Physical location of data to become increasingly irrelevant in post-Snowden era: Gartner

The physical location of data still matters, but will become increasingly irrelevant and will be replaced by a combination of legal location, political location and logical location in most organisations by 2020, reports Gartner.

Carsten Casper, Gartner research vice president, says the number of data residency and data sovereignty discussions has soared in the past year, stalling technology innovation in many organisations.

Originally triggered by the dominance of US providers on the Internet and the Patriot Act, the perceived conflict was then fuelled by revelations of unexpected surveillance by the National Security Agency (NSA) made public by Edward Snowden.

“IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management, and the public,” says Casper.

“Business leaders must make the decision and accept the residual risk, balancing different types of risk: ongoing legal uncertainty, fines or public outrage, employee dissatisfaction or losing market share due to a lack of innovation, or overspending on redundant or outdated IT.”

The Gartner report identifies four types of data location:

Physical: People equate physical proximity with physical control over data and security. Although everybody knows that locally stored data can be accessed remotely, the desire for physical control still exists, especially among regulatory bodies. Gartner advises organisations not to dismiss concerns about physical location, and instead balance the discussion with other types of risk.

Legal: Gartner says many IT professionals are not aware of the concept of legal location. The legal location, it says, is determined by the legal entity that controls the data (the organisation). There could be another legal entity that processes the data on behalf of the first entity (such as an IT service provider) and a third legal entity that supports the second one in that endeavor (e.g. an offshore data centre).

“Statements like ‘it's illegal to store such data outside the country’ are often interpretations of legal language that is far less clear,” says Casper. “Each organisation must decide whether they accept those interpretations.”

Political: Considerations such as law enforcement access requests, use of inexpensive labour in other countries that puts local jobs at risk or questions of international political balance are more important for public sector entities, nongovernmental organisations (NGOs), companies that serve millions of consumers or those whose reputation is already tainted.

“Unless you fall into one of these categories, you can discount media reports on data residency concerns,” says Casper. “While public outrage is still high about data storage abroad, there is little evidence that consumers really change their buying behaviour.”

Logical: This is emerging as the most likely solution for international data processing arrangements and is determined by who has access to the data, according to the report. An example, for instance, will be a German company which signs a contract with the Irish subsidiary of a US cloud provider, fully aware that a backup of all data is physically stored in a data centre in India.

While the legal location of the provider would be Ireland, the political location would be the US and the physical location would be India, logically, all data could still be in Germany.

For that to happen, all data in transit and all data at rest (in India) would have to be defensibly encrypted, with keys residing in Germany. With such an architecture there is an increase in cost and complexity and a reduction of usability through functions like preview and search, mobility and latency, says Gartner.

“None of the types of data location solves the data residency problem alone,” says Casper.

Prepare for the 'hybrid' model

He predicts the future will be “hybrid”, where organisations will be using multiple service delivery models.

“IT leaders can structure the discussion with various stakeholders, but eventually, it's the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO.”

Send news tips and comments to divina_paredes@idg.co.nz

Follow Divina Paredes on Twitter: @divinap

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events.