Azure, Amazon Web Services, Go Daddy, HostDime.com…organizations around the globe select these services to host data for their businesses without actually having to go through the effort and expense of building and maintaining their own data center.

But…when you purchase a hosting contract and proceed to use the service, do you know where your data actually is? Some of these services have data centers around the world. Most of the time you are given an IP address and a set of credentials to log in, install your applications and host your data. But where does that server exist? What are the laws surrounding the data centers where the servers exist? For example: European Union laws indicate that once the application or data is hosted on a server in a member state, it becomes subject to EU data laws.

The result is that what may be legal in the United States or elsewhere outside of the EU may run afoul of the law without the data owner even realizing it, and the owner cannot even transfer the data back out of the union without getting the permission of every “data subject.” Think about that in the context of credit card systems or other systems holding massive numbers of personal records. For companies subject to government regulations or industry requirements, these are considerations that must be taken into account from both a legal standpoint and an audit standpoint. When the auditors come poking around and asking where your data is, your answer will often set the context for the rest of your audit.

Now let's turn this little exercise on its head…what if you are the service hosting applications and data for your customers…do you know where the data came from? Several hosting companies found themselves out of compliance with a recent presidential executive order making it illegal for US companies to provide any sort of “technological support” to the governments of Syria and Iran.

The aforementioned HostDime.com found itself hosting several websites of the Syrian government. Several other hosting companies also found themselves on the wrong side of the law. As each company was notified of its violations, the illegal websites and/or the hosting servers were pulled or shut down, but the legal and reputation costs for the hosting services may have been high. These examples illustrate the difficulties both of hosting data and of having your data hosted.

The conundrum is astounding…on one side you are always responsible for your data, but now you may also be responsible for someone else’s data. You can bet that legal departments everywhere are sitting down and looking at their hosting contracts to determine their exposure to these sorts of paradoxical liabilities.

At the same time, your IT security ninja is getting the call from the CISO, who is protecting the business and asking…where did that data come from? Are we still in compliance with our laws? Someone else’s laws? It’s 11pm…do you know where our data is?


Chris Orr

Chris Orr has contributed 38 posts to The State of Security.
