Cloud computing and SaaS are on the rise in a big way, but for some companies, there’s an issue that is starting to come up in a lot of conversations with their service providers: the geographical location of their data.
While it may not seem a big deal to some, conflicts with national privacy laws add one more agenda item you may have to consider before making the move to the cloud.
Who’s on First?
“Geographical location of data was a question a few years ago. Then it dropped off the radar,” Jim Latimer, vice president of client services for CentriLogic, told the E-Commerce Times. “Now, with the increase in cloud computing and Software or Infrastructure as a Service, customers are bringing that question back to the table.”
Alternative delivery models are increasing the significance of location as a risk factor, confirmed Jay Heiser, research VP for Gartner.
“It’s something that is very badly misunderstood right now,” he told the E-Commerce Times. “If you don’t know where your data is, you have very little basis for understanding the risks associated with it, including availability.”
Even data in motion is something that needs to be considered. Few people in Canada realize, for example, that a lot of mundane Web browsing goes to the U.S., according to William F. Maton, director of the Toronto Internet Exchange (TorIX).
“Of course, there are economies of scale in connecting through the U.S.,” he told the E-Commerce Times, “but once that information crosses a greater expanse, it becomes somewhat public — and possession is nine-tenths of the law.”
Rules Is Rules
One sticking point for a growing number of organizations is the USA Patriot Act, which, among other things, gives the government the authority to obtain copies of data from providers, while prohibiting them from disclosing it to their customers. There is increasing concern that the practice may be in direct conflict with national privacy laws outside the U.S., such as PIPEDA (Personal Information Protection and Electronic Documents Act) in Canada and the Data Privacy Protection Directive in the EU.
“All Canadian organizations are responsible for the privacy of information they collect under PIPEDA,” Latimer explained. “By hosting in the U.S., Canadian organizations may be exposed to risk because of their obligations under PIPEDA. EU companies are in the same situation.”
“The number of clients coming to us with concerns about the Patriot Act is absolutely amazing,” Simon Keogh, vice president of marketing for Tenzing Managed IT Services, told the E-Commerce Times. “European companies wanting to target North American markets don’t want to deal with that.”
Potential conflict with the Patriot Act isn’t the only concern companies have about geography, noted Tim Varma, vice president of product development for PEER 1 Hosting.
“For some it could be a concern over government law or compliance,” Varma told the E-Commerce Times. “For others, it’s simply a personal preference. In many cases, it depends on the vertical and their compliance mandates. Sometimes there are business preferences or internal rules that exist. Whatever the reason, customers have to do their due diligence around geography and risk, including where their data is being housed and what kind of security measures are in place.”
When you get to the cloud, however, it all gets a bit more vague.
“It’s in the Internet, which means a theoretical data space,” explained Varma.
“Can an Amazon or Google tell you the exact location of your data? However, more and more organizations need to know where that data is and be able to pick the location where it can be housed. As we transition through the processes and ideas about cloud and how computing is done, as well as compliance and regulations, location will become more and more of an issue,” he predicted.
“I’m sure Amazon has huge hosting facilities, but where are they in Canada or Europe?” asked TorIX’s Maton. “Can you specify which location you want in your contract? Maybe we need riders that tell you where your data is parked in the cloud — but would they be receptive to that?”
These “housing concerns” have led enterprises to consider alternative hosting strategies, such as distributed data or multiple installations. This could mean engaging different geographical locations or finding providers that can accommodate such arrangements.
If a company has a Web site that collects information on customers, for example, it may need to develop sites with different databases for U.S. and Canadian customers. This is already a common practice with ad agencies when tracking online campaigns for different countries.
Data mining might mean having to bring information in and dispose of it in accordance with local legislative requirements once results are tallied — or send it back “into the geography it came from,” said CentriLogic’s Latimer. “Generally, most organizations are respectful of the data they collect, so it’s not a huge step to add a geographic-related solution. Besides, virtualization is making it much easier to split applications and data processing into geographies where they are obligated to be.”
The easiest thing to do is to just make sure that data stays wherever you collect it or your customers reside, suggested Latimer. “Using providers with multiple facilities or cloud providers with different discrete clouds gives you the ability to do that. It’s a matter of moving processing around the data versus the other way around.”
“It makes sense to keep data where it belongs, and closer to your clientele,” said Maton. “Among other things, it makes it easier for law enforcement and security.”
Under the Hood
Organizations should analyze the salient aspects of all the factors — from data location to security and risk, advised Gartner’s Heiser.
“Understand where your data is and who is in control of it,” he said. “That’s a good place to start. Then look at the technology issues, such as infrastructure, platforms, and risk management. The fact is, the aspects of cloud computing that make it appealing from an economic point of view make it extremely impossible to assess the risk. Plug and play suggests a lack of transparency — and if you don’t know what’s under the hood, you probably can’t [assess it]. People really need help with all this.”