A growing trend in information technology is obviously the use of cloud-based hosting. In many cases, the hosting of applications and data involves the use of large providers covering a number of geographies all over the world. The benefit to this is the ability to use infrastructure located in different geographies to host your cloud-based application. If an issue occurs in one geographic location that negatively impacts your application, the load can simply be moved either manually or automatically to a different geography. This can help to ensure that you’ve covered the foundational security tenet of availability.
Data, on the other hand, often has restrictions that preclude the ability to move it from location to location. Various regulatory and privacy requirements may force you to keep your data within a certain geographical boundary such as within one country or collection of countries. The cloud-based architecture described above still works as you can easily control which geographies your cloud-based applications and data reside within.
Or can you?
Let’s take a hypothetical situation to illustrate the challenge:
Company XYZ has an agreement in place to utilize the cloud hosting capabilities of Company ABC. Company XYZ’s data includes particular elements which cannot leave the United States due to regulatory requirements. Company XYZ uses Company ABC’s management console to select only US-based infrastructure in their cloud application deployment. The application is deployed to the cloud infrastructure and begins collecting, and appropriately restricting, the protected data.
Company XYZ identifies a problem with their application that indicates some sort of an infrastructure issue. They contact their cloud service provider for assistance in troubleshooting the issue. Company ABC receives the support request and begins working with Company XYZ to find the issue. This involves the Company ABC support technician accessing the cloud infrastructure to perform troubleshooting.
This scenario is very common and has been experienced by most consumers of cloud-based services. From the regulatory perspective, however, what if the support technician is not located in the United States? Company XYZ’s data is now theoretically available across geographical boundaries. Are they out of compliance? Did either company do anything wrong? Did the contractual agreement between them indicate any geographical boundary protection or did it indicate that data is the responsibility of the customer?
It’s important to play out various scenarios as you look at regulatory requirements and how they apply to your use of cloud infrastructure. The use of cloud-based hosting changes or eliminates the data boundary and can have an impact to your regulatory compliance.