Gartner Blog Network

Security Thought for Thursday: It Shouldn’t Matter Where Your Data Is

by Neil MacDonald  |  July 23, 2009  |  6 Comments

When data is encrypted, the location of the data doesn’t matter (including in the Cloud). The location and management of the decryption keys is what matters.

Category: next-generation-security-infrastructure  

Tags: cloud-security  information-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Security Thought for Thursday: It Shouldn’t Matter Where Your Data Is

  1. Mark McDonald says:

    Niel, the idea of the data hiding in plan site is a good one and necessary for the cloud to gain commercial traction. However, the legal environment and precident is based on the location of the data and where it passes through, not where the keys are stored.

    This is one of the legal reforms that will need to happen, but right now any data stored on a server or passing through a server in a particular country is subject to the laws of that country regardless of where the keys go.

    I may park my car at the airport, take the keys with me on the plane to europe, but someone can still steal my car — or perhaps more appropriately steal parts of my car without the keys.

  2. Of course, “Availability” is still something we need to consider.

    Having said that – if your data is encrypted then you can put multiple copies all over.

  3. Neil MacDonald says:

    Mark, agree and disagree — Agree that the laws and regulations haven’t caught up with the technology. That’s why I said “shouldn’t” in the title…

    Disagree on the car analogy. The pieces of the car (and indeed the entire car) are still useful without the keys. Encrypted digital data is not.

  4. Neil MacDonald says:

    Allen, thanks – yes – something like Cloud RAID (striping) is essentially the foundation for Google’s availability.

    Check out this description of “veiled” – also encrypted and uses the Cloud to transparently make multiple copies

  5. Jeffrey Mann says:

    It is not a question of needing legal reforms, the current legal situation is totally out of kilter with reality.

    When I post this comment, I can be sure that it passes at least through servers located in The Netherlands and the US. Most likely, it hits several other countries that I don’t know about. If I were to push the button 2 milliseconds later, it would pass through another set of countries. If I posted from a smartphone, a completely different set of actors and laws would apply. Determining where the data is stored and passes through is almost meaningless.

    I see two main reasons why Neil is right.

    1) You cannot rely on location to provide protection. There can be legal and business reasons to store data in a particular place, but do not believe that the legal jurisdiction provides protection for your data. In order to use it, the data most likely has to pass over other countries, and the legal protection provided by any jurisidiction is probably not as clear as you think it is. The only way to be sure your data is protected, is to protect it yourself.

    2) The benefits of the Cloud are going this way. Putting restrictions on how cloud instrastructures are operated necessarily reduces efficiency. We can debate about how large the effect is, but restricting options can only increase costs and reduce flexility.

  6. […] Bad pun, but true. I originally talked about this in this post. […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.