
Companies that are adopting public cloud are rightfully excited about the world of benefits this can bring to their businesses. Operating in the cloud, they can, among other things, access, share and process data in real time, across departments, with partners, across borders, and generate insights with greater flexibility and scalability than is feasible when operating exclusively in on-premises environments.
However, the excitement over these benefits is often tempered by the fear, uncertainty and doubt (FUD) created by the complex and changing nature of data sovereignty and national data protection requirements. This element of FUD is often seen, and used, as a roadblock to cloud adoption by those concerned that the risk outweighs the benefits. But the risk of not meeting data sovereignty and protection provisions, like any risk, can be effectively mitigated with some planning and forethought.
While taking advantage of cloud’s “anytime, anywhere” access to data and applications, companies still need to adhere to real-world compliance rules that are changing year to year. Different countries have different laws and regulations relating to the way customer data is stored, managed and shared. Companies that break these rules – wittingly or unwittingly – face stiff fines. So…
- How does this new world of data sovereignty work?
- How do you comply with complicated and evolving sets of rules?
- Who is responsible – you or the cloud provider?
These are important questions for companies to consider as they look to leverage public cloud.
Understanding Data Sovereignty
Data sovereignty focuses on the idea that data has a national “home.” In recent years the common understanding of data sovereignty has evolved to mean the laws and governance structures that apply to data collected within, or owned by citizens of, a particular nation. Countries have always had rules governing the storage and transfer of sensitive data, such as military information. That is still the case. What has changed is the application of far-reaching laws requiring the protection of data connected to a country’s citizens – whether that data resides inside the country’s national borders, or on servers or storage services elsewhere around the world.
In the days of on-premises computing, data requirements used to be easy to navigate. Data would be stored in data centers, and data gravity generally kept it there. Today, in the cloud, data is stored in different places and accessed across borders, forcing companies to pay close attention to how they are managing their data in different locales.
The most publicized and far-reaching set of data regulations is the European Union’s General Data Protection Regulation (GDPR). But there are dozens more – from the China Cybersecurity Law, to Brazil’s General Data Privacy Law, to Japan’s Personal Information Protection Act, to Chile’s Law for the Protection of Private Life. In addition, Europe has separate privacy laws in 28 countries; the U.S. has more than a dozen regulations that apply to cloud-related data (including HIPAA, FERPA and the USA PATRIOT Act); and more than two dozen other nations are developing their own data sovereignty regulations.
Couple this with the fact that some nations’ data sovereignty laws are difficult to interpret and even harder to keep up with. The China Cybersecurity Law, for example, requires companies to follow localization requirements for what the government calls “important data.” But the definition of “important data” can be, and has been, interpreted in different ways, leading to uncertainty about steps cloud operators and cloud consumers need to take to operate in the Chinese market.
Taking Steps to Comply
So, what should companies storing data in the public cloud do to ensure they are complying with data sovereignty laws? The answer depends, in part, on whether they are planning to sign on with one of the large public cloud platforms or with another service provider. The large platform providers – AWS, Microsoft Azure and Google Cloud Platform – all have robust programs in place to support compliance with data residency requirements. With other cloud service providers, you need to exercise proper due diligence, as their abilities can be inconsistent with regard to supporting data sovereignty compliance.
If you are considering working with a service provider other than the big three, be prepared to gather answers to a few key questions. First, you need to know where a provider’s data center – or data centers – are located. Certain countries – Russia, China and others – require data to be housed within their borders. How is the data being protected in that environment, both physically and logically? How is encryption handled? Who has access to the keys? And what systems does the provider have in place to ensure that the data does not leave that particular locality? How is data access monitored and alerted? Companies should understand how they plan to use and share their own data, and make sure the service provider has systems in place that answer the above questions. That will determine whether the service provider can comply with regulations in countries where your company plans to do business. Consider using the Cloud Security Alliance Consensus Assessments Initiative (CAI) questionnaire to help guide you through your evaluation.
As for the three major cloud providers, they have all the tools on hand for you to set up a data protection strategy that complies with the core requirements of the data sovereignty laws you are facing. While these major providers give you the tools, it is your responsibility to use them to protect your data as required. This is akin to being handed a tool belt when remodeling a room: you cannot remodel the room unless you learn how to use the tools and then put them into action.
To create a data protection strategy which supports your data sovereignty needs, we recommend following these nine steps:
- Understand the applicable data residency requirements for your business. Be conservative, and consider data residency requirements for any location where your company operates or has a base of customers. Consult with your legal and/or compliance teams to review your interpretation of these requirements.
- Define your data assets. Take inventory of all data assets and classify them. Identify those assets that may contain consumer and other private citizens’ data, and any data from highly restrictive countries.
- Ensure you have a mechanism for tagging this data with its classification. Service providers should support tagging and provide rules engines to help manage such data.
- Leverage service provider capabilities to limit where restricted data can be located.
- Deploy “least privilege” access controls to limit access to these data sets.
- Monitor access to sensitive data and log all activity.
- Encrypt all your data. Service providers will have keys and other tools to perform base-level encryption. Check to determine if a specific country requires stricter practices with certain kinds of data.
- Develop a key scoping process. Decide which keys protect which data, for example a key that protects specific data assets or data that might touch a certain geography. That will give you the ability to customize rules to protect data specific to a particular country.
- Develop a compliance monitoring plan. Monitor for data leaving its region so that you know when it leaves, can manage it, and can ensure that it stays in compliance.
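Once assets carry classification and residency tags, the location, encryption, key-scoping and monitoring steps above can be checked mechanically. The following Python audit is an added example, not code from the original article or from any cloud provider; the tag values, region names, policy table, inventory and access events are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed policy: residency tag -> regions where data with that tag may live.
ALLOWED_REGIONS = {"DE": {"eu-central"}, "BR": {"sa-east"},
                   "NONE": {"eu-central", "sa-east", "us-east"}}
RESTRICTED = {"personal", "restricted"}  # classifications needing residency controls

@dataclass
class Asset:
    name: str
    classification: str | None  # classification tag (None = never classified)
    residency: str | None       # residency tag: country code or "NONE"
    region: str                 # region where the provider stores the asset
    key_scope: str | None       # geography the key is scoped to; None = unencrypted

def audit_asset(a: Asset) -> list[str]:
    """Return residency findings for one asset."""
    if a.classification is None or a.residency is None:
        return ["untagged"]  # nothing else can be evaluated without tags
    if a.residency not in ALLOWED_REGIONS:
        return ["unknown-residency-tag"]
    findings = []
    if a.region not in ALLOWED_REGIONS[a.residency]:
        findings.append("stored-outside-permitted-region")
    if a.key_scope is None:
        findings.append("unencrypted")
    elif a.classification in RESTRICTED and a.key_scope != a.residency:
        findings.append("key-not-scoped-to-residency")
    return findings

def audit_access(assets, events):
    """Flag logged reads of restricted data made from outside its permitted regions."""
    by_name = {a.name: a for a in assets}
    alerts = []
    for principal, name, from_region in events:
        a = by_name.get(name)
        if a is None or a.residency not in ALLOWED_REGIONS:
            alerts.append((principal, name, "unknown-or-untagged-asset"))
        elif (a.classification in RESTRICTED
              and from_region not in ALLOWED_REGIONS[a.residency]):
            alerts.append((principal, name, "cross-region-access"))
    return alerts

# Constructed sample inventory and access-log events (principal, asset, region).
INVENTORY = [Asset("crm-de", "personal", "DE", "eu-central", "DE"),
             Asset("crm-br", "personal", "BR", "us-east", "global"),
             Asset("logs", None, None, "us-east", None),
             Asset("brochures", "public", "NONE", "us-east", None)]
EVENTS = [("svc-report", "crm-de", "eu-central"),
          ("analyst-7", "crm-de", "us-east"), ("etl", "logs", "us-east")]
```

Run `audit_asset` over each inventory entry and `audit_access` over the log events; untagged assets are reported first because no residency rule can be evaluated for them.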
Right now, it is a challenge to navigate all the rules individual countries are developing to ensure their own citizens’ data is being protected to the fullest extent. There are no universal, global standards around data sovereignty on the horizon, and regulations will be getting more stringent. While having one set of rules across all countries would simplify moving to the cloud, nations have their own interests at heart. The challenge will be for them to drop trade barriers, while protecting their national interests.
Developing a structured approach to data protection, including classification, tagging, encryption and monitoring, makes it easier to address data sovereignty needs. Ongoing diligence about which regulations apply to your customer base and operating environment is essential. In addition, your team must understand the tools and capabilities made available by your cloud service provider to help meet your needs. But with our nine-step approach, you can adjust your core data protection strategy to meet any future changes in data sovereignty rules. And once the fear, uncertainty and doubt about data sovereignty are removed, your company can accelerate its cloud adoption and start to realize all the value of cloud’s capabilities.