Managing Export-Controlled Data In The Cloud - InformationWeek
Cloud // Software as a Service
03:10 PM

Managing Export-Controlled Data In The Cloud

As IT pros evaluate cloud computing services, they must be aware of federal regulations that restrict where certain data gets stored, or potentially face serious penalties.

Companies evaluating cloud computing must consider the regulatory compliance implications of this new approach to computing. One area of concern is whether any of your company’s data is controlled under U.S. export control rules, including whether use of cloud services could lead to the disclosure of controlled technical data without the required export authorization.

It is important to consider export control implications of IT decisions early in the process because U.S. export control rules have a strict liability standard, meaning that a violation occurs whether the unauthorized disclosure was accidental, negligent, or intentional. Individuals, as well as companies, may be held responsible for export violations. The penalties for non-compliance are severe, ranging from $250,000 to $1,000,000 per violation. Individuals could face up to 20 years imprisonment.

The most popular cloud computing option is public cloud computing. A common example is Web-based e-mail like Google’s Gmail. In the public cloud scenario, the customer generally has no control or knowledge over the exact location of the provided resources. Usually the customer is presented with a standard service level agreement with limited or no ability to tailor the terms of use. Without the ability to tailor the service parameters to a company’s business, it is likely that public cloud solutions will not meet export compliance standards, if such needs exist.

Recently, some cloud service providers have been marketing their services as export control compliant. Knowing the basic U.S. export control rules governing technical data should help companies decide whether cloud computing services being offered to them meet their export compliance needs for all their systems and applications.

IT departments must determine whether export-controlled data may be contained on their systems and work with their legal department to formulate a plan for handling such data inside or outside of the cloud. For the purposes of this discussion, controlled technical data is data controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Typically, this information is in the form of blueprints, drawings, models, formulae, specifications, photographs, plans, instructions, or documentation regarding an export-controlled item or service.

U.S. companies are prohibited from exporting controlled technical data to certain foreign countries without an export license. For example, sending an e-mail with export-controlled technical data to a customer in India would be an export of the data to India and could require export authorization.

The rules also restrict the release of export-controlled technical data to certain foreign nationals, inside or outside the U.S., without an export authorization. (To do so would be considered an export to that person’s country of citizenship.) Companies are often surprised by this rule. For example, if an American engineer in the U.S. walks blue prints for the manufacture of an export-controlled item down the hall to his colleague who happens to be an Indian citizen, or e-mails them to him, this would be considered an export to India and could require export authorization.

Companies in the defense industry should also be aware that, under ITAR, merely giving foreign nationals access to defense technical data, whether or not the foreign national actually views it, is considered an export that requires authorization.

1 of 2
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll