Report: Importance of Data's Physical Location Diminishing

• By Joshua Bolkan
• 07/03/14

The physical location of data will become "increasingly irrelevant" over the next several years and will be replaced by other notions of location at most organizations by 2020, according to a new report, "The Snowden Effect: Data Location Matters," by market research firm Gartner.

Discussions of data residency and sovereignty have risen sharply in the last year, slowing down technology innovation, according to Carsten Casper, research vice president at Gartner. "Originally triggered by the dominance of U.S. providers on the Internet and the Patriot Act, the perceived conflict was then fueled by revelations of unexpected surveillance by the National Security Agency (NSA) made public by Edward Snowden," according to a news release.

"IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management, and the public," Casper said, in a prepared satement. "Business leaders must make the decision and accept the residual risk, balancing different types of risk: ongoing legal uncertainty, fines or public outrage, employee dissatisfaction or losing market share due to a lack of innovation, or overspending on redundant or outdated IT."

The Gartner report defines four types of data location:

• Physical location, which is traditionally equated with physical control and security of data. "Although everybody knows that locally stored data can be accessed remotely," according to a news release, "the desire for physical control still exists, especially among regulatory bodies. Gartner advises organizations not to dismiss concerns about physical location, and instead balance the discussion with other types of risk."
• Legal location is determined by the entity controlling the data, though it may be processed by an entity in another physical location. Many IT professionals are not familiar with the idea of legal location, according to Gartner. "Statements like 'it's illegal to store such data outside the country' are often interpretations of legal language that is far less clear," said Casper, in a prepared statement. "Each organization must decide whether they accept those interpretations."
• Politcal location of data includes "Considerations such as law enforcement access requests, use of inexpensive labor in other countries that puts local jobs at risk or questions of international political balance," which "are more important for public sector entities, nongovernmental organizations (NGOs), companies that serve millions of consumers or those whose reputation is already tainted," according to the company.
• Logical location is determined by access to data and who has it. "For example," according to Gartner, "a German company signs a contract with the Irish subsidiary of a U.S. cloud provider, fully aware that a backup of all data is physically stored in a data center in India. While the legal location of the provider would be Ireland, the political location would be the U.S. and the physical location would be India, logically, all data could still be in Germany." Such an arrangement would require all data to be encrypted with keys in Germany.

"None of the types of data location solves the data residency problem alone," Casper concluded. "The future will be hybrid — organizations will be using multiple locations with multiple service delivery models. IT leaders can structure the discussion with various stakeholders, but eventually, it's the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO."

The full report is available at gartner.com.