God Save the Queen Your Data
“Data is King.” “Data is the new oil.” “Data is the currency of the future.” Data is this, data is that. The world certainly has evolved into a land governed by data and the control of it, and every day there is a new cliché published somewhere likening it to something we can relate to, attempting to enlighten us on a fact that everyone already knows – we are a data-driven society. With ExtremeCloud IQ, the only concept you need to know is that your data is sovereign.
Cloud technologies have helped drive the data-dependent revolution. VPN’s are a thing of the past, and access to data is now possible from every type of device, whether desktop PC, a watch, or the very automobile you drive.
The flexibility of cloud-hosting data comes with increased risks associated with data control – not only your control, but loss of it, and the control of others who have access to your data due to the cloud relationship.
With ExtremeCloud IQ we spell out our data controls very clearly. Within data protection and privacy circles, particularly those that concern themselves with GDPR (the European General Data Protection Regulations), you often hear about concepts such as “controller” and “processor” in terms of the roles customers and cloud providers play in data privacy.
What are these roles? Within GDPR Article 4.7, a controller is defined as “… the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data… .“ Accordingly, a processor is defined in the same section as “… a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
In simple terms, a controller is someone who owns data, and a processor is someone who does things with the data on behalf of the controller and only performs those operations that are mutually agreed upon. For instance, you may own your car (a controller), and you may authorize your mechanic to change your oil (a processor), but just because the mechanic is in possession of your car for an hour doesn’t mean he can take it to the dragstrip for a quick run. The same concepts apply to data processing rules.
Extreme is a controller for certain administrative information you provide us. We may obtain your email address, name, and contact information through our normal course of business. We’ll then store that in a CRM like salesforce.com so that we can contact you and record transaction information. Salesforce.com is a processor of Extreme’s data, and they can only store it for us in their software.
However, in the case of ExtremeCloud IQ, the customer is the controller of all of the network data that goes into the cloud, and we are the processor. Every bit, byte, IP address, and statistic that is generated from your switches, routers, and access points are your data and controlled by you. ExtremeCloud IQ on the other hand is the processor, creating useful information with the data you provided, and we are only allowed to do with that data what is defined in our processing agreements and terms of service.
With all cloud solutions, as the customer entrusting your data to a processor, you must be certain of the rights of both yourself and the processor. For instance:
Not all clouds are built the same. The processor you entrust your data to may do all of the processing in a different country, thus, replicating and storing all or portions of your data in another country. This is where data sovereignty comes into play.
Knowing where your data is stored is a vitally important part of cloud data storage and processing and is key to the concept of data sovereignty. Data sovereignty is a concept designed to ensure that your data is kept in a country or a geo-political boundary governed by similar laws and rules and not outside of your legal control. For instance, a customer in Germany needs to know if their data is stored in the United States, and would prefer it be stored in Germany, or another country with similar legal protections of data.
The architecture of ExtremeCloud IQ lends itself to data sovereignty without much effort. We keep your data where you want it.
As mentioned in previous blog posts, ExtremeCloud IQ leverages two different kinds of data centers. We have Global Data Centers (GDC) which handle device redirection, authentication, and licensing, and we also have Regional Data Centers (RDC) which is where your logical instance resides, and your data is stored.
GDCs exist in the US and the EU. To protect the personal data that consists of your primary account email and other basic demographic data, all EU and other accounts are stored via the European (Ireland) GDC. When you log into ExtremeCloud IQ from Europe, using geographic load balancing, access to your virtual instance (VIQ) is granted from a system within the EU. In the US the reverse occurs, and US accounts are authenticated using systems in Virginia.
The RDCs are placed in various regions for speed of access and data regionalization. A customer in Germany will be placed on the RDC in Frankfurt and will authenticate via the Ireland data center, keeping all data within the jurisdiction of the EEA (European Economic Area) and/or Germany itself.
Why is this important? By isolating your data in a specific country, you are protected and inherit the rights of that country’s data protection laws. For EU customers and customers around the world, this can be important to satisfying a myriad of new and upcoming data privacy concerns.
Further, ExtremeCloud IQ will be ISO 27701 certified in a few short weeks. This certification is strictly related to information privacy management, and we meet or exceed all ISO standards for data protection.
Take pride in knowing that your data is sovereign, it’s protected, and at Extreme, we’ll protect it like the King/oil/currency/ lifeblood of your organization that it is.