Three things companies must know about data sovereignty when moving to cloud

19 Apr 17

I hear it nearly every day – the lament of teams trying to transform their enterprise from '80s-era software to the cloud: “Our state (or country, or regional authority) says that data can never leave our jurisdiction, which means we can’t store it in the cloud.”

It’s true that data sovereignty presents technical and legal challenges when moving on-premises systems and information stores to the cloud.

There is no United Nations resolution, European Union mandate, or international trade agreement that provides one blanket set of data sovereignty requirements that all countries follow.

Privacy and data-hosting laws vary by country and state, and some are more strict than others.

The thought of trying to navigate this international legal maze sounds complicated and time-consuming. It doesn’t have to be.

The solution is not to delay or cancel cloud migration efforts, but rather to examine three key considerations at the outset: where your data will reside, what’s in the fine print, and whether your cloud services providers are transparent.

This all sings the same tune as recent guidelines issued by the Monetary Authority of Singapore that urge financial services to take a risk-based approach when managing cloud outsourcing risks.

Enterprises are increasingly adopting cloud-based services in order to take advantage of the many business benefits of not having to purchase, manage, upgrade, and replace systems and applications.

Of course, all that data still has to “live” somewhere. But because a primary goal of using cloud computing is to create anytime-anywhere access to information and systems, most customers don’t give much thought to where their data is stored.

That needs to change.

Location, location, location

The strictest data sovereignty laws, like those in Germany, France, and Russia, mandate that their citizens’ data be stored on physical servers within the country’s physical borders.

There are even some specific industries – governments come to mind – that demand the same. For example, certain United States federal agencies require their data be stored exclusively within the United States.

The good news for enterprise IT and legal departments is that they can leave the responsibility of complying with these laws to their cloud services providers.

That’s why the opening of new cloud data centers globally is occurring at a pace once reserved for new Wal-Mart store locations.

The chances are very good that, if you do your research, you can identify a cloud services provider whose data center locations ensure you comply with all applicable data sovereignty laws.

Just as in real estate, location is the first factor to consider regarding data sovereignty when migrating to the cloud.

A good place to start will be to check if your potential service provider is certified against local standards.

In Singapore, this is the Multi-Tier Cloud Security (MTCS) Singapore Standard (SS) 584, which is the world’s first cloud security standard that covers multiple tiers of cloud security.

Having a level-3 certification, for example, would mean that they are certified to handle highly sensitive data such as patient records.

Perform your due diligence

The second is what’s in the fine print. Carefully review your local laws and the SLA of your cloud contract. Then have conversations with all applicable internal departments to gain an understanding of the root causes of all data sovereignty concerns.

When I work with a company on its cloud migration strategy, and I am told that there is a government policy to keep data out of the cloud, I ask for the specific wording. Often, if they can’t provide that information to me, they haven’t done the research.

So we have to dig deeper.

I’ll ask: “Can you exchange email with entities outside of your company or region? Do you store any data outside your company or country with partners or suppliers? Do you use any other cloud services like Box, NetSuite, Amazon Web Services, Microsoft Azure, etc.?”

In many cases, the answers to all three of these are “yes.”

Demand vendor transparency

This brings us to the third key consideration regarding data sovereignty and the cloud: security and control. Often it’s not complying with the laws that causes an enterprise to shy away from the cloud.

Rather, it’s the fear of no longer having complete control over who manages company confidential data or personally identifiable information (PII) data. That’s not to say there are no valid considerations with respect to data privacy.

For example, countries within the European Union (EU) have restrictions on the transfer of PII data to countries outside of the EU. In other cases, however, the objective may simply be normative.

The legal or HR team may be uncomfortable with specific company information being kept outside of their entity.

Therefore, choose a vendor that is transparent and that you trust both to ensure you are in compliance and to protect your data from prying eyes. Look for these security and control capabilities when evaluating vendors:

  • End-to-end encryption: Ensure the encryption of all data in-transit across the Internet and stored at-rest in the cloud.
  • You hold the keys: Encrypt data on-premises before it ever traverses the Internet to your cloud provider’s data center.
  • Sophisticated access controls: Role-based authentication and other granular user controls that control what exact data each user can and cannot see.

Given the financial benefits, innovation, and momentum behind cloud computing, packing up the cloud and going home seems an unlikely outcome.

We’ve seen enterprises try to govern with an iron fist and block the use of cloud services – reminiscent of the enterprises a decade earlier that tried to block the use of the Internet.

Banning the use of cloud invariably leads to a world of shadow IT that seeps into the organization and results in a lack of resource control as well as data security and compliance issues.

Data sovereignty laws should not limit the adoption of cloud-based services. In fact, they can have the opposite effect by compelling cloud vendors to be transparent.

Follow these recommendations to work through data sovereignty concerns and make full use of modern cloud computing services.

Move out of that 1980s technology stack and into the world of the cloud – you can get there with knowledge and a trusted vendor.

Article by Jimmy Fitzgerald, vice president and general manager, Asia-Pacific & Japan, ServiceNow
