward, Casper suggests:
For example, a German company signs a contract with the Irish subsidiary of a U.S. cloud provider, fully aware that a backup of all data is physically stored in a data centre in India. While the legal location of the provider would be Ireland, the political location would be the U.S. and the physical location would be India, logically, all data could still be in Germany.
That does require careful planning, however:
For that to happen, all data in transit (from Germany via Ireland/U.S. to India) and all data at rest (in India) would have to be defensibly encrypted, with keys residing in Germany. Indian IT administrators would not be able to access the unencrypted data; they are only administering servers, network infrastructure and databases. Nor would the U.S. entity be able to hand over unencrypted data to the NSA. Nor would any non-EU entity be able to go after the data without following EU law.
Physical location is never going to be irrelevant, if only because power availability and cost remain such a major concern for data centre operation. However, focusing solely on that aspect and ignoring the others could be risky.
Is there an obvious solution to these issues? Sadly, no. "Business leaders must make the decision and accept the residual risk, balancing different types of risk: ongoing legal uncertainty, fines or public outrage, employee dissatisfaction or losing market share due to a lack of innovation, or overspending on redundant or outdated IT," Casper wrote.