In-Depth

Keeping Data Close to Home

The more information you have, the more you must worry about where it's stored and if your organization is in compliance with the global potpourri of industry and government regulations.

by Jim Latimer

Businesses looking to outsourcing and cloud computing services are starting to ask some new questions of their providers, such as "Where is my data?" The control and distribution of data is more than just an organizational housekeeping issue these days.

As more personal information crosses multiple borders and boundaries as it traverses the public Internet, companies are becoming increasingly concerned about meeting privacy legislative requirements within their own jurisdictions. Provisions within PIPEDA in Canada and the EU Data Privacy Protection Directive, for example, are in direct conflict with certain allowances in the U.S. Patriot Act in terms of access to personal information.

As the use of managed and cloud services grows, providers working with international customers need to have the resources to provide multiple location choices or discrete/segmented cloud services in various jurisdictions. Increasingly, today's customers want to have the ability to pick and choose their data center locations to ensure that the data is maintained in accordance with the appropriate legislative requirements.

In simple terms, there has been a growing movement to bring the processing capability to the data versus the other way around. Although this may seem like a tall order, virtualization (among other technologies) can play a key part in allowing enterprises to move, geo-locate, decentralize or target applications and data processing easily and cost effectively.

To Each His Own

Organizations and/or applications, of course, have different data storage requirements. Health-care facilities, educational and financial institutions, and government agencies are among the most vigilant when it comes to the storage, retrieval, and use of personal information. At the same time, given the overwhelming volumes of data and complexity of managing it, an increasing number of these entities are looking to hosting or managed services, simply as a flexible and cost effective means to handle these challenges.

Of course, not all data falls within the parameters of privacy legislation requirements. For example, e-mail addresses and company information do not, but asking for a mother's maiden name does. The data collected through Web forms requesting business contact information, or user behavior tracking tools such as Google Analytics, typically do not fall under what is specified in a variety of privacy acts. Other free applications, however, could if the nature of the data contains personal information. For example, depending on how they are utilized, services such as Google Apps or salesforce.com could include content that is deemed private and therefore falls under legislative scrutiny.

Although the geographical control of data is easily managed when dealing with private hosting infrastructures, the increasing popularity of cloud computing and SaaS offerings has dramatically increased the number of service offerings available and has triggered growing concerns over where data is being stored and accessed when it's not under one's own roof.

The "elastic compute cloud" as it is known in some circles was commoditized when introduced by big players such as Amazon, making cloud applications and infrastructure services became cheaper and more accessible. Within a relatively short time frame, the cloud evolved into a global computing capability, and IT managers began asking questions about the physical whereabouts of data within an infrastructure model that by its very nature has no geographical boundaries or restrictions.

The U.S. Patriot Act in particular has raised concerns for jurisdictions that have stringent privacy laws of their own and created uncertainty and doubt on the part of internationally based companies about hosting data in the U.S. Since 9/11, the government has the authority to issue National Security Letters to obtain copies of data from U.S.-based providers while prohibiting providers from disclosing these requests to customers.

This runs contrary to stringent privacy acts such as PIPEDA in Canada, and the EU Data Privacy Protection Direction. In both jurisdictions, privacy laws demand that any request for data go through the courts. Yet by hosting data in the U.S., a National Security Letter thought to be relatively rare could result in disclosure of private information that would compromise a company's ability to comply with its own country's privacy laws.

U.S. operations for their part are not exempt from concerns when hosting data in international markets. Google, for example, faced this issue when dealing with the Chinese government's censorship laws. It quickly discovered that "cloud control" is something that is far from being taken lightly in other geographies. The question, therefore, is not if there is a risk, because in some cases data location is not a concern. (Depending on their usage, free public services such as Gmail and MSN can remain unbound.)

Few enterprise-level users have actually considered the deeper ramifications of the physical storage of data, especially when transitioning to outsourced data center services. As they become increasingly aware of potential issues, and fall under the scrutiny of increasingly stringent legislative bodies, they are now demanding more effective ways to leverage outsourcing services in a way that allows them to enjoy all the advantages of cloud while maintaining data closer to home.

Divide and Conquer

One way to securely and cost-effectively approach the data delineation challenge is to engage separate providers in each location. An alternative for anyone operating in multiple jurisdictions is to seek internationally established hosting or managed services providers that can accommodate distributed data or multiple installations in multiple geographies.

There are several instances where this approach may be critical, such as:

  • Universities and colleges have been among the first to restrict the location of data and ban the use of services such as Gmail to protect student information
  • Health-care facilities maintaining confidential patient records that are required to keep data within designated regions
  • Financial institutions and payment-processing services
  • Online advertising campaigns that collect personal information that must be segmented to comply with national privacy requirements
  • Government agencies collecting information on private citizens

Of course, a majority of organizations doing business today are respectful of the data they collect. For these enterprises, would not face a significant transition to engage in a data delineation strategy. This may not be as challenging as one might think. Advances in virtualization are making it easier to split applications and data processing functions into different, distinct geographical locations.

This is easily achieved when managing your own infrastructure, whether at your own data center or through a co-location service. When working with providers that engage in data-related managed services, however, it is essential that they provide details on where and how data is stored and who has access to that data.

Another critical component is how backup data is housed geographically. Whereas it used to be common practice to have backup facilities in a distant location from the source, it has proven to be more practical to have those resources within a 100-mile radius to ensure accessibility. Today's advances in storage replication technology are making the backup part of the data management equation easier.

Although a good portion of this component relates to infrastructure and applications, an equally important component of data delineation is performing the necessary due diligence to ensure that any venture into cloud/SaaS meets privacy regulations where applicable. That includes putting the appropriate access control measures in place, ensuring that any requests for information only include the information you need, and familiarizing yourself with the appropriate privacy bodies and their requirements.

Last but not least, ensure that whatever data you collect stays where it belongs.

Jim Latimer is vice president of client solutions for CentriLogic, a leading provider of hosting, managed services, and cloud computing solutions. Mr. Latimer can be reached at [email protected]

Must Read Articles