Cloud Data Sovereignty
It seems that everything has unintended consequences – whether positive or negative. Intended consequences are those that are chosen. Unintended consequences are forced upon us. The consequences surrounding data sovereignty regulations are no different.
The adoption of cloud computing has had a significant impact on the way governments, businesses and other organizations look at data. It has made geopolitical barriers ambiguous. As a result, governments have put in place regulations to control and keep customer and employee information within the nation they live within.
Recently, I was asked about the impact of Brexit on data sovereignty regulations in the United Kingdom and European Union. It seems that unless the UK adopts and follows new rules – and they are approved by the EU, companies in the UK may lose their right to process data of EU consumers within the UK, and may even have to transfer information back to data centers in the EU. And, this may be the case, even if the UK adopts the same data-protection standards as the EU’s new General Data Protection Regulation. Much on this is yet to be seen.
It makes sense that governments have laws to protect the data of the consumers and organizations that reside within their boundaries. However, data privacy laws restrict what data – and where data – may be stored and transmitted. However, there is no global standard, and a result, businesses struggle to understand the differing, and sometimes incongruous requirements, laws and regulations that exist.
The unintended consequences are real. Businesses may face regulatory action, disruption and new internal controls to properly process, handle and store this data.
Three key items businesses need to consider about managing data sovereignty include:
Most organizations simply don’t have the time to navigate through the jungle of country-specific rules and regulations. It is too complicated, nuanced and time-consuming. This may be one reason, as indicated in a recent survey we conducted — where respondents said that 89 percent of cloud-first companies say they lacked necessary skills to shift to cloud-first — why cloud adoption is lagging in many industries and geographies.
However, organizations need not delay or cancel cloud migration efforts. They can choose their intended consequences by continuing to evaluate and adopt cloud-based services to take advantage of the business benefits of the cloud: Using the cloud to create anytime-anywhere access to information and systems.
It is essential to create compliance policies and processes that can scale with the ever-changing requirements. As you create your policy, know if the countries you do business in – or plan to do business in – have rules and regulations regarding data sovereignty. Compile a list of the relevant legislation. Each nation, industry and business differs.
While maintaining compliance may be an afterthought in many businesses, it must be a priority to make sure it happens. If it is not prioritized in your organization, you must determine whether you will manage it on your own, allow your vendors to manage or if you have internal resources that will manage it.
Regardless, policies should be flexible enough to change over time and allow the organization to scale.
For example, if you determine to have your vendor manage data sovereignty, you should ensure that they have resources in the right locations to do this properly and that they can verify and report back to you that regulated data does and will exist only in allowed locations.
The strictest data sovereignty requirements come in two forms: laws and industry regulations. Governments like France, Germany and Russia have some of the strictest laws regarding the data of its citizens. These laws require that data will be stored on physical servers within their country.
Finance, healthcare and government industries also have similar requirements about where the data will reside and how it is accessed. Some of this is driven by laws and regulations, others by the industry itself.
The good news for enterprise IT and legal departments is that they can leave the responsibility of complying with these laws to their cloud services providers – provided that data centers are in the right location.
When I was a kid, there were 7-Eleven’s on just about every major corner. Now it is Starbucks. Cloud data center growth is rivaling this – opening globally at a pace that is as fast as how often a new Wal-Mart store is opened in the US.
Many companies, including ServiceNow, are opening data centers across the globe at an every-increasing pace. Most of these companies are setting up data centers in countries and regions where there are specific needs and requirements for data sovereignty to assist their customers to comply with these rules.
Organizations that form a partnership with their vendors to help them understand and meet the various laws and rules are more successful at being in compliance.
Due diligence into cloud services providers and their data center locations is a must so that you don’t have to worry as much about what applicable data sovereignty laws are and that you are in compliance with them. The vendor can help significantly.
(Image Source: Wikipedia)
Finding a vendor that will comply with the policies set forth and one that is transparent is key. You should not only carefully review local laws but also you should fully understand the SLA of the contract with your cloud provider.
While there is sometimes concern around data sovereignty that causes companies to delay cloud migration, it is more specifically often the fear of the lack of security and control.
Organizations want to have complete control over how confidential data or personally identifiable information data is managed. You should select vendors who are transparent and that you trust. This is key to ensuring compliance, and to make sure that the vendor will protect the data. You should mandate that the vendor puts in place end-to-end encryption and sophisticated access controls as basic security and control capabilities. They should also ensure that they data is encrypted on premise before it even moves to a data center.
Because of all the benefits of cloud computing, along with the innovation it provides an organization, enterprises must take an active role in ensuring compliance with data sovereignty laws and regulations.
Banning the use of cloud is the wrong approach. We learned a decade ago that those who try to block the use of the internet – and in this case cloud services – will face employee backlash, loss of resource control, loss of business and eventually security and compliance issues.
Data sovereignty laws should not limit, but speed up the adoption of cloud-based services and ensure the transparency of cloud providers. Companies who don’t do this now face unintended consequences. Companies who actively plan and work with their cloud service provider to manage data sovereignty will see the planned consequences come to fruition and be much more competitive.
By Allan Leinwand, CTO at ServiceNow