Data Sovereignty in the Cloud: the Nine-Step Solution

As regulations get more stringent, what should companies storing data in the public cloud do to ensure they are complying with data sovereignty laws?
Sean Foley VP, Principal Cloud Architect
June 10, 2019 | January 22, 2020 | The Doppler

Companies that are adopting public cloud are rightfully excited about the world of benefits this can bring to their businesses. Operating in the cloud, they can, among other things, access, share and process data in real time, across departments, with partners, across borders, and generate insights with greater flexibility and scalability than is feasible when operating exclusively in on-premises environments.

However, the excitement over these benefits is often tempered by the fear, uncertainty and doubt (FUD) created by the complex and changing nature of data sovereignty and national data protection requirements. This element of FUD is often seen, and used, as a roadblock to cloud adoption by those concerned that the risk outweighs the benefits. But the risk of not meeting data sovereignty and protection provisions, like any risk, can be effectively mitigated with some planning and forethought.

While taking advantage of cloud’s “anytime, anywhere” access to data and applications, companies still need to adhere to real-world compliance rules that are changing year to year. Different countries have different laws and regulations relating to the way customer data is stored, managed and shared. Companies that break these rules – wittingly or unwittingly – face stiff fines. So…

  • How does this new world of data sovereignty work?
  • How do you comply with complicated and evolving sets of rules?
  • Who is responsible – you or the cloud provider?

These are important questions for companies to consider as they look to leverage public cloud.


Understanding Data Sovereignty

Data sovereignty focuses on the idea that data has a national “home.” In recent years the common understanding of data sovereignty has evolved to mean the laws and governance structures that apply to data collected within, or owned by citizens of, a particular nation. Countries have always had rules governing the storage and transfer of sensitive data, such as military information. That is still the case. What has changed is the application of far-reaching laws requiring the protection of data connected to a country’s citizens – whether that data resides inside the country’s national borders, or on servers or storage services elsewhere around the world.

In the days of on-premises computing, data requirements used to be easy to navigate. Data would be stored in data centers, and data gravity generally kept it there. Today, in the cloud, data is stored in different places and accessed across borders, forcing companies to pay close attention to how they are managing their data in different locales.

The most publicized and far-reaching set of data regulations is the European Union’s General Data Protection Regulation (GDPR). But there are dozens more – from the China Cybersecurity Law, to Brazil’s General Data Privacy Law, to Japan’s Personal Information Protection Act, to Chile’s Law for the Protection of Private Life. In addition, Europe has separate privacy laws in 28 countries; the U.S. has more than a dozen regulations that apply to cloud-related data (including HIPAA, FERPA and the USA PATRIOT Act); and more than two dozen other nations are developing their own data sovereignty regulations.

Couple this with the fact that some nations’ data sovereignty laws are difficult to interpret and even harder to keep up with. The China Cybersecurity Law, for example, requires companies to follow localization requirements for what the government calls “important data.” But the definition of “important data” can be, and has been, interpreted in different ways, leading to uncertainty about steps cloud operators and cloud consumers need to take to operate in the Chinese market.

Taking Steps to Comply

So, what should companies storing data in the public cloud do to ensure they are complying with data sovereignty laws? The answer depends, in part, on whether they are planning to sign on with one of the large public cloud platforms or with another service provider. The large platform providers – AWS, Microsoft Azure and Google Cloud Platform – all have robust programs in place to support compliance with data residency requirements. With other cloud service providers, you need to exercise proper due diligence, as their abilities can be inconsistent with regard to supporting data sovereignty compliance.

If you are considering a service provider other than the big three, be prepared to gather answers to a few key questions. First, you need to know where the provider’s data center, or data centers, are located: certain countries, Russia and China among them, require data to be housed within their borders. How is the data protected in that environment, both physically and logically? How is encryption handled, and who has access to the keys? What systems does the provider have in place to ensure that the data does not leave that particular locality? How is data access monitored, and how are alerts raised? Companies should understand how they plan to use and share their own data, and confirm that the service provider has systems in place that answer these questions; that determines whether the provider can comply with regulations in the countries where your company plans to do business. Consider using the Cloud Security Alliance Consensus Assessments Initiative (CAI) questionnaire to guide your evaluation.

As for the three major cloud providers, they all offer the tools you need to set up a data protection strategy that complies with the core requirements of the data sovereignty laws you face. The providers give you the tools, but it is your responsibility to use them to protect your data as required. This is akin to being handed a tool belt when remodeling a room: the room does not get remodeled until you learn how to use the tools and put them into action.

To create a data protection strategy that supports your data sovereignty needs, we recommend following these nine steps:

  1. Understand the applicable data residency requirements for your business. Be conservative, and consider data residency requirements for any location where your company operates or has a base of customers. Consult with your legal and/or compliance teams to review your interpretation of these requirements.
  2. Define your data assets. Take inventory of all data assets and classify them. Identify those assets that may contain consumer and other private citizens’ data, and any data from highly restrictive countries.
  3. Ensure you have a mechanism for tagging this data with its classification. Service providers should support tagging and provide rules engines to help manage such data.
  4. Leverage service provider capabilities to limit where restricted data can be located.
  5. Deploy least-privilege access controls to limit access to these data sets.
  6. Monitor access to sensitive data and log all activity.
  7. Encrypt all your data. Service providers will have keys and other tools to perform base-level encryption. Check to determine if a specific country requires stricter practices with certain kinds of data.
  8. Develop a key scoping process. You may determine that you need a dedicated key for specific data assets, or for data that touches a particular geography. That gives you the ability to customize rules to protect data specific to a particular country.
  9. Develop a compliance monitoring plan. If your data leaves the region, you have the ability to monitor when it leaves, so you can manage it and ensure that it stays in compliance.
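The following is an added example, not code from the article or from Cloud Technology Partners, showing how steps 2 through 4 and 6 through 9 fit together as an automated check. It assumes a constructed inventory of storage assets carrying two constructed tag names (`data_classification` and `data_origin`), a constructed residency table mapping a country of origin to the regions allowed to hold its data, and one constructed key alias per geography. `aws:RequestedRegion` in the generated policy is a real AWS global condition key; everything else (asset names, regions chosen, principals, events) is made up for the demonstration.

```python
"""Residency checks over a constructed storage inventory (added example; not
code from the article or from CTP). Models steps 2-4 and 6-9 above: assets
carry data_classification and data_origin tags (constructed tag names), a
residency table lists the regions allowed per country, one scoped key is
expected per geography, and the audit reports every violation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed rules: country of origin -> regions allowed to hold its data (steps 1, 4).
RESIDENCY_RULES = {
    "DE": {"eu-central-1", "eu-west-1"},
    "CN": {"cn-north-1"},
    "US": {"us-east-1", "us-west-2", "eu-central-1"},
}
# Constructed key scoping (step 8): the only key alias allowed for each geography.
KEY_SCOPE = {"DE": "alias/eu-restricted", "CN": "alias/cn-restricted", "US": "alias/us-general"}
RESTRICTED_CLASSES = {"pii", "restricted"}

@dataclass
class Asset:
    name: str
    region: str
    tags: Dict[str, str] = field(default_factory=dict)
    encrypted: bool = False
    kms_key: Optional[str] = None

def check_asset(asset: Asset) -> List[str]:
    """Residency, key-scoping and encryption findings for one asset (steps 3, 4, 7, 8)."""
    findings = []
    cls = asset.tags.get("data_classification", "unclassified")  # no tag: fail closed
    country = asset.tags.get("data_origin")
    if cls == "unclassified":
        findings.append("missing data_classification tag")
    if cls in RESTRICTED_CLASSES:
        if country is None:
            findings.append("missing data_origin tag")
        else:
            allowed = RESIDENCY_RULES.get(country)
            if allowed is None:
                findings.append(f"no residency rule for {country}")
            elif asset.region not in allowed:
                findings.append(f"region {asset.region} not permitted for {country} data")
            expected = KEY_SCOPE.get(country)
            if expected and asset.kms_key != expected:
                findings.append(f"key {asset.kms_key} is not the scoped key {expected}")
    if not asset.encrypted:  # step 7 applies to every asset, whatever its class
        findings.append("not encrypted at rest")
    return findings

def audit(assets: List[Asset]) -> Dict[str, List[str]]:
    """Step 9: asset name -> findings; compliant assets are omitted."""
    report = {a.name: check_asset(a) for a in assets}
    return {name: f for name, f in report.items() if f}

def flag_cross_border_access(assets: List[Asset], events: List[dict]) -> List[tuple]:
    """Steps 6 and 9: flag access to restricted data from a region its origin country
    does not permit. Events are constructed records, not a real provider's log format."""
    by_name = {a.name: a for a in assets}
    alerts = []
    for ev in events:
        asset = by_name.get(ev["asset"])
        if asset is None or asset.tags.get("data_classification") not in RESTRICTED_CLASSES:
            continue
        # Unknown origin -> empty allow set, so every access is flagged (fail closed).
        allowed = RESIDENCY_RULES.get(asset.tags.get("data_origin"), set())
        if ev["source_region"] not in allowed:
            alerts.append((ev["principal"], ev["asset"], ev["source_region"]))
    return alerts

def region_restriction_policy(country: str) -> dict:
    """Step 4 as a deny-by-default statement in AWS IAM/SCP syntax. aws:RequestedRegion
    is a real global condition key; the region list comes from the constructed rules."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": f"DenyOutsideAllowedRegionsFor{country}",
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": sorted(RESIDENCY_RULES[country])}}}]}

# Constructed inventory and access events for the demonstration.
SAMPLE_INVENTORY = [
    Asset("crm-backups-de", "eu-central-1",
          {"data_classification": "pii", "data_origin": "DE"}, True, "alias/eu-restricted"),
    Asset("analytics-export", "us-east-1",
          {"data_classification": "pii", "data_origin": "DE"}, True, "alias/us-general"),
    Asset("marketing-site-assets", "us-west-2", {"data_classification": "public"}, True),
    Asset("legacy-logs", "eu-west-1"),
]
SAMPLE_EVENTS = [
    {"principal": "role/etl", "asset": "crm-backups-de", "source_region": "eu-central-1"},
    {"principal": "user/contractor", "asset": "crm-backups-de", "source_region": "ap-southeast-1"},
    {"principal": "role/web", "asset": "marketing-site-assets", "source_region": "ap-southeast-1"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_INVENTORY), indent=2))
    print(flag_cross_border_access(SAMPLE_INVENTORY, SAMPLE_EVENTS))
    print(json.dumps(region_restriction_policy("DE"), indent=2))
```

The design choice worth noting is that every lookup fails closed: an asset with no classification tag is reported rather than silently treated as public, and restricted data whose origin has no residency rule is flagged on every access. That mirrors the article's advice to be conservative in step 1; a real deployment would replace the constructed inventory and events with the provider's own tagging and access-log exports.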

Right now, it is a challenge to navigate all the rules individual countries are developing to ensure their own citizens’ data is being protected to the fullest extent. There are no universal, global standards around data sovereignty on the horizon, and regulations will be getting more stringent. While having one set of rules across all countries would simplify moving to the cloud, nations have their own interests at heart. The challenge will be for them to drop trade barriers, while protecting their national interests.

Developing a structured approach to data protection, including classification, tagging, encryption and monitoring, makes it easier to address data sovereignty needs. Ongoing diligence about which regulations apply to your customer base and operating environment is essential. In addition, your team must understand the tools and capabilities made available by your cloud service provider to help meet your needs. But with our nine-step approach, you can adjust your core data protection strategy to meet any future changes in data sovereignty rules. And once the fear, uncertainty and doubt about data sovereignty are removed, your company can accelerate its cloud adoption and start to realize all the value of cloud’s capabilities.

Sean Foley

Sean Foley is a VP, Principal Cloud Architect at Cloud Technology Partners, a Hewlett Packard Enterprise company.