The recent revelations around National Security Agency spying prompted many countries outside the U.S. to take stock of their data privacy laws. And cloud customers -- who are often unaware of where their data is stored -- should also be familiar with these local regulations.
"Every country is reacting to this differently, so it largely depends on where you're located and where you're doing business and what data you're storing," said Garrett Bekker, a senior security analyst with 451 Research LLC, based in New York.
Countries such as Austria, Australia, Canada and Germany are aggressive about data sovereignty and keeping sensitive data within their borders. But regulations are still in flux, so best to err on the side of caution, Bekker said.
"The challenge is it's a lot like shooting at a moving target," Bekker explained. "You don't necessarily know what remediation you need to take and whether they'll meet the letter of the law or not."
Cloud vendors are building data centers around the world, in part to comply with emerging regulations. But customers should take their own steps to ensure compliance, Bekker urged.
First, know where a provider's data centers are physically located. From there, be mindful of data collection processes to ensure compliance with local residency laws. If possible, put language in a service-level agreement that limits where that data can reside, Bekker said.
Cloud customers can encrypt, mask or tokenize sensitive data to minimize risk. Vendors including Perspecsys, CipherCloud and Vormetric also offer data residency services.