sommai - Fotolia

Cloud data residency an issue of global proportions

While a cloud provider's vast network of data centers helps maintain uptime and availability, it can be a compliance nightmare for some IT pros.

Data residency in the cloud has long been a double-edged sword for IT. On the one hand, allowing a cloud provider to host your data in different locations across the world ensures uptime, availability and performance. On the other, it makes compliance with local data residency laws a major IT headache.

Despite security tools and emerging industry standards that offer help, IT pros should never take cloud data residency issues lightly. As the "custodian" of their employees' and customers' data, an enterprise is responsible for ensuring that data is protected and complies with local data privacy laws, said Francoise Gilbert, managing director of IT Law Group, a Silicon Valley-based law firm focusing on information privacy and security issues.  

And that responsibility is not eliminated when data moves to the cloud. As a general rule, the company that owns or acts as the custodian of the data is responsible for the data, according to Gilbert, who is also general counsel for the Cloud Security Alliance.

"When that entity purchases cloud services, it is responsible for conducting the appropriate due diligence to determine whether the services offered by the cloud service provider meet its legal, compliance, security and other requirements," she said.

The cloud data residency conundrum

There are two major issues that make it difficult for organizations to comply with local data residency laws. The first is that an enterprise doesn't necessarily know the country or region in which their cloud provider hosts its data.

"All cloud is is a bunch of servers in someone else's data centers and not yours," said Garrett Bekker, senior security analyst at 451 Research LLC, based in New York. "Granted, there are different architectures and it's a lot more complicated than that, but that's what it is at the end of the day. The problem is you don't necessarily know where [those data centers] are."

Major infrastructure as a service providers, such as Amazon Web Services (AWS), Microsoft Azure and Google, allow users to select the specific geographic regions in which their data is hosted. AWS, for its part, states on its website that it "does not move or replicate customer content outside of the customer's chosen region or regions."

But given the nature of virtualization and redundancy in the cloud, it's still difficult for users to gain complete transparency into where, exactly, their data is, said Seth Proctor, CTO at NuoDB, a NewSQL database provider based in Cambridge, Mass. and an AWS technology partner.

"Even if Amazon is really good about maintaining that Frankfurt is the only place where those disks are running, those disks are virtualized and, at any given point, they might shut them off, and decide to recycle them and throw them away -- so who knows what happens to the data," said Proctor, who also spearheads data residency efforts within the Object Management Group (OMG), an industry standards consortium.

The second issue that complicates data residency in the cloud is that data protection laws vary -- often substantially -- between different geographies.

"You are dealing with multiple national jurisdictions, all with their own definitions and requirements," Bekker said.

To complicate matters further, many countries' data privacy laws are in flux. The European Union, for example, is reforming its Data Protection Directive to create more consistency across the data protection laws in its 28 member states.

Mitigating cloud data residency risks

Despite these hurdles, there are ways an enterprise can gain more transparency into where their cloud data lives, and to comply with local data regulations.

First, organizations should dedicate a specific IT role to cloud data residency and compliance. In some cases, this could be a company's CTO or CIO. Some organizations, on the other hand, create roles such as Chief Data Officer, Chief Compliance Officer or Chief Risk Officer to lead the charge.

Secondly, an enterprise should be as thorough and up-front as possible when communicating its compliance needs to potential cloud service providers (CSP). Even better, users should work with their providers to include specific data residency requirements within their contracts or service level agreements. 

"In the end, it is most important that CSPs and cloud users communicate ahead of time, and during contract performance, so that each party is clear on the commitments made by the other parties," Gilbert said.

Proctor, alongside the OMG, hopes to streamline this process. OMG in April created the Data Residency Working Group to study the technical and legal issues surrounding data residency in the cloud. The aim of the group, which consists of cloud vendors and users, is to create a common technical framework for data residency across the industry.

"When you store data on a cloud, you want to be able to say 'This has to conform to German privacy laws and therefore it has to be stored in Germany, and cannot be shared outside the borders of the country,'" said Richard Soley, chairman and CEO of OMG. "There needs to be a technical way to say that, so that you can automate it and so that the cloud provider can carry out those requirements the same way they carry out requirements for security, in general, and reliability and so forth."

The group hopes to develop a common data residency "taxonomy" to improve how users and vendors communicate about the issue.

"It feels a little bit like you're at some UN conference -- everyone sort of knows how to communicate, but is speaking a different language," Proctor said. "Things get lost in translation."

With recent events like the NSA surveillance program making data security a hot-button issue, more and more organizations also look to cloud encryption tools, particularly for data that cannot cross a border or move outside the enterprise's control.

Data encryption tools from vendors including Perspecsys and CipherCloud offer data encryption platforms to mask or tokenize data before migrating it to the cloud. This allows enterprises to maintain regulatory compliance in the cloud, regardless of location, said Gerry Grealish, CMO at Perspecsys. 

Kristin Knapp is site editor for SearchCloudComputing. Contact her at [email protected] or follow @kknapp86 on Twitter.

Next Steps

Seven cloud security risks to avoid at all costs

Recent breaches highlight need for cloud encryption

Understanding public cloud risks and costs

Mastering data compliance in the cloud

Dig Deeper on Cloud application monitoring and performance