Data sovereignty and moving to the cloud

Data sovereignty presents technical and legal challenges when moving on-premises systems and information stores to the cloud.

There is no United Nations resolution, European Union mandate, or international trade agreement that provides one blanket set of data sovereignty requirements that all countries follow. Privacy and data-hosting laws vary by country and state, and some are more strict than others.

The thought of trying to navigate this international legal maze sounds complicated and time-consuming. It doesn’t have to be.

>See also: The 3 new rules for data sovereignty: location, location, location

The solution is not to delay or cancel cloud migration efforts, but rather to examine three key considerations at the outset: where your data will reside, what’s in the fine print, and whether your cloud services providers are transparent.

Enterprises are increasingly adopting cloud-based services in order to take advantage of the many business benefits of not having to purchase, manage, upgrade, and replace systems and applications.

Of course, all that data still has to “live” somewhere. But because a primary goal of using cloud computing is to create anytime-anywhere access to information and systems, most customers don’t give much thought to where their data is stored. That needs to change.

Location, location, location

The strictest data sovereignty laws, like those in Germany, France, and Russia, mandate its citizens’ data is stored on physical servers within the country’s physical borders.

There are even some specific industries – governments come to mind – that demand the same. For example, certain United States federal agencies require their data be stored exclusively within the United States.

The good news for enterprise IT and legal departments is that they can leave the responsibility of complying with these laws to their cloud services providers. That’s why the opening of new cloud data centres globally is occurring at a pace once reserved for new WallMart store locations.

>See also: Cloud service providers key to avoiding data regulation penalties

The chances are very good that, if you do your research, you can identify a cloud services provider whose data centre locations ensure you comply with all applicable data sovereignty laws.

Just as in real estate, location is the first factor to consider regarding data sovereignty when migrating to the cloud.

Perform your due diligence

The second is what’s in the fine print. Carefully review your local laws and the SLA of your cloud contract. Then have conversations with all applicable internal departments to gain an understanding of the root causes of all data sovereignty concerns.

Banning the use of cloud invariably leads to a world of shadow IT that seeps into the organisation

“Can you exchange email with entities outside of your company or region? Do you store any data outside your company or country with partners or suppliers? Do you use any other cloud services like, Box, NetSuite, Amazon Web Services, Microsoft Azure, etc.?” In many cases, the answers to all three of these are “yes.”

Demand vendor transparency

This brings us to the third key consideration regarding data sovereignty and the cloud: security and control. Often it’s not complying with the laws that cause an enterprise to shy away from the cloud.

Rather, it’s the fear of no longer having complete control over who manages company confidential data or personally identifiable information (PII) data. That’s not to say there are no valid considerations with respect to data privacy.

For example, countries within the European Union (EU) have restrictions on the transfer of PII data to countries outside of EU. In other cases, however, the objective may simply be normative.

>See also: When big data and Brexit collide what will it mean for data sovereignty?

The legal or HR team may be uncomfortable with specific company information being kept outside of their entity.

Therefore, choose a vendor who is transparent and you trust to both ensure you are in compliance and will protect your data from prying eyes. Look for these security and control capabilities when evaluating vendors:

  • End-to-end encryption: Ensure the encryption of all data in-transit across the Internet and stored at-rest in the cloud.
  • You hold the keys: Encrypt data on-premises before it ever traverses the Internet to your cloud provider’s data centre.
  • Sophisticated access controls: Role-based authentication and other granular user controls that control what exact data each user can and cannot see.

Given the financial benefits, innovation, and momentum behind cloud computing, packing up the cloud and going home seems an unlikely outcome.

Enterprises can try to govern with an iron fist and block the use of cloud services – reminiscent of the enterprises a decade earlier that tried to block the use of the internet.

Banning the use of cloud invariably leads to a world of shadow IT that seeps into the organisation and results in a lack of resource control as well as data security and compliance issues.

Data sovereignty laws should not limit the adoption of cloud-based services. In fact, it can have the opposite effect by compelling cloud vendors to be transparent.

Follow these recommendations to work through data sovereignty concerns and make full use of modern cloud computing services. Move out of that 1980s technology stack and into the world of the cloud – you can get there with knowledge and a trusted vendor.


Sourced by Allan Leinwand, chief technology officer, EMEA at ServiceNow

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics