Cloud Data Storage Localization: Key ConcernsStoring Cloud Data Domestically Could Substantially Increase Costs. Is It Worth It?
The draft of a data protection bill released by the Ministry of Electronics and IT calls for requiring that a copy of all Indians' data be stored domestically.
See Also: Why CASBs Matter to Cloud Security
Meanwhile, India's Cloud Policy Panel, which has prepared its own draft report on the issue of data storage, recommends that all data on Indians, and not just a copy, should be stored within the country, Reuters reports.
"But before India enacts a domestic data storage mandate, all the cost implications must be carefully considered. Legislators must study whether the benefits justify the hefty costs involved."
But before India enacts a domestic data storage mandate, all the cost implications must be carefully considered. Legislators must study whether the benefits justify the hefty costs involved.
Certainly, domestic storage of data would help organizations have better control over their data and take appropriate security measures.
Localization of cloud data and any data stored or generated in India will help investigative and national security agencies to tackle against its misuse. The domestic storage will also make breach investigations easier. Having data in India helps address data privacy issues, create indigenous infrastructure without dependency and prevent misuse of data leakage internationally. (See: India's data protection bill draft: Reactions)
But the mandate would require a hefty investment in new infrastructure to store cloud data. And technology giants, including Amazon, Salesforce, Google, Microsoft and other service providers, would face the big task of ramping up their data storage centers in India as a cost of doing business here.
The draft report of the cloud policy panel, headed by Infosys co-founder Kris Gopalakrishnan, said a "forward looking" data protection regime was needed as India's IT laws framework was "not sufficient" for cloud computing, Reuters reports. And the council's recommendations, due Sept. 15, ultimately could be incorporated into the final version of the data protection bill.
Clearly, any requirement to store and process data locally may impose a substantial economic burden on domestic enterprises that provide goods and services with the help of foreign infrastructure, such as cloud computing.
Large foreign companies may be willing and able to invest in new servers within the territory where they want to operate. But the costs of domestic storage could prove burdensome for small and medium-sized businesses, both foreign and domestic, that would rather rely on cheaper foreign cloud service providers.
Regulators Reserve Bank of India and Insurance Regulatory and Development Authority of India already require banks and insurers to store all data domestically. And last year, the Ministry of Electronics and Information Technology mandated all cloud service providers handling government data to store it on servers in India.
The MeitY guidelines require that cloud service providers' contracts clearly state that all services and data will be guaranteed to reside in India, with cloud vendors including the details of the location of the data they are processing, storing or hosting for the government.
Questions to Consider
Before India adopts some sort of broader domestic data storage mandate, Parliament must consider some key questions. Those include: What's the definition of critical personal data that must be domestically stored? How does the cloud service providers address high power costs and the need to get various permits-which raise the cost of running data centers? How will this change the way confidential PII data is processed and stored and how can it be secured?
As they shift to domestic storage, many organizations might enter into contracts with the lowest-cost cloud services provider, hence impacting the quality of design, solution and services. And that could potentially hurt data security.
"Data localization will increase costs for public cloud companies as they will expand data center capacity to fit customer data currently hosted outside India," Santanu Patro, a research director with Gartner in India, tells Reuters. And that cost could be passed on to customers.
As the Cloud Policy Panel considers whether to recommend development of a "national cloud strategy" that could bring cloud service providers under a single regulatory and policy framework, it must also ensure that it adequately addresses security issues.