As cloud services have become an acceptable form of IT delivery, how important is data residency? Most, if not all, cloud providers to date declare where their datacentres are located, but is it enough for it to be located in Europe, Asia Pac or North America?
I don’t believe so. There are certain jurisdictions where not only does the data have to reside within the jurisdiction, but access is limited to users who reside within it. This isn’t always obvious either, so any selection process needs to include a full review of the local data protection and residency requirements.
This review is likely to show a multitude of different rules, regulations and laws, some of which are based on civil law and others on criminal law. Add into the mix laws from some countries that potentially give a government the right of access to data that, on the surface, should have been protected by local jurisdictional laws, and this area of cloud should be treated with a lot of thought and due diligence.
I for one believe that as more businesses choose to use cloud services, providers will have to become far more savvy on the issue of residency; their offerings will need to develop at a more granular jurisdictional level, i.e. have cloud services in multiple countries rather than just based on a continent like today. This will give their clients the ability to select where their data sets reside. This will need to include application-level separation as well; for example, a CRM system could appear to the user community within one company to be a single system, but underneath the data is split into different jurisdictional locations.
Another area that all businesses should consider when selecting their cloud provider is the ultimate owner of the provider. Once this information is obtained, the laws of that ultimate owner’s jurisdiction need to be researched and checked, as there may well be laws that potentially override the laws that your local provider adheres to.
As you can see from this short article, this is a complicated area, but ignore it at your peril: you could put your business and your clients at risk.
Below is a starting-point list of checks that all companies should undertake:
- Know your provider
- Can they show proof of data residency?
- Who are their ultimate owners, what are the laws within the jurisdiction in which the owners reside, and what is the potential impact of these laws?
- How do they operate their services, especially in jurisdictions that are local access only?
- Understand your local data protection laws and residency requirements and assess your provider’s ability to meet these requirements
- Does your provider give you the ability to control where your data resides?
- How easy is it to move your data to another provider should a change of ownership take place that potentially puts your data at risk?
- Ensure that the provider has the ability to fully delete your data including backups
The above should also be undertaken at regular intervals as this area is changing constantly and therefore needs regular review.
I also think it will have an effect on the long-term revenue streams of some providers that don’t give this area the level of investment and priority it obviously already requires. Vertical clouds that focus on certain areas and jurisdictions will also start to become commonplace.
This is an interesting area of cloud that is constantly moving, but it is an area that I believe will become more important as the world moves ever more digital and the protection of digitised data becomes an ever more important area for businesses and consumers alike.
By Julian Box, Posted 10th September 2012.