Handling export controls within a cloud-based infrastructure


If you're a manufacturing organisation with a healthy export business, you'll already be familiar with the fact that there are rules and regulations that govern where you can send the things you make.

It's not just products that are governed by export laws, though: data is equally relevant in today's export control regulations. The US government in particular has recently started to care more and more about the concept of controlled data being exported from the country – which matters if you're a cloud provider or user with data hosted in the US.

What types of data are controlled?

It's generally obvious which of your data might have some restriction on access. If you're in the defence or aerospace industry, for instance, the chances are that most of what you do is controlled: after all, the government won't want sensitive designs sent to countries deemed unfriendly. Be careful, though: data doesn't have to be blatantly sensitive to be controlled. Encryption software is the classic example (it has its own part of the information security category), so you need to be cautious about how you handle it. On the other hand, if information is publicly available there's nothing to worry about: a proprietary design may well be controlled, but once a patent for it has been published the information in that patent is public and is freely exportable.

There are ten categories in the US government's Commerce Control List. Many relate primarily to physical things (category 0 concerns nuclear materials, for instance) but categories 4 and 5 are more abstract: computers, and telecoms/information security systems. Within each category are five product groups; again the most interesting (and abstract) are software and technology. Since the concept of "technology" encompasses ideas and designs, this means that when moving the contents of your computer systems around you need to concern yourself with both the software and the data it processes.

What constitutes an export?

Exports can be blatant or subtle, so we'll start with the obvious one. If you pick up a disk containing controlled data and take it out of the country, that's an obvious export. The same applies if you copy data from a server to your laptop or PDA and then take it out of the country – that's pretty obviously an export too.

But what if you're outside the country when you access the data? Say, for instance, your servers reside in the US and your system management team is in London, or Delhi, or Paris: if you connect remotely from one of these locations into your US-based servers and read sensitive information, you've just exported it, even though the original data hasn't moved an inch. Reading the data outside its country of origin is as much an export as picking up the storage array and putting it on a flight.

There's a third type of export, though, which doesn't require the data to be moved or viewed outside the country. Imagine you have data whose export to country X is prohibited, and your support team (or your service provider's support team) is based in the same location as the data but includes nationals of country X. If those individuals have access to your data, that counts as an "implied" export (the regulations call it a "deemed" export) even though the data itself hasn't moved an inch.

The final aspect to bear in mind is that for the purposes of export control, it's not enough simply to ensure that the data isn't exported: you also need to take reasonable measures to ensure that it can't be exported. The government won't be happy if your data isn't secured sensibly even if it's not actually been the subject of an export.

Who can access my systems?

We've already mentioned the concept of an implied export, which prohibits nationals of the relevant countries from viewing your data. And we've said that you may not even be able to view your own data from overseas for the purposes of managing your systems. It's not all bad news, though: just because you can't look at the data doesn't mean you can't touch the systems at all.

The guideline is fairly simple: if accessing a system in a particular way would make it relatively easy to see sensitive data, you need to make sure controls are in place before you let anyone do it from the wrong place or with the wrong nationality. If the access path makes it genuinely hard to see the data, that's generally not a problem. Consider a couple of examples. Say your service provider runs backups for you, and that to do so they log into the server and kick off a process. If there's sensitive data on the disk, this risks an implied export, since a user logged into the operating system would probably find it easy to read the data.

On the other hand, if your SAN engineers do their administration from a foreign country, then even though they have full control over the SAN hardware and disk arrays, it would be pretty tricky for them actually to read the data, particularly if it's been encrypted at OS level, and so this would generally be perfectly fine. The caveat is that the encryption keys must be held at the OS or application layer and never on the array itself: an engineer who controls both the disks and the keys can read everything, and you are back to the first example.

Likewise your network engineers: although they could theoretically run up a packet capture and grab all the data that flows over the wires, actually reading it would be pretty tricky, and so this kind of work would usually be acceptable in the context of export control. The same caveat applies, though: that only holds while the traffic is encrypted in transit. A capture of a plaintext protocol is simply a readable copy of the data.

The US is presently leading the way with regard to caring about the control of data and software exports. We can expect the rest of the developed world to follow suit, though, and so when you're considering where to put your data, and where to manage it from, it makes a lot of sense to bear the potential issues in mind so you don't get bitten later.