Cloud // Software as a Service
03:10 PM
Connect Directly
Repost This

Managing Export-Controlled Data In The Cloud

As IT pros evaluate cloud computing services, they must be aware of federal regulations that restrict where certain data gets stored, or potentially face serious penalties.

In the public cloud scenario, the customer generally has no control over or knowledge of the exact location of its data, and in fact, there could be multiple copies of its data in multiple locations. Providing export-controlled data to a data center located outside the U.S. could be considered an export to the data center location, which could require export authorization.

Additionally, once the company hands over its data to the service provider, the customer has limited control over who has access to the data. From a security perspective, that is no doubt of great concern. In addition to requiring strong security controls, companies with export-controlled data must implement measures to prohibit foreign nationals from having access to their export-controlled data.

Companies wary of turning over their data to public clouds have been considering private cloud models, in which the cloud service provider constructs a cloud solely for one organization, or hybrid clouds, which enable data and application portability between a private cloud and a public cloud (so more sensitive data can be kept in the private environment).

Any scenario in which a third-party service provider has access to your company’s export-controlled data introduces risk of improper disclosure to that third party for which your company could be liable.

To minimize the risk of improper disclosure of your export-controlled data, following are some key questions to ask the cloud provider:

How is the cloud service set up to comply with U.S. export controls?

Where in the world will your data be stored?

How is sensitive data segregated and controlled?

Would any foreign nationals have access to your data?

Does an auditable trail exist?

It's important for IT departments to have answers to these questions as they evaluate cloud services.

Marsha McIntyre is an attorney at Hughes Hubbard & Reed LLP who focuses on export controls and sanctions. Prior to joining Hughes Hubbard & Reed, McIntyre worked at the U.S. Department of State, Office of the Legal Adviser, providing guidance on international trade issues.

2 of 2
Comment  | 
Print  | 
More Insights
The next wave in APM
The next wave in APM
Find out how to get the benefits of application monitoring while avoiding the complexity and performance headaches.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government, May 2014
NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.