Learn How a Virtual Networking Approach Can Strengthen the Security of Federal Networks REGISTER >
According to a recent Gartner report entitled "The Snowden Effect: Data Location Matters," the physical location of data is becoming increasingly irrelevant, and will be replaced by a combination of legal location, political location and logical location in most organizations by 2020.
Gartner research vice president Carsten Casper said in a statement that the number of data residency and data sovereignty discussions had soared in the past year in response to Edward Snowden's revelations regarding NSA surveillance.
"IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management, and the public," Casper said.
"Business leaders must make the decision and accept the residual risk, balancing different types of risk: ongoing legal uncertainty, fines or public outrage, employee dissatisfaction or losing market share due to a lack of innovation, or overspending on redundant or outdated IT," he said.
Beyond the physical location of data, Casper said many IT professionals aren't aware of the concept of legal location, which is determined by the legal entity that controls the data. "Statements like 'it's illegal to store such data outside the country' are often interpretations of legal language that is far less clear," he said. "Each organization must decide whether they accept those interpretations."
Political location is also a factor, affected by such considerations as law enforcement access requests and questions of international political balance -- though Casper said those concerns should really only be relevant to public sector entities, NGOs, companies that serve millions of customers, or those whose reputation is already tainted.
"Unless you fall into one of those categories, you can discount media reports on data residency concerns," Casper said. "While public outrage is still high about data storage abroad, there is little evidence that consumers really change their buying behavior."
Finally, logical location is determined by who has access to the data -- for a Germany company working with the Irish subsidiary of a U.S. cloud provider that stores an encrypted backup of all data in a data center in India, the legal location would be Ireland, the political location would be the U.S., and the physical location would be India, but the logical location could still be Germany.
"None of the types of data location solves the data residency problem alone," Casper said. "The future will be hybrid -- [organizations] will be using multiple locations with multiple service delivery models. IT leaders can structure the discussion with various stakeholders, but eventually, it's the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO."
Still, that doesn't free companies from a responsibility to clearly understand the location of all sensitive data -- a recent survey by the Ponemon Institute found that only 16 percent of IT and IT security professionals know where all of their sensitive structured data resides. "The majority of respondents agree that not knowing the location of data poses a serious security threat," Ponemon Institute chairman and founder Dr. Larry Ponemon noted.
Photo courtesy of Shutterstock.