Cloud // Software as a Service
03:10 PM
The Analytics Job and Salary Outlook for 2016
Jan 28, 2016
With data science and big data top-of-mind for all types of organizations, hiring analytics profes ...Read More>>

Managing Export-Controlled Data In The Cloud

As IT pros evaluate cloud computing services, they must be aware of federal regulations that restrict where certain data gets stored, or potentially face serious penalties.

In the public cloud scenario, the customer generally has no control over or knowledge of the exact location of its data, and in fact, there could be multiple copies of its data in multiple locations. Providing export-controlled data to a data center located outside the U.S. could be considered an export to the data center location, which could require export authorization.

Additionally, once the company hands over its data to the service provider, the customer has limited control over who has access to the data. From a security perspective, that is no doubt of great concern. In addition to requiring strong security controls, companies with export-controlled data must implement measures to prohibit foreign nationals from having access to their export-controlled data.

Companies wary of turning over their data to public clouds have been considering private cloud models, in which the cloud service provider constructs a cloud solely for one organization, or hybrid clouds, which enable data and application portability between a private cloud and a public cloud (so more sensitive data can be kept in the private environment).

Any scenario in which a third-party service provider has access to your company’s export-controlled data introduces risk of improper disclosure to that third party for which your company could be liable.

To minimize the risk of improper disclosure of your export-controlled data, following are some key questions to ask the cloud provider:

How is the cloud service set up to comply with U.S. export controls?

Where in the world will your data be stored?

How is sensitive data segregated and controlled?

Would any foreign nationals have access to your data?

Does an auditable trail exist?

It's important for IT departments to have answers to these questions as they evaluate cloud services.

Marsha McIntyre is an attorney at Hughes Hubbard & Reed LLP who focuses on export controls and sanctions. Prior to joining Hughes Hubbard & Reed, McIntyre worked at the U.S. Department of State, Office of the Legal Adviser, providing guidance on international trade issues.

2 of 2
Comment  | 
Print  | 
More Insights
8 Steps to Modern Service Management
8 Steps to Modern Service Management
ITSM as we know it is dead. SaaS helped kill it, and CIOs should be thankful. Hereís what comes next.
Register for InformationWeek Newsletters
White Papers
Current Issue
How to Knock Down Barriers to Effective Risk Management
Risk management today is a hodgepodge of systems, siloed approaches, and poor data collection practices. That isn't how it should be.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.