A new report from research specialist Gartner says that the physical location of data is becoming increasingly irrelevant and that by 2020 a combination of legal, political and logical location will be more important.
Gartner research vice president Carsten Casper says that the number of data residency and data sovereignty discussions has soared in the past 12 months, and that this has stalled technology innovation in many organisations. Originally triggered by the dominance of US providers on the Internet and the Patriot Act, the perceived conflict has since been fueled by revelations of surveillance by the NSA made public by Edward Snowden.
"IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management, and the public," says Casper.
Gartner identifies four data locations for the new era. Physical location has in the past been associated with control but, now that data can be easily accessed remotely, Gartner advises that concerns about physical location should be balanced against other risks.
Legal location is determined by who controls the data, though there could be other organisations, such as service providers, that process and store it. Political location takes into account factors such as law enforcement access requests, cheap labour and international political balance. Gartner argues that these are only really important to public sector bodies or companies whose reputation is already damaged. Casper says, "Unless you fall into one of these categories, you can discount media reports on data residency concerns. While public outrage is still high about data storage abroad, there is little evidence that consumers really change their buying behavior".
Finally comes logical location, which is determined by who has access to the data. All this can lead to quite complex situations where data can be in four places at once. As Gartner points out, what happens if a German company signs a contract with the Irish subsidiary of a US cloud provider that has its information physically stored in a data centre in India? While the legal location of the provider would be Ireland, the political location would be the US and the physical location would be India but, logically, all data could still be in Germany. Confused? Thought so.
"None of the types of data location solves the data residency problem alone," says Casper. "The future will be hybrid -- organisations will be using multiple locations with multiple service delivery models. IT leaders can structure the discussion with various stakeholders, but eventually, it's the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO".
You can read more in the report "The Snowden Effect: Data Location Matters", available on the Gartner website. The issue will be discussed further at a series of Security and Risk Management Summits, held in Sydney, London and Dubai in August and September.