[3 min read]
It is amazing to think about how much data we all create these days. With so many employees working remotely, and the rise in the number of cloud-based services such as Google Cloud and iCloud, a recent report estimates that data will grow from 64.2 zettabytes in 2020 to more than180 zettabytes by 2025. To put that in perspective, if all that data were stored on compact discs, the stack of CDs would reach beyond the moon, if the stack did not topple over. Data can be replicated in many places from our smartwatches to the apps on our phones, as I discussed in my blog post on data security and ownership. While consumers may not always know - or care - where data is physically stored, credible organizations must know the physical location of their data to effectively manage their security and risk management programs and for effective business continuity.
We have all experienced major data outages from cloud service providers, such as Amazon Web Services, extending across entire geographic regions for an extended period of time. While this is an extreme scenario, and most customers would understand an outage as a result of a major event, these incidents happen more regularly on a smaller scale. The physical infrastructure that supports the internet is complicated but it runs through a finite number of exchange points.
Global Internet Exchange Points (IXPs)
When we host our data in the cloud, or when we rely on third-party services that are hosted in the cloud, there may be a tendency to think that our services are immune to proximity-based outages. But as is shown in the Amazon Web Services example, geographic incidents can impact many services. It is critical for organizations to understand and make choices about the physical location of data and how it will be protected.
For example, in the US you may want to ensure that you have redundant services on both the East and West Coasts. This way, in the event of a major incident in either location, service can continue uninterrupted. By considering the location of data, you are protecting access to the data and ensuring its availability.
[Read more: Embracing a Data-Driven Approach to Risk Management is the Key to Success]
While not necessarily service-impacting, privacy regulations can also depend on the physical location of your data. For example, information hosted in the US is subject to laws such as the Patriot Act. The Patriot Act allows US government agencies the right to request access to an organization’s data that meet the requirements set out by the Act.
Similarly, data located in the European Union (EU) will be governed by numerous EU regulations like GDPR. GDPR is considered one of the toughest privacy laws and many companies have fallen foul of the GDPR regulations resulting in significant fines. GDPR fines reached a record in 2021 including the largest of over $847 million against Amazon.
CNET: GDPR Fines - the biggest sanctions handed out so far
When it comes to data privacy, the physical location of the data may not be the only factor governing the applicability of privacy regulations. The residency of the individual accessing the day may also play a part. For example, even if data is not physically located in California, a Californian accessing that information is still subject to the California Consumer Privacy Act (CCPA).
Likewise, individuals with no data assets in the EU are still subject to GDPR regulations. If an EU national is accessing your information from within the US as intended then you are technically subject to GDPR. It is therefore critical to understand the implications of where data is stored, the location from where it is accessed, and who is accessing it.
The good news is that there are tools to help CISOs and IT departments track and manage the location of data. The MyVCM platform enables constituents across an organization to track and manage all corporate data assets. By leveraging integrated risk management tools, such as MyVCM, CISOs have visibility into where data assets are located and what’s stored in the assets. They can also create policies and procedures around who should access the assets and data. The MyVCM platform allows CISCs and their teams to create vendor risk assessments to understand where their vendors are storing their data and what protections and rights are, or are not, in place to ensure resilience and compliance. The MyVCM platform helps companies map to over 125 standards and regulations, all included in the cost of the platform. Talk to an Ostendio expert to find out more about how using MyVCM could improve your data security program.