If your data is in the cloud, do you know where it really is?
When enterprises use a public cloud Infrastructure-as-a-Service (IaaS) provider to store their data offsite, they're basically sending the data off into a service provider's data center. But just where is that data center?
Many IaaS providers are hush about the location of their data centers, and some for good reason related to security. But in some cases customers want to know where their data is being stored to ensure low latency connections to it, or in some cases for compliance reasons. So can customers know where their data is?
THE RANKINGS: 10 Most powerful IaaS companies
MORE POWER: 'High performance' emerges in cloud offerings
It's a concern that Michael Dickson, director of business and technology group at GBQ, an IT consultancy, says he hears all the time. "Customers are always asking that question, and I think it's a valid one," he says. "But I don't think it should be a negative that a provider spreads customer data around to various hosting sites." The best service providers, he says, have a network of data centers that work in tandem to provide high availability and security of customer data. Sometimes that means data will be moved around the country based on disasters, service levels, demand of resources and cost, among other factors.
For those who do want to know where the data lives, most of the major IaaS providers outline in a service-level agreement (SLA) or on the providers' website where the data will be stored and in some cases, customers even have a choice.
"Most of the largest providers have data center operations fairly well dispersed globally," says Michael Crandell of RightScale, which helps businesses migrate data to various cloud providers. "For the most part, it's pretty explicit where the data is."
At least to a point.
For example, Amazon Web Services' Simple Storage Services (S3) offering allows customers to choose one of seven locations around the globe for their data storage needs and where the customer chooses impacts the price. A standard AWS storage option costs 12 cents per GB up to the first TB of data. If a customer chooses to store the data in California, the price jumps to 14 cents per GB, and if it's stored in South America, it rises to 17 cents per GB. While AWS says that it doesn't disclose the exact location of its data centers, it does provide a map showing generally where they are.
Other providers seem to have similar strategies. Terremark, a Verizon company, has a network of six data centers that power the company's cloud offering, with plans to add four more. Customers can choose to have their data stored in Miami; Culpepper, Va.; Beltsville, Md.; Hong Kong; Sao Palo, Brazil or Amsterdam, a company official wrote in an e-mail.
So does it matter where the data is stored? Crandell says, generally speaking, to reduce latency customers want their data to be close to where it will be accessed by end users. The farther away the data is, the slower the speed of response. Online retailers, financial institutions and gaming companies can be particularly sensitive to latency concerns, he says. "If there's even a half second delay in a game or on an ecommerce site, that can be enough for people to click away to another site," he says.
Other times, customers may specifically want data in different locations for disaster recovery and business continuity reasons. Building in multiple layers of redundancy and data replications can guarantee that if there is an outage in one area, that the data is backed up somewhere else.
Tata Communications, the Indian global telecommunications company, has taken advantage of this. John Landau, senior vice president in the technology and service evolution business, says Tata has been offering an IaaS service with facilities in India and Singapore since 2010. They hope to soon expand into the U.S. and Europe. But as of now, their offerings appear to U.S. companies that have customers, R&D teams or other operations in those countries. "It's the conundrum of the cloud: Even though it's a potentially global infrastructure, customers still want local capabilities," he says.
For some customers, there can be regulatory requirements to keep data within domestic borders. Crandell and Landau say this is mostly applicable in European countries that require data stay in Europe. There is some fear, they say, that data in the U.S. could be subject to inspection from the USA Patriot Act.
Most of the common U.S. compliance standards, such as those from the Payment Card Industry, or to become HIPAA compliant for medical information, do not require information to be stored domestically, Dickson says. Instead, more on what controls are in place to protect the data and assurances that those protections are in place. If a provider with international operations can certify that their sites outside of the U.S. have those rigorous protections, then Dickson says it shouldn't really matter where the data is stored.
"As a security guy, I'm less concerned about where the data is and more concerned about the security controls around that data," he says. "If you want to know where your data is, don't move it keep it where it's at."