Every day a new report suggests that foreign governments and criminal organizations are trawling the cloud for business data that they can either leverage for competitive advantage or hold hostage for ransom. While that may sound far removed from your firm’s cloud operations and footprint, the scale of risk shouldn’t be underestimated.
Even if there’s no criminal intent, businesses must ensure their data remains protected and follows the rules for the regions it’s stored in. Just as a business traveler faces new rules and regulations when they go aboard, the same is increasingly true for corporate data.
Why is cloud data sovereignty important?
With so much data generated every day, it’s crucial that you understand data sovereignty in the cloud.
As different political blocs create various data rules for business and personal information, it creates a landscape of complexity for organizations. Take the EU’s GDPR, countries like Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and even individual states or regions like California’s Consumer Privacy Act (CCPA).
If your company uses Google’s or Amazon’s cloud, there’s a chance that some data might end up stored on a server in one of those regions as a backup or operational resource. This is also the case if a business department adopts a new cloud service with servers that happen to be in Russia or an eastern European state, where different rules may apply and security requirements may not be equivalent to those in your home country. If a service claims they own the data stored on their server, your business could find itself in murky legal waters.
The three keys to cloud data sovereignty
Research from our recent cloud security survey found that approximately 50% of IT professionals cited data sovereignty/residency/control as a key concern.
1. Data sovereignty
Data sovereignty refers to the governmental laws, regulatory policies or other rules regarding data privacy for the home geographic location of a business. Usually, equivalent rules must be in place in a third-party provider’s country to protect data.
2. Data localization
These are the rules that state where business data can legally be located. This might be across the EU, but with Brexit in force, British firms could face a different set of rules if data equivalence and adequacy aren’t agreed upon between governments. Note the ongoing argument:
3. Data residency
This relates to the requirements where data must be stored in a specific location for regulatory reasons. This might be due to health/legal confidentiality matters, tax reasons and so on.
How to ensure data sovereignty compliance in the cloud
Organizations need a policy that covers the existing state of its data obligations and can be expanded to cover future data usage as cloud adoption grows.
The company needs to understand which data is stored in the cloud, where that data is kept geographically speaking and where it could end up in the future. With different rules for various types of data, such as personal information, regulated files, financial records and business-critical information, organizations need to understand which person or part of the business created it and is responsible for it and what other rules or implications cloud usage of data creates.
For example, many businesses including Google and Facebook moved UK data from EU servers to US-located ones and changed terms and conditions to reflect this as a result of Brexit. That could change where data is stored, requiring updates to the compliance policy, and if a third-party provider uses a cloud service where data could travel beyond borders, that in theory could require a change of service or provider.
As of 2020, Amazon AWS and Microsoft had UK-based data centers, but as rules and locations change, organizations need to remain up to date with their compliance rules and checks. In more practical terms, businesses also need to establish that data backups, encryption tools and other essentials are all designed to protect data wherever it goes and meet regulations in whatever country the data may be stored.
In an ideal world, it would be best and simplest to locate all cloud data in your home nation across private clouds, but the realities of cloud services make this unlikely. Many companies have six or more cloud service providers, and data crosses many networks.
Therefore, data sovereignty compliance policies are required by all firms to ensure that they can successfully monitor providers and services, ensuring data is securely handled in transit and on servers. As cloud footprints expand, being able to manage this will only work if your business has a strong compliance system in place.
- 5 Cloud Security Gaps Keeping CIOs Up at Night
- Manage Risks and Ensure Security: 5 Cloud Governance Tips
- Understanding Cloud Security Responsibilities and Best Practice
- The Cloud Security Buyers Guide
Join the conversation...