Location Location Location

Data Dilemma: Location, Location, Location (& Location)

Location Location LocationWhile still important today, by 2020 the physical location of data will be largely irrelevant, according to a new report from Gartner. That may not be as big a concern as it might appear because another recent study finds that not knowing the location of sensitive or private data is the foremost concern of today’s IT security practitioners, topping hacker attacks, malicious employees, and concerns around compliance. Based on an Informatica-sponsored Ponemon Institute global survey of more than 1,500 IT and IT security professionals, The State of Data Centric Security reported that only 16% know where all their sensitive structured data resides, and a minuscule 7% know the location of all sensitive unstructured data, including data in emails and documents.

“The findings indicate that sensitive and confidential data continues to proliferate beyond traditional IT perimeters,” said Dr. Larry Ponemon, Ponemon chairman and founder. “The majority of respondents agree that not knowing the location of data poses a serious security threat.”

Gartner believes that in the not-so-distant future the physical location of data will be replaced by a combination of legal, political, and logical locations in most organizations. “None of the types of data location solves the data residency problem alone,” said Gartner research VP Carsten Casper.

“The future will be hybrid — organizations will be using multiple locations with multiple service delivery models. IT leaders can structure the discussion with various stakeholders, but eventually, it’s the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO.”

Caspar said the number of data residency and data sovereignty discussions has soared in the past 12 months, stalling technology innovation in many organizations. “IT leaders find themselves entangled in data residency discussions on different levels and with various stakeholders such as legal advisors, customers, regulatory authorities, employee representatives, business management, and the public,” he said.

“Business leaders must make the decision and accept the residual risk, balancing different types of risk: ongoing legal uncertainty, fines or public outrage, employee dissatisfaction or losing market share due to a lack of innovation, or overspending on redundant or outdated IT.”

So at a time when the significance of data is escalating, while data volumes are growing in the range of 50% per year, and as backups and replication are adding to the data avalanche, organizations must also determine where and how to store their corporate jewels. And they must do all of that with limited budgets and resources. Hmmmmm.

Location, Location, Location (& Location)

1) Physical Location: Historically, people equated physical proximity with physical control over data and security. Although everybody knows that locally stored data can be accessed remotely, the desire for physical control still exists, especially among regulatory bodies.

2) Legal Location: Although many IT professionals are not aware of the concept of legal location, it is determined by the legal entity that controls the data (the organization). There could be another legal entity that processes the data on behalf of the first entity (such as an IT service provider) and a third legal entity that supports the second one in that endeavor (possibly a captive data center in India).

3) Political Location: Considerations such as law enforcement access requests, use of inexpensive labor in other countries that puts local jobs at risk or questions of international political balance are more important for public sector entities, nongovernmental organizations (NGOs), companies that serve millions of consumers or those whose reputation is already tainted.

4) Logical Location: This is emerging as the most likely solution for international data processing arrangements and is determined by who has access to the data.

Image credit: WikiMedia Commons / CC-BY-SA