The Unintended – and Intended – Consequences of Cloud Data Sovereignty

Allan Leinwand


It seems that everything has unintended consequences – whether positive or negative. Intended consequences are those that are chosen. Unintended consequences are forced upon us. The consequences surrounding data sovereignty regulations are no different.

The adoption of cloud computing has had a significant impact on the way governments, businesses and other organizations look at data. It has made geopolitical barriers ambiguous. As a result, governments have put in place regulations to control customer and employee information and keep it within the nation where those people live.

Recently, I was asked about the impact of Brexit on data sovereignty regulations in the United Kingdom and European Union. It seems that unless the UK adopts and follows new rules, and those rules are approved by the EU, companies in the UK may lose their right to process data of EU consumers within the UK, and may even have to transfer information back to data centers in the EU. This may be the case even if the UK adopts the same data-protection standards as the EU’s new General Data Protection Regulation. Much on this is yet to be seen.

It makes sense that governments have laws to protect the data of the consumers and organizations that reside within their boundaries. However, data privacy laws restrict what data may be stored and transmitted, and where. There is no global standard, and as a result, businesses struggle to understand the differing, and sometimes incongruous, requirements, laws and regulations that exist.

The unintended consequences are real. Businesses may face regulatory action, disruption and new internal controls to properly process, handle and store this data.

Don’t delay

Three key items businesses need to consider about managing data sovereignty include:

  • Policy
  • Location
  • Vendors

Most organizations simply don’t have the time to navigate through the jungle of country-specific rules and regulations. It is too complicated, nuanced and time-consuming. This may be one reason why cloud adoption is lagging in many industries and geographies: in a recent survey we conducted, 89 percent of cloud-first companies said they lacked the necessary skills to shift to cloud-first.

However, organizations need not delay or cancel cloud migration efforts. They can choose their intended consequences by continuing to evaluate and adopt cloud-based services to take advantage of the business benefits of the cloud: Using the cloud to create anytime-anywhere access to information and systems.

Policy

It is essential to create compliance policies and processes that can scale with the ever-changing requirements. As you create your policy, know if the countries you do business in – or plan to do business in – have rules and regulations regarding data sovereignty. Compile a list of the relevant legislation. Each nation, industry and business differs.

While maintaining compliance may be an afterthought in many businesses, it must be a priority to make sure it happens. If it is not prioritized in your organization, you must determine whether you will manage it on your own, allow your vendors to manage it, or have internal resources that will manage it.

Regardless, policies should be flexible enough to change over time and allow the organization to scale.

For example, if you determine to have your vendor manage data sovereignty, you should ensure that they have resources in the right locations to do this properly and that they can verify and report back to you that regulated data does and will exist only in allowed locations.

Location

The strictest data sovereignty requirements come in two forms: laws and industry regulations. Governments like France, Germany and Russia have some of the strictest laws regarding the data of their citizens. These laws require that data be stored on physical servers within their country.

The finance, healthcare and government industries also have similar requirements about where the data will reside and how it is accessed. Some of this is driven by laws and regulations, some by the industry itself.

The good news for enterprise IT and legal departments is that they can leave the responsibility of complying with these laws to their cloud services providers – provided that data centers are in the right location.

When I was a kid, there were 7-Elevens on just about every major corner. Now it is Starbucks. Cloud data center growth is rivaling this – opening globally at a pace that is as fast as how often a new Wal-Mart store is opened in the US.

Many companies, including ServiceNow, are opening data centers across the globe at an ever-increasing pace. Most of these companies are setting up data centers in countries and regions where there are specific needs and requirements for data sovereignty, to help their customers comply with these rules.

Organizations that form a partnership with their vendors to help them understand and meet the various laws and rules are more successful at being in compliance.

Due diligence into cloud services providers and their data center locations is a must, so that you don’t have to worry as much about which data sovereignty laws apply and whether you are in compliance with them. The vendor can help significantly.


Vendors

Finding a vendor that is transparent and that will comply with the policies set forth is key. You should not only carefully review local laws but also fully understand the SLA in the contract with your cloud provider.

While concern around data sovereignty sometimes causes companies to delay cloud migration, the more specific cause is often the fear of a lack of security and control.

Organizations want to have complete control over how confidential data or personally identifiable information is managed. You should select vendors that are transparent and that you trust. This is key to ensuring compliance, and to making sure that the vendor will protect the data. You should mandate that the vendor puts in place end-to-end encryption and sophisticated access controls as basic security and control capabilities. They should also ensure that the data is encrypted on premise before it even moves to a data center.

Concluding thoughts

Because of all the benefits of cloud computing, along with the innovation it provides an organization, enterprises must take an active role in ensuring compliance with data sovereignty laws and regulations.

Banning the use of cloud is the wrong approach. We learned a decade ago that those who try to block the use of the internet – and in this case cloud services – will face employee backlash, loss of resource control, loss of business and eventually security and compliance issues.

Data sovereignty laws should not limit, but speed up the adoption of cloud-based services and ensure the transparency of cloud providers. Companies who don’t do this now face unintended consequences. Companies who actively plan and work with their cloud service provider to manage data sovereignty will see the planned consequences come to fruition and be much more competitive.

By Allan Leinwand, CTO at ServiceNow
