This content is part of a program managed by the Economist Intelligence Unit, sponsored by Accenture and Pegasystems. “Digital Evolution: Adapting Business for a Digital World” aims to shed light on the world of digital business—the strategic imperatives, challenges, complexities and pitfalls. All “Digital Evolution” content can be found here.
Here’s a conundrum: If a US-based company uses a British cloud service provider whose data center is actually in India, but only the US staff is able to access the encrypted data, where does the data actually reside?
The answer, according to Gartner analyst Carsten Casper, is that the data is “logically” in the US. However, three other ways are available for considering data ownership: physically, legally, politically. Each could turn up a different answer.
Before cloud computing, the location of data was not in question—it was on a server or a computer in a defined location. Now that it’s possible to access data halfway around the world in less than a second, data sovereignty (also called “data location” or “data residency”) is a complex topic that is requiring companies to rethink their assumptions about data flow and security.
This isn’t just a theoretical debate. Companies that run afoul of contracted stipulations about data sovereignty can face fines or legal action. For instance, a large tech company is currently trying to block a move by US prosecutors to search emails on one of its servers in Ireland, where a customer account is connected to a narcotics investigation.
“The meaning of data sovereignty seems to be quite straightforward,” says Casper. “But then I talk to customers, and, depending on their background, they have very different understandings of what it means,” he says. “Privacy advocates, IT people, lawyers, business executives, government sector, private sector—all have different understandings of where the data really is.”
What is clear, however, is that organizations must know where their data is at all times. The issue, which began with the passage of the U.S. Patriot Act in 2001, got a second wind after Edward Snowden revealed in 2013 that the National Security Agency had accessed private data stored on the servers of US companies. The issue made headlines again when the National Security Agency’s bulk data collection program was shut down earlier this year—and then allowed to temporarily resume. All of this attention translates into pressure for more accountability and responsibility for those who have access to data. As a result, many foreign firms have required that their data reside outside of the US.
The actual location of data is a hot-button issue, says John Igoe, VP of Cloud Operations, Security and Technology for Pegasystems. “If you talked to me five years ago, it probably would not have come up, but right now it’s top of mind.”
Legal constraints around data sovereignty vary by country and region, says Igoe. Germany has very strict requirements about the use of data related to its citizens as do many European countries, particularly with information like health records. “They want to make sure they can trace the origins of that data and the residency of that data,” he says.
As globalization grows, many US firms are building data centers abroad to satisfy such requirements. Apple, for instance, plans to spend $2 billion to build data centers in Ireland and Denmark—in part to be able to store European consumers’ data on European soil. Microsoft has two data centers in the works in Canada for the same reason.
For smaller firms, Igoe says vigilance is required. If a company uses multi-tenant cloud services, then data residency isn’t always clear, so it is imperative that companies ask.
It gets even more complicated, says Kim Singletary, Director of Product Marketing for Cloud at Pegasystems. Mobile adds another layer of intricacy to the issue. “Data is flowing in every single location,” she says. “It’s not all being stored in one monolithic area anymore. You have micro-pockets here and there.” Singletary prescribes prioritizing data. “The key is to focus on what data is necessary,” she says, “and how to protect it in motion and at rest.” Attention must be paid to how data is structured and architected with applications and solutions, Singletary explains. “However, data use and flow are not really addressed, which is the higher concern. Almost all modern applications are using a hybrid data model in that data can reside in memory and multiple data sources.
“Cloud computing is evolving quickly,” continues Singletary. Organizations are mixing all types—public cloud, private cloud and traditional data centers—to accommodate growth. Decisions have to be strategic. Companies have to balance risk with evolving their business and supporting an elevated digital customer experience. “Speed is always risky, and the velocity in which business is transforming can be a concern if proper diligence and awareness are not also addressed,” she says.
Technologies, devices and data demand are moving at a dizzying speed, but the good news is “the tools to manage and track this type of concern have really advanced over the last five years,” Igoe says. In particular, data segmentation and data tracking related to entitlement and access in cloud computing have gotten better and now allow companies to segment where data resides and to segment the access.
Even as questions over server geography are sorted, data sovereignty is evolving, says Igoe. Referring back to the question of a US company storing data in Great Britain and managing it in India, Igoe believes that the location of the data is becoming less important than the location of the people who have access to it.
Cloud computing may compound the complexity of data location, Singletary notes. And it may have an element of risk—but that’s a reality of doing business in the digital age. Because, she says, the bigger question is, “What is the risk of not evolving?”