Geographic restrictions sometimes influence an organization's use of colocation, cloud and other remote outsourcing...
Regulatory compliance and jurisdictional authority are serious concerns for businesses. Not only does compliance affect data retention, security, privacy and legal discovery, but it also imposes geographic restrictions on computing and data storage.
Location, location, location
Cloud services and other outsourcing providers are subject to the various laws and practices of their global footprint, which might not offer an IT organization the legal protection for data that it requires to conduct business.
Government agencies, health industries and financial institutions are the most sensitive to this issue -- a bank or municipality should not host workloads or store business records in a jurisdiction with lax or poorly enforced intellectual and business property rights laws.
"The U.S. has financial compliance regulations that require some businesses to know exactly where their data is stored," explained Scott Gorcester, CEO of VirtualQube, a hosted services provider in Woodinville, Wash. Likewise, U.S.-based data centers cannot hold Canadian financial data.
Disadvantages of outsourcing to commodity service providers like Amazon Web Services (AWS) include losing control: The organization's IT team cannot choose which data centers host its workloads or data stores.
Regulatory guidelines are often nebulous and poorly worded. U.S. guidelines generally don't prohibit specific jurisdictions; in some cases, regulations emphasize securing and accessing the data and pay less attention to its precise geographic location.
Consider one of the most well-known regulations for IT: the Health Insurance Portability and Accountability Act (HIPAA). "The assumption is that private medical data isn't leaving the United States, but the wording on security seems pretty vague," said Pete Sclafani, chief information officer at 6connect Inc., a software-defined network software provider based in San Francisco. "[The HIPAA regulation] focuses more on data being secure in its various stages of access or transmission, and that access rights are appropriate for the work being performed."
With due diligence, regulated organizations can operate in the cloud as securely as within a traditional local data center, said one director of infrastructure with a major financial company. He cites internal threats and connectivity providers' weaknesses as the larger security issues with cloud computing.
Take your word for it?
Companies that outsource IT workloads and data should always seek guidance from corporate compliance officers and legal counsel to evaluate specific requirements and guide development of service-level agreements (SLAs) and monitoring and tracking regimes.
Policy requirements sometimes force companies that outsource while under geographic limitations to certify the physical location of data. Only a few recognized tools are designed specifically for this purpose, such as NetBrain Enterprise Suite from NetBrain Technologies Inc., but outsourcing adopters still have several options.
Outsourcing is mostly trust-based, which is a challenge, Sclafani said. "If you get an AWS instance out of Dallas, you expect it to stay there unless you have a policy in place that says differently."
Make willingness to ensure geographic containment part of your requests for proposals from outsourcing providers, like colocation facilities or cloud hosting platforms. Review any formal contractual agreement or SLA terms where the outsourcing provider agrees to restrict computing activity based on geographic limitations, and impose corrective actions for violations. The outsourcing agreement often holds the provider, not the client, responsible for penalties incurred by putting data into a prohibited location.
For additional verification, experts recommend simple network traceroute utilities. These reveal the number of hops -- and ultimate endpoint -- for traffic exchanged with the outsourcing provider's IP address, for both IPv4 and IPv6 addressing. Unexpected changes in the number of hops and destination addresses might flag an issue for further investigation and SLA adherence.
"Once within a data center, the vendor could route [data] to another location; but why would they?" asked the director of a financial company. "You should be able to rely on network routing to a data center to identify where the data is going."
One of the easiest ways to monitor remote computing providers is to use tools that are already in place or to add third-party tools that can map networks and produce alerts. For example, 6connect Inc. established a protocol with three elements that uses at least two monitoring points. The product enables IPv4 and IPv6 services monitoring and traceroute report generation for every combination of service and IP address; it then tracks traceroute changes over time to determine if crucial network hops change.
The key to monitoring is identifying important hops. "Confirm which hops are crucial depending on how your provider names their routing infrastructure," Sclafani said. Then, the organization can isolate the hops that matter and monitor how they change over time. "This may also be helpful for SLA tracking, depending on what tools your vendor has in place," he said.
Given the complex nature of data regulations and legal jurisdiction issues, SLA terms and network monitoring may not be enough to ensure corporate compliance in every circumstance. Regardless of the SLA and monitoring scheme, add strong encryption for any data -- particularly sensitive or personally identifiable data -- that is stored in off-site locations.