Data sovereignty is the principle, set out in country-specific regulations, that any data collected or processed in a country is subject to the laws of that country. This concept is different from data residency, which is a business prerogative on where data is stored, although data residency typically mirrors any data sovereignty laws that exist in a country.
The advent of cloud has made data sovereignty implications and implementation much more complicated. For instance, consider what it means for a U.S. enterprise using cloud infrastructure from a provider in the U.K. that also has customers in the EU. Data collection may happen in Italy and, therefore, be subject to the data sovereignty rights of Italy, but since the data is stored in the U.K., it would be subject to the data sovereignty rights of the U.K. as well. To further complicate matters, if data backup happens in Ireland, it will be subject to the data sovereignty rights in that country too.
Confused yet? Given the complicated landscape that data sovereignty in the cloud exposes, it is prudent for enterprises to stay aware and compliant. Here are three ways to achieve this.
1. Look to the cloud
The cloud itself may have the answer. While the major cloud providers, including AWS, Microsoft and others, attribute adoption rates to customers' focus on cost, availability and flexibility, data sovereignty is a key attribute as well. Most IaaS providers have in-country data centers, which enable that first requirement to be met. In addition, key features, such as encryption and other available security-as-a-service options, enable customers to comply with local regulations.
One major caveat: It is imperative that the appropriate stakeholder within the enterprise understands each specific country's data regulations and assesses and implements the appropriate management tools offered by each provider in order to comply with these regulations.
2. Uniformity is key
Enterprises should implement the strongest of regulations uniformly. If an organization has a global footprint, keeping up with the data sovereignty laws of each region it does business in and with is an ongoing challenge.
One way to reduce complexity is to take the strongest of these laws and implement it consistently across all regions, regardless of what other regions require. The cloud can help with this. Assess which cloud providers offer these options -- typically, the larger providers and the ones that focus on particular industry verticals will do it best. This is an investment, but it will pay dividends, as many countries that had limited data sovereignty laws until recently, such as India, are rapidly investing in laws and infrastructure to catch up with other countries. Taking a stringent data sovereignty approach will reduce the frequency of ongoing updates to the process and implementation.
3. Know where backups reside
Automated backups have become commonplace for most organizations due to availability and security reasons. Add in the ubiquity of cloud -- even just consider Box, Dropbox, Google Drive and OneDrive usage -- and there is likely data sprawl already occurring in every enterprise. By definition, data sovereignty extends to each and every backup -- on-site, IaaS, PaaS and SaaS backups. This involves knowing where these primary, secondary and tertiary backups reside and ensuring they are in compliance with the country's laws as well. This requires a two-part approach:
- Conduct an initial and thorough backup discovery and classification. Based on the results, identify any noncompliance, and decide whether to comply, relocate or destroy the backups.
- Establish ongoing assessment processes to ensure compliance.
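A classification pass over a backup inventory could look like the following. This is an added example, not part of the original article; the `ALLOWED_STORAGE` policy, the `Copy` record and the inventory rows are constructed for illustration and are not a statement of any country's law.

```python
from dataclasses import dataclass

# Constructed policy, NOT a statement of any country's law: for data
# collected in a country, the countries where copies may be stored.
ALLOWED_STORAGE = {"IT": {"IT", "GB", "IE"}, "IN": {"IN"}}

@dataclass(frozen=True)
class Copy:
    dataset: str
    tier: str          # primary, secondary or tertiary
    platform: str      # on-site, IaaS, PaaS or SaaS
    collected_in: str  # country where the data was collected
    stored_in: str     # country where this copy resides

# Constructed inventory, as an initial discovery pass might produce it.
INVENTORY = [
    Copy("crm", "primary", "IaaS", "IT", "GB"),
    Copy("crm", "secondary", "IaaS", "IT", "IE"),
    Copy("crm", "tertiary", "SaaS", "IT", "US"),   # data sprawl to a file-sharing service
    Copy("hr", "primary", "on-site", "IN", "IN"),
    Copy("logs", "primary", "PaaS", "BR", "BR"),   # no policy entry yet
]

def jurisdictions(inventory):
    """Map each data set to every country whose rules apply to it:
    the collection country plus each country holding a copy."""
    out = {}
    for c in inventory:
        out.setdefault(c.dataset, set()).update({c.collected_in, c.stored_in})
    return out

def classify(inventory, policy=ALLOWED_STORAGE):
    """Return (copy, status) pairs. A copy with no policy entry for its
    collection country is 'unclassified', never silently compliant."""
    results = []
    for c in inventory:
        allowed = policy.get(c.collected_in)
        if allowed is None:
            status = "unclassified"
        else:
            status = "compliant" if c.stored_in in allowed else "noncompliant"
        results.append((c, status))
    return results

if __name__ == "__main__":
    print(jurisdictions(INVENTORY))
    for c, status in classify(INVENTORY):
        print(c.dataset, c.tier, c.platform, c.stored_in, status)
```

Copies reported as noncompliant feed the comply, relocate or destroy decision; rerunning the same pass on a schedule against a refreshed inventory is one form the ongoing assessment can take.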
Data sovereignty laws and regulations are constantly evolving and growing in number and requirements. The data tsunami continues unabated. And cloud adoption is increasing rapidly. Put together, this trifecta offers some hefty challenges. However, with some initial investment and ongoing process implementations, enterprises can get ahead and stay ahead.