Data Residency and Legal Questions About the Cloud

With the official Microsoft Office 365 launch last week, and all its related build-up and hoopla, I've been speaking with a lot of cloud vendors lately. Naturally, everyone wants to share what they can do to help customers who plan to adopt Microsoft's cloud-based collaborations suite that features Exchange Online, SharePoint Online, and Office Web Apps, among other features. However, one topic that continues to surface around cloud solutions such as Office 365 is growing legislation that mandates where data can be stored.

Perhaps the best-known example of this type of requirement comes from Canada where, in reaction to the US Patriot Act, Canadian companies are forbidden to use cloud services that store data on US soil. Basically, Canada and other governments that enact such legislation are trying to protect their citizens by ensuring that data about their citizens is stored where that particular government body has legal control over what happens to the data. So, the Canadian government doesn't want its citizens' data to be seized as a result of provisions of the Patriot Act if it happens to reside in a data center in the United States.

I spoke specifically about this issue of data residency with Martin Tuip, an Exchange and messaging expert with information management services company, Iron Mountain. "Countries will adopt these laws and regulations to protect their citizens," Tuip said. "Certain types of data must be stored where governments have legal jurisdiction over it, which technically means within its borders." Tuip pointed out European legislation as well as recent laws passed in US states such as Massachusetts and Nevada as the possible start of a trend down this more restrictive road.

The question that arises, if this trend continues, is what effect will it have on adoption of cloud computing overall, and specifically on adoption of hosted messaging and collaboration services which rely on storing personal data? Rami Habal, director of product marketing for email security vendor Proofpoint, said, "Data residency, the issue around where I store my data, is extremely important, especially for multinationals with geographically disbursed offices in different jurisdictions." Habal was quick to point out that Proofpoint customers are able to choose the specific data center where their data is stored; many other cloud vendors have told me the same thing (although I haven't heard this said about Office 365).

But what if the vendor doesn't have a data center in the correct political geography? "I think encryption technology will play a part of that, and encryption architecture," Habal said. "If the customer has the key, and the data is stored encrypted, even outside the country in question, is that good enough? Will those types of issues start challenging people's notions of data residency as well?" In fact, encryption is already recognized in the case of the Nevada law:

So, if encryption is considered "good enough" to allow data storage outside geographic boundaries, perhaps companies have nothing to worry about if they want to move to cloud computing. However, what about where encryption isn't specified as acceptable? And what about the passage of future laws that could change or reverse practices companies depend on today? No one wants to implement a major business system such as hosted messaging only to find out six months later that their government has just enacted legislation that will require them to change back to an on-premises system.

Nick Mehta, CEO for LiveOffice, told me about one way the US federal government is trying to avoid just such a situation from occurring. Under the direction of federal CIO Vivek Kundra, TechAmerica Foundation has formed the Commission on the Leadership Opportunity in US Deployment of the Cloud (CLOUD²). The commission consists of thought leaders from business, government, and academia, with the intent to help shape US policy concerning the cloud. "The goal was to make American government policy friendly to cloud computing adoption," said Mehta, who's a member of the commission. "It's very possible for the government to come up with rules that actually make it hard to go to the cloud. But the government is actively thinking about how to make it easy to go to the cloud."

I'm probably as suspicious and untrusting of government in general as anyone—apart, maybe, from Agent Mulder—but I think this sounds like a good step. It remains to be seen what specific recommendations CLOUD² will come up with, and whether the administration will follow them. This group also doesn't directly address any group other than the federal government, although if the results are positive and meaningful, perhaps other government bodies might look into adopting them as well.

In addition, showing a commitment to cloud computing, Kundra (who recently announced that he'd be leaving his post as federal CIO in August) instituted a policy known as "cloud first" whereby government agencies are required to investigate the feasibility of cloud deployments of any new technology deployments and are also being asked, as part of a general cost-cutting measure, to move some current systems to cloud models if appropriate. "I think that the fact that they're doing that is going to be a pretty good leading indicator for the rest of the industry," Mehta said. "Because if the federal government can do it, I think a lot of regular businesses can do it as well."

Although problems related to data residency aren't going to disappear overnight, at least they're being addressed. These issues will only become greater as we create more data, which therefore requires more storage. As Tuip said, "It has become so socially unacceptable that digital data gets lost. We cry foul. But it's going to be inevitable. It's human nature. And yet we rely on technology that's not foolproof." Of course, losing data—and cloud systems' ability to preserve viable data over long periods of time, as also required by certain compliance regulations—moves into another discussion altogether, which perhaps I'll save for another time.

In the meantime, let me know what you think about data residency restrictions, cloud computing, and the possibilities of your organization moving messaging to the cloud.

Follow B. K. Winstead on Twitter at @bkwins
Follow Windows IT Pro on Twitter at @windowsitpro

Related Reading: