Will MSPs Demand On-Shore Hosted Data?

During several of my recent phone calls with managed service providers, an interesting — and controversial — debate popped up. Some industry insiders say more and more MSPs based in the U.S. are only willing to work with on-shore hosting providers.

I may earn some spam from readers, but I think the location of data is becoming less relevant rather than more relevant. Am I crazy?

Before you flame me, please consider these points:

  • Whether data sits on a hard drive below your desk or somewhere on the other side of the world, it’s at risk.
  • You can mitigate risk with aggressive contingency plans, backup and recovery strategies, and well-documented best practices (which, by the way, require regular practice).
  • You can further mitigate risk by leveraging a data center provider that complies with SAS 70 Type II service auditor reports and other types of controls.

Still, I hear that more and more MSPs promote the fact that they’re hosting data within U.S. borders. And Ingram Micro is quick to note that its Seismic services are all hosted in the U.S.

Is this a true customer benefit? Should MSPs worry about where their data is hosted? I’m all ears.

6 Comments on “Will MSPs Demand On-Shore Hosted Data?”

  1. Lane Smith Says:

    Joe,

    I am not convinced that there is any actual benefit to this. Although I do believe that Uncle Sam has the right to view any data that is transmitted across the border. I have not seen any of our US customers worry about this but I do know that in Canada they have a law that states no government organization can keep its data in the US. We have many resellers in Canada and if they deal with the government we have to address this issue with them.

  2. James Says:

    The benefit is simple: The federal laws with respect to privacy (i.e., HIPAA) apply only if the data is inside the US.

    I have heard of some in the medical industry storing medical records in India. The problem is, HIPAA does not exist in India. In India, that is public/unrestricted information.

    Other regulations like Sarbanes-Oxley or SEC, again, only apply in the US.

    Confidentiality and privacy of data can only be guaranteed if the data is in the US.

  3. Joe Panettieri Says:

    Do HIPAA, Sarbanes-Oxley and other regulations really limit US businesses to US hosting? I’ve covered the regulations as they apply to IT in recent years, but I don’t recall any lines stating that the data can’t sit (securely) in foreign data centers.

  4. Erick Simpson Says:

    Joe;

    I think at the end of the day, barring compliance considerations, it becomes a question of how comfortable the client is with the question. If a US-based client is not comfortable with their data being hosted outside of US borders, then the point, along with the question, is moot.

    Erick Simpson
    MSP University
    http://www.mspu.us

  5. James Says:

    Joe: I’m not sure honestly. But US law cannot be enforced overseas. Once the data leaves the country, it’s no longer bound by US law. A US citizen does not have the right to bear arms while living in the UK. And medical data in India is not subject to HIPAA.

  6. toddsw Says:

    We do a lot of work with Financial Services. It isn’t the offshore storage (heck some store in the US) as much as it is lack of audits on processes. We had to end relationships with certain platform providers because they couldn’t withstand the scrutiny of our customers’ auditors. I realize that most MSPs don’t target banks, brokerages, medical practices, publicly traded companies, etc., but we do. Even a new backup/recovery offering we are selling has the potential to work in regulated environments, but we cannot push it most places as the provider stated they aren’t planning on getting compliance audits, and that offsite data is here in the states. I guess I would like to see one of these cost-effective platform providers get on the compliance bandwagon, we’d pay a premium for that, and we could charge a premium as well. The funny thing is, these guys generally have their act together, they just need to submit to the audit process and maintain a SAS70 type certification and keep the data onshore.
