Data Sovereignty: How to Make It Work in a Cloud-first World
The matter of data sovereignty is one that both enterprises and cloud providers wrestle with today as cloud services have gone mainstream. Let’s explore how organizations can address data sovereignty issues in the cloud.
In our post-Covid world, IT departments are allotting significant resources to the management of endpoint device data. With data stored in the cloud – and an explosion of endpoint devices acting as extensions – many companies have shifted towards moving the primary home of their data from the endpoint devices to a cloud. As a result, data sovereignty becomes an issue and brings with it a unique set of challenges with enterprise data residing in multiple locations. This article by Tim DaRosa, CMO, Zadara takes a look at the strategies businesses can take to ensure they are adhering to data sovereignty rules.
A flood of ‘cloud-first’ strategies continues to gain momentum as critical business functions are continuously being migrated to the cloud. The trend of adoption of cloud technologies by organizations of all sizes has opened up markets that might not have made sense to a cloud vendor just a few years ago.
In our post-Covid world, IT departments everywhere are spending time and resources on managing endpoint device data. When an employee gets a new laptop, the IT department must help move data from the old to the new. When a branch office server fails, IT must restore the data from a backup and get operations running again. With data stored in the cloud – and an explosion of endpoint devices acting as extensions – a majority of companies have increasingly shifted towards moving the primary home of their data from the endpoint devices to a cloud.
As a result, data sovereignty brings its own unique set of challenges as enterprise data now resides in more locations than ever before. The same dataset may be subject to different laws depending on where it is collected or located and the legal and financial repercussions of data crossing international borders must be accounted for in a distributed computing model where data is often traveling from one part of the enterprise to another.
Considerations also exist for companies with locations in several countries that might want data to be shared across multiple regions – backup and disaster recovery comes to mind. Many cloud service providers automatically send the data to the closest data center. However, there may be cases where an organization would prefer to limit certain types of data to one region for legal reasons or to ensure data privacy.
Regional Bubbles of Data Sovereignty
Worth noting is that while sovereignty typically revolves around country-level requirements, there has been marked growth in demand for independent countries to band together based on close proximity to one another with an interest in creating regionally sovereign clouds. Country-level clouds have had to be subsidized by governments with substantial commitments to spend over a stated period of time. It is one reason why sovereignty at a regional level, such as Europe, is ostensibly more workable than at an individual country level.
To serve these data management requirements, many cloud providers have established data centers across multiple regions where the physical distance between the user and the datacenter matters. Issues with latency – for example – make it likely that organizations will typically prefer to have their data stored close by, in their own country, or even in their own city to maximize security and performance.
Below is Gartner’s view on the various cloud sovereignty requirements in the modern enterprise (May, 2022).
Source: Gartner
The matter of data sovereignty is one that both enterprises and cloud providers wrestle with today as cloud services have gone mainstream. Data residency, or the physical location of corporate data, is not the only attribute influencing sovereignty. Even if the data is stored in an organization’s home country, the provider hosting it is a company subject to foreign laws. It is important to know if and what data may be accessible to foreign governments under laws of information disclosure, or it may be released to certain parties in case of a lawsuit. Businesses must do their due diligence and ensure that they are aware of their cloud provider’s legal status and understand the potential for their data to be exposed.
Organizations must also be aware of the industry-standard security best practices are applied to data storage, including IT security and physical security measures. Multi-factor authentication, even surveillance at the data center for entry, are to be expected to ensure compliance with best practices.
As recently reported in The New York Times, more than 50 countries are seeking to further control the digital information produced by their citizens, government agencies and corporations. Security, privacy concerns, economic interests, even border disputes have governments doing the best they can to create a fence around the data within their borders while creating standards about where that data can and cannot go.
See More: Is It Time to Put Your Data Strategy on a Diet?
Data Sovereignty Needs To Be Strategic
All data has to be situated somewhere. But this may be paradoxical as the essence of cloud computing is to create anytime-anywhere access to information and systems. This may pose a challenge especially in countries with strictest data sovereignty laws. In Germany and Russia for example, private personal data of citizens’ are required to be stored on physical servers inside their physical jurisdiction.
The issues surrounding data sovereignty- ownership of data, control over where that data resides and is shared, and privacy – are creating a need for technologists, governments, and data owners to come together and decide what is acceptable and compliant. As more organizations look for cloud computing solutions pre-built to solve the particular sovereignty issues they face, cloud providers will continue to chase the associated learning curve, providing best practices and solutions as they become available.
MORE ON DATA MANAGEMENT:
