Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

Security Thought for Thursday: It Shouldn’t Matter Where Your Data Is

by Neil MacDonald  |  July 23, 2009  |  6 Comments

When data is encrypted, the location of the data doesn’t matter (including in the Cloud). The location and management of the decryption keys is what matters.

6 Comments »

Category: Next-generation Security Infrastructure     Tags: ,

6 responses so far ↓

  • 1 Mark McDonald   July 23, 2009 at 8:22 am

    Niel, the idea of the data hiding in plan site is a good one and necessary for the cloud to gain commercial traction. However, the legal environment and precident is based on the location of the data and where it passes through, not where the keys are stored.

    This is one of the legal reforms that will need to happen, but right now any data stored on a server or passing through a server in a particular country is subject to the laws of that country regardless of where the keys go.

    I may park my car at the airport, take the keys with me on the plane to europe, but someone can still steal my car — or perhaps more appropriately steal parts of my car without the keys.

  • 2 Allen Baranov   July 23, 2009 at 8:29 am

    Of course, “Availability” is still something we need to consider.

    Having said that – if your data is encrypted then you can put multiple copies all over.

  • 3 Neil MacDonald   July 23, 2009 at 10:02 am

    Mark, agree and disagree — Agree that the laws and regulations haven’t caught up with the technology. That’s why I said “shouldn’t” in the title…

    Disagree on the car analogy. The pieces of the car (and indeed the entire car) are still useful without the keys. Encrypted digital data is not.

  • 4 Neil MacDonald   July 23, 2009 at 10:13 am

    Allen, thanks – yes – something like Cloud RAID (striping) is essentially the foundation for Google’s availability.

    Check out this description of “veiled” – also encrypted and uses the Cloud to transparently make multiple copies

    http://www.eweek.com/c/a/Security/Researchers-to-Unveil-BrowserBased-Darknet-at-Black-Hat-581087/?kc=EWKNLSTE07232009STR1

  • 5 Jeffrey Mann   August 24, 2009 at 3:41 am

    It is not a question of needing legal reforms, the current legal situation is totally out of kilter with reality.

    When I post this comment, I can be sure that it passes at least through servers located in The Netherlands and the US. Most likely, it hits several other countries that I don’t know about. If I were to push the button 2 milliseconds later, it would pass through another set of countries. If I posted from a smartphone, a completely different set of actors and laws would apply. Determining where the data is stored and passes through is almost meaningless.

    I see two main reasons why Neil is right.

    1) You cannot rely on location to provide protection. There can be legal and business reasons to store data in a particular place, but do not believe that the legal jurisdiction provides protection for your data. In order to use it, the data most likely has to pass over other countries, and the legal protection provided by any jurisidiction is probably not as clear as you think it is. The only way to be sure your data is protected, is to protect it yourself.

    2) The benefits of the Cloud are going this way. Putting restrictions on how cloud instrastructures are operated necessarily reduces efficiency. We can debate about how large the effect is, but restricting options can only increase costs and reduce flexility.

  • 6 Encryption Will be a Key Foundation for Cloud Security   February 22, 2010 at 5:09 pm

    [...] Bad pun, but true. I originally talked about this in this post. [...]