The physical location of corporate data will become irrelevant by 2020, replaced by a combination of other criteria, according to a Gartner report.
Gartner said the location of where companies store data will become “increasingly irrelevant” in the post-Prism era, and will be determined by a combination of legal, political and logical considerations.
According to the analyst firm, the number of data residency and sovereignty discussions has soared in the past 12 months, stalling technology innovation in many organisations. These discussions were fueled by revelations of NSA surveillance, it said.
“IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management and the public,” said Gartner research vice-president Carsten Casper.
Physical control and proximity
But the research firm acknowledged that, currently, the physical location of data is still important to enterprises.
Historically, people equated physical proximity with physical control over data and security. Although locally stored data can be accessed remotely, the desire for physical control still exists, especially among regulatory bodies, said Casper.
He warned businesses not to dismiss concerns about physical location, but instead balance the discussion with other types of risk – including legal, logical and political issues.
Business leaders must make risk-based decisions while choosing cloud and datacentre services, by taking into account the physical location, legal location, political location and logical location of data, the analyst firm advised.
Many IT professionals are not aware of the concept of legal location. The legal location is determined by the organisation that controls the data. “There could be another legal entity that processes the data on behalf of the first entity, such as an IT service provider; and a third legal entity that supports the second one – possibly a datacentre in India,” Casper said.
Explaining political location, Casper said considerations such as law enforcement access requests, the use of inexpensive labour in other countries that puts local jobs at risk or questions of international political balance are important for public-sector entities.
Logical location as front runner
Finally, Casper added that “logical location” is emerging as the most likely criterion for international data processing arrangements, determined by who has access to the data.
For example, a German company signs a contract with the Irish subsidiary of a US cloud provider, fully aware that a backup of all data is physically stored in a datacentre in India. While the legal location of the provider would be Ireland, the political location would be the US and the physical location would be India, logically, all data could still be in Germany, he explained.
“For that to happen, all data in transit and all data at rest (in India) would have to be encrypted, with keys residing in Germany. With such an architecture there is an increase in cost and complexity and a reduction of usability through functions like preview and search, mobility and latency,” Casper said.
“None of the types of data location solves the data residency problem alone.” The future will be hybrid where enterprises use multiple locations with multiple service delivery models, he predicted.
“IT leaders can structure the discussion with various stakeholders, but eventually, it's the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO.”