Data Center Journal

Volume 33 | August 2014

Issue link: https://cp.revolio.com/i/359333


I've been working in or around IT security for more than three decades, and I can't remember the last time that a cyber-security issue received such sustained attention from the public media. It has been over a year since former NSA contractor Edward Snowden released a trove of documents revealing the large-scale collection, analysis and storage of personally identifiable information—much of it from the data centers of telecommunications, Internet and cloud service providers. And people are still talking about it.

But conversations about data sovereignty and data custody—re-ignited by Snowden's revelations—are not only important to private citizens. They pose, as you'll learn in this article, significant challenges for the enterprise as well. So to the question of the current state of IT security and next steps, addressing the issues of data sovereignty and data custody is essential.

IT INFRASTRUCTURE DECISION MAKING IN A POST-SNOWDEN WORLD

The Snowden revelations are not the only factor making data sovereignty and data custody challenging issues for the enterprise. Another significant factor is the coincident proliferation of global IT infrastructure options and the rising ubiquity of the cloud.

There's no question that this proliferation of options is key to our ability to manage the ever-increasing amount of data we generate and consume. But all these options, and the global nature of them, make IT management much more complicated than it was in that not-too-distant past.

When your IT infrastructure is located on your premises or colocated with a data center provider, there's no question where your data is. You have the key to the cabinet; the answer to the question "Who has custody?" is easy—it's you.
But when your data applications or infrastructure—even some of them—are in the typical public cloud, it can be difficult or impossible to say where in the world your data resides, much less where it has been. (That is data sovereignty.) The amount of control you have over your data depends on the laws of the country where it is and the policies of the cloud service provider. (That is data custody.)

Enterprise leaders overwhelmingly understand the importance of location when it comes to storing company data, and many have taken or are planning new action to protect the privacy and security of their data. Yet the fact remains that data sovereignty and data custody present legitimate challenges for global enterprises. And those challenges are not going away.

THE ISSUES: DATA SOVEREIGNTY AND DATA CUSTODY

Data sovereignty is the question of which sovereign's (i.e., country's) laws govern your data. The concept is often taken to mean that your data is subject to the laws of the country in which it is located, but that may not be the case; data sovereignty may instead mean that the data is subject to the laws of the country in which it originated, or the laws of the country in which the cloud provider is headquartered.

In the cloud, data sovereignty can become an issue because different countries have different laws governing the collection, use, storage and transmission of data within their borders. Sometimes the laws that apply are less "friendly" than your own sovereign's laws, putting enterprise data and customer data at risk. In other cases, the laws are significantly more strict, requiring levels of privacy protection, for example, that your cloud provider may not be equipped to accommodate.

Navigating these different (and sometimes conflicting) laws can be quite difficult. It depends on knowing—and controlling—where your data is. If you don't know where the servers that hold your data are, you don't know whose rules you might be beholden to.
And if you don't know (or can't control) whose rules you might be beholden to, you can't know whether the jurisdictional laws in that location are in sync with your corporate policies and your sovereign's data laws.

In fact, many of the benefits of the cloud are based on the premise that data is moved swiftly between data centers as cloud providers distribute workloads in order to optimize the capacity and efficiency of their servers, and to create better resiliency for business continuity of operations. Yet "the ease with which cloud resources can be allocated and reallocated makes it more likely that it will be done without an appropriate review of the relevant legal issues." [1]

[1] QMUL Cloud Computing Project, "What

Have the Snowden Revelations Changed Your Approach to the Cloud?

95% of ICT decision makers believe location matters when it comes to storing company data
88% are changing their cloud buying behavior
84% feel they need more training on data protection laws
52% are carrying out greater due diligence on cloud providers than ever before
38% are amending their procurement conditions for cloud providers
31% are moving data to locations where the business knows it will be safe

Source: NTT Communications, March 2014
