
Managing Compliance Risk Related to Location in the Cloud

From the 1960s to the 1980s, a public service announcement ran on American television, asking parents the disquieting question: "Do you know where your children are?" Boards of multinational organisations concerned about international compliance should be asking themselves a similar question about the whereabouts of the business-critical data and applications they have placed in the Cloud. Those precious items tucked up on a server in London tonight could be somewhere else tomorrow, and in yet another location next month. The point here is not physical safety. Arguably, as current events have graphically demonstrated, there are precious few safe havens in the world today. The issue is location, and which country's law attaches to it.

As a board member, you know the countries in which you operate, but do you know the countries in which all of your applications and data are stored? Location is critical for assessing an organisation's international compliance obligations and their attendant risks, because the law that applies to data is still largely determined by where it is physically held, and that will remain the norm until international legislatures catch up with the implications of the Cloud and develop laws that govern its many aspects. As the Open Web Application Security Project (OWASP) has noted, "A cloud provider may physically store a consumer's data in various countries. Such architecture poses several risks. For example, a country has its own legal system, and the cloud provider operating in that country is bound to that system. The laws of a country may force a cloud provider to permit legal officials to access the data, and any encryption keys, stored in that country's geographical boundary." (http://www.owasp.org/index.php/Cloud-10_Accountability_and_Data_Ownership)

The Cloud Security Alliance has also offered useful guidance regarding the location of what they call "information system elements" (data, objects, applications, infrastructure, and hardware) in relation to compliance. In their Cloud Controls Matrix, for example, they recommend assigning "a legislative domain and jurisdiction to facilitate proper compliance mapping" for each of the aforementioned elements. (Please see: https://cloudsecurityalliance.org/cm.html.)

We recommend making this mapping a part of your Manage Compliance Process Matrix, which we have written about previously here. (Please see: http://inforiskawareness.co.uk/the_benefits_of_a_manage_compliance_process_matrix/.) We say "a part" because, for most large organisations, the Cloud will form only one component of their overall IT environment. Therefore, in our sample matrix, "Define the Compliance Management Environment" would incorporate the Cloud and lead logically to "Define and Communicate the Compliance Strategy". This, in turn, would lead to a comprehensive analysis that settles, among other important matters, which Cloud locations are permissible for each class of data and application.
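As an added example (not code from the original post, nor from the CSA or OWASP), the following Python sketch shows one way to carry the CSA's per-element jurisdiction assignment into a check that can be rerun whenever the inventory changes. Each information system element is recorded with its primary region and every region that holds a replica or backup; each region is mapped to a legal jurisdiction; and anything that cannot be shown to sit inside the permitted set is reported. The inventory, the region-to-jurisdiction table and the permitted set are constructed assumptions for illustration, not real systems or an authoritative list of provider regions.

```python
"""Data-residency check for cloud 'information system elements'.

Added example, not code from the original post or from the CSA/OWASP.
The inventory, region table and permitted set below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed mapping of provider region identifiers to legal jurisdictions
# (ISO 3166-1 alpha-2). Illustrative only: take the authoritative list
# from the provider's own region documentation.
REGION_JURISDICTION = {
    "eu-west-2": "GB",
    "eu-central-1": "DE",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}


@dataclass(frozen=True)
class Element:
    """One CSA element type (data, object, application, infrastructure,
    hardware) together with every region that holds a copy of it."""
    name: str
    kind: str
    primary_region: Optional[str]          # None: provider has not disclosed it
    replica_regions: Tuple[str, ...] = ()  # backups, DR copies, caches


@dataclass(frozen=True)
class Finding:
    element: str
    region: Optional[str]
    jurisdiction: Optional[str]
    reason: str


def jurisdiction_for(region: Optional[str]) -> Optional[str]:
    """Map a region to its jurisdiction; None if unknown or unmapped."""
    return REGION_JURISDICTION.get(region) if region else None


def check_residency(inventory: List[Element], permitted: Set[str]) -> List[Finding]:
    """Return a Finding for every (element, region) pair that cannot be
    shown to sit inside a permitted jurisdiction. Unknown or unmapped
    regions are findings too: a location you cannot name is a location
    you cannot map to a legal system."""
    findings: List[Finding] = []
    for elem in inventory:
        for region in (elem.primary_region,) + tuple(elem.replica_regions):
            if region is None:
                findings.append(Finding(elem.name, None, None, "location not disclosed"))
                continue
            jur = jurisdiction_for(region)
            if jur is None:
                findings.append(Finding(elem.name, region, None, "region not in jurisdiction map"))
            elif jur not in permitted:
                findings.append(Finding(elem.name, region, jur, "outside permitted jurisdictions"))
    return findings


# Constructed inventory (not real systems), using the CSA element types.
INVENTORY = [
    Element("customer-db", "data", "eu-west-2", ("eu-central-1",)),
    Element("customer-db-backup", "object", "eu-west-2", ("us-east-1",)),
    Element("billing-app", "application", "eu-west-2"),
    Element("ml-training-set", "data", None),
    Element("edge-cache", "infrastructure", "eu-west-2", ("ap-south-1",)),
]

# Assumed policy: only UK and German jurisdictions are permissible.
PERMITTED = {"GB", "DE"}

if __name__ == "__main__":
    for f in check_residency(INVENTORY, PERMITTED):
        print(f"{f.element}: {f.region} ({f.jurisdiction}) - {f.reason}")
```

Two design choices matter for the compliance question the article raises. Replica and backup regions are checked alongside the primary, because a copy held in another country creates the same legal exposure as the original. And an undisclosed or unmapped location is reported rather than silently passing, since not knowing where an element sits is precisely the failure the board is being asked to rule out.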

Because this issue can have such serious international compliance consequences, boards of large organisations would be prudent to make someone both responsible and accountable internally for knowing the precise physical location of the organisation's data and applications, and for ensuring that this information is thoroughly covered in their Service Level Agreements (SLAs). An SLA that names a region for primary storage but is silent on backups, replicas and the locations from which provider staff may access the data leaves the question only half answered; it should also oblige the provider to give notice before any of those locations change.


© d2OPS international | all rights reserved