Data locality is a compliance control, not a security control

How important to you is that your data storage and its computation are kept close together? Intuitively you might think that long, cross-border distances between computation and storage might cause security issues, but is this really the case?

Mark Anderson, National Security Officer at Microsoft Australia, joins PrivSec Report to discuss this topic and try to straighten out what he sees as a few misconceptions about data locality and security.

For Anderson, the idea that security is intrinsically tied to where the data resides is outdated.

“If you are talking about traditional IT and traditional outsourced IT, when lift and shift meant physically picking up servers and putting them somewhere else, it does make sense. But in the context of when you move to hyperscale cloud providers the architecture and protections in place are different, it actually means the location of the data is less important in terms of security.”

Mark Anderson, National Security Officer at Microsoft Australia

Anderson’s mantra is that “locality is not a security control, it’s a compliance control”.

By this he means it is the need to comply with local laws and regulations that can affect data locality needs, rather than security itself.

He says: “Let’s say you use SharePoint in Office 365, and you’ve got data in SharePoint in Sydney and you’ve got it in Singapore and you’ve got it in Sao Paolo. The technical security controls against that are globally identical, for example you are not more encrypted in one country than you are in another, the playing field is equal, as this is the only way you achive hyperscale could through standard patterns.”

So why are some people nervous about data moving across borders? Anderson believes there is sometimes an almost “nationalistic” mindset, with concerns that if data is supplied to a company chain with an American ownership for example, this means Americans can “fiddle with your data”. He says: “The idea that data must never leave our shores, and can only reside in an Australian data centre for reasons of security is a false sense of security.”

For Anderson then, when it comes to the Microsoft cloud, data locality concerns are much more about complying with regulations and laws.

Even then, he says, there is often confusion as people assume that ensuring privacy means making sure data never leaves their home jurisdiction.

“To give you an example, a few weeks ago I was on a call with a customer and they were insisting data can never leave Australia. While on that call we went on to their website to check their privacy policy and it said that they retain the right to move the data overseas in alignment with the Australian privacy principles,” says Anderson. He makes it clear that Chief Privacy Officers and specialist staff in data protection and privacy are aware of this but many others in other departments aren’t.

The key to helping dispel the myths around data locality concerns says Anderson, is to respectfully challenge the customer to point to a specific rule or regulation that would prevent the data being moved.

In most cases, with some exceptions, says Anderson, data can actually be moved cross-border “provided that the location that you’re placing the data in has controls that are equal to or greater than the strength that we are expecting here”.

While confusion may be behind criticism of companies movement of data cross-borders, Anderson is also keen to point out that Microsoft has a number of strong controls to ensure data protection is paramount.

“Ultimately in our contracts it explicitly says we don’t own your data, we are hosting it for you and proving you with online services that you’ve requested from us, but we don’t own your data, you own the data”, Anderson says, explaining further that this is not described as disclosure because Microsoft does not look at the data or touch it.

Anderson also says that when Microsoft implements a new control to meet higher standards of security and compliance, such as GDPR in Europe, everybody around the world inherits the same controls. This is partly to do with the fact that Microsoft operates at such a large scale that it is not practical to implement different standards in different operations depending on where they operate. But also, says Anderson it is about ensuring standards remain high regardless of locality. “It lifts everybody else up. Every time new laws and regulations and rules come in that mean we need to put some form of new control in, everybody gets it.”

This also means that customers globally benefit from all of the company’s controls, including ISO certification and other assurances.

The final piece of security Anderson outlines is the physical security of the data centres themselves. Anderson stresses that none of the data centre operators, who operate the physical assets, have access to the data itself. Furthermore, police or other bodies cannot compel somebody to go in and get the data.

Even if police or security services were to show up and try and seize the data, it wouldn’t work, says Anderson.

“It is impractical because even a small data centre will have thousands of servers and none of these servers are labelled with ‘customer a’, and ‘customer b’, he says.

So what next for Microsoft?

Anderson says that Microsoft will always be trying to increase privacy and security controls because not only is it the right thing to do for Microsoft’s customers. “Ultimately that is what our stock price is based on, our entire business is based on trust,” he says emphatically.

Read more:

• With support for 150+ standards/regulations/frameworks from across the globe, the Microsoft 365 Compliance Manager tool can help you simplify compliance and manage risk more effectively across your digital estate. To learn more, click here.
• Learn more about how Microsoft’s Information Protection solutions can help you assess, classify, protect and monitor your data across your digital estate through this trusted Information Protection whitepaper. Click here.