As with many multi-national companies, Microsoft maintains corporate subsidiaries worldwide, often to optimize its operations under various legal regimes. While the justification for this is usually tax related, increasingly, compliance with local data security and privacy regulations are a driving factor. In light of the Snowden revelations about the NSA, other countries are closely scrutinizing the activities of American companies within their borders. Germany, for instance ousted Verizon in favor of local Deutsche Telekom, citing Verizon’s cooperation with the U.S. government as a determining factor.
As a large international U.S.-based firm, Microsoft too is feeling the heat and competition from localized firms. It has now launched a public campaign to show its sensitivity toward foreign concerns. Recently, when the U.S. government attempted to serve Microsoft with a warrant for emails held in Ireland by a non-U.S. citizen, Microsoft responded by arguing that the U.S. warrant was invalid vis-à-vis information stored in another country. The case remains pending as Microsoft appeals the initial court order.
As a recent Gartner report describes, by 2020, legal, political and logical locations will replace physical location as the important factors in determining where data resides. Gartner defines those terms as follows:
- Physical location is the jurisdiction in which the servers reside that house the data.
- Legal location is the jurisdiction in which the controller of the data resides. As the U.S. argues in the Microsoft case, though the data physically resides in Ireland, the legal location is the U.S. because of Microsoft’s corporate residency.
- Political location is a notion of data located somewhere insensitive to the data subject’s political sensibilities. Examples include locating the website of an anti-outsourcing group in India or storing Chinese political dissident diaries in Shanghai. Such concerns may only be relevant in a minority of contexts.
- Logical location is the jurisdiction from which access to the data is available. While it may overlap or be synonymous with the others, it is not necessarily the case. Without being careful, it could be that data is accessible by anyone, anywhere.
The underlying reason that Gartner suggests the shift in importance away from physical location has as much to do with the shifting technology as with the legal frameworks. The rise of cloud computing came about as a desire by firms to outsource certain non-core business functions. By focusing on core business, the other functions can be relegated to those with stronger skills, expertise and specialized equipment. Outsourcing is the natural continuation of capitalism’s division of labor and specialization of firms.
Cloud computing by definition obscures the inner operations of the service provider, leaving it up to its “expertise” in the area to deliver the service at an appropriate level. In goes a company’s inputs, the magic black box of the cloud performs its operations, and out comes the output. Ignorance of what happens in the sausage factory of the cloud is purposeful as companies don’t want to waste resources on non-core functions, they just want the black box to perform its magic.
So why can’t firms turn a similar blind eye to privacy and security of the black box that is the cloud service provider? After all, aren’t those cloud or file storage and sharing providers in a much better position to provide security around their own technology? Yes, outsourcing security does provide benefits from the provider’s economies of scale, but there is a caveat. Only the company whose data resides in the cloud can fully appreciate the risks to that data. Those risks may be from misuse, inadvertent leaks, hacks and theft, espionage, legal demands or branding and reputational injury. It is important to work with your provider to develop an appropriate risk profile and compensating controls for those risks that exceed your tolerance for the type of data you are storing.
Next time on this blog, I’ll be discussing how keeping “keys” in-house can create a win-win solution for data security in cloud environments.
To learn more about data privacy, check out the free report, “Where should I house my data?” today.