While most users don’t care where cloud services are physically located or hosted, both local and international businesses and federal and state government entities should pay special attention to the actual, physical location of the services being provided.
The crux of the problem is that there’s no guarantee that your data in a cloud service being hosted outside of the United States is protected. The laws, policies and regulations vary among countries regarding access to — and control of — data. If that data were to end up in a less-congenial country, it is conceivable that you could lose control over your data. The challenge of controlling the geo-location of data is known as data sovereignty. After all, it’s hard to be the king of your data if it’s taken hostage in a foreign nation.
Handling sensitive data is hardly a new problem, even when crossing borders. Our businesses and governments have had extensive experience handling data among countries. For example, a U.S.-based company storing personally identifiable information such as customer data belonging to residents in the European Union must conform to U.S.-EU Safe Harbor Principles. Additionally, in government, there are strict rules dictating the management and protection of personally identifiable information as well as other types of sensitive data. The key difference with cloud services is that the data is no longer hosted within our own physical data centers. With cloud services, the possibility exists that our data could be stored outside of our country’s borders without our knowledge. Furthermore, by crossing those borders we may lose some protections or even be accountable for additional protections for which we aren’t aware.
In June, the FBI confiscated servers and storage from a Swiss Web-hosting provider’s data center located in Virginia. The suspect’s assets were seized as well as systems belonging to innocent tenants sharing the same rack space. If this were to happen to a cloud provider hosting your data in a less-benign country, what might become of the data that was seized? It’s more than probable that that country’s agents will gleefully sift through all of your data and do with it whatever they please.
At a National Institute of Standards and Technology conference last April, federal CIO Vivek Kundra said, “It is not a question of technology. [Data sovereignty] is going to be a question of international law, and treaties that we will need to engage in the coming years.” While international law is certainly a key element, there is a technology component that is missing. There’s no current technology that allows subscribers to verify the geo-location of their data. Sure, a provider may say your data is located within your borders, but there is no way for subscribers to independently verify.
Until the laws get hammered out and geo-location verification technology is developed, the only way to protect ourselves is to scrutinize a cloud provider’s service level agreements . Check the fine print to ensure that you exclusively own your data and that it will reside within the borders that are acceptable. Determine where the provider has its data centers and what services are running in those data centers, and verify that they don’t reside in foreign data centers.
Fortunately, there are many cloud providers on the market. If they can’t conform to your requirements, move on.
David Blankenhorn is chief cloud technologist at DLT Solutions, a software information technology company based in Herndon.