How To Address Data Sovereignty In The Cloud





Organizations looking to benefit from the scalability, agility, and capital cost savings of cloud computing inevitably encounter the issues of data privacy and security. In the corporate data center, data security and privacy are mostly about protection from hackers and insiders. In the cloud, however (public, community, hybrid, and sometimes even private), they are also affected by where data resides and the impact of local, regional, and national regulations on the privacy of that data, an issue known as data sovereignty.

The romantic image of the cloud is that of a nebulous place somewhere where data and applications float freely—exactly where doesnʼt concern the user. The reality, however, is that cloud providers house infrastructure, platforms, data, and applications in data centers just like everyone else, and where those data centers reside affects which nation, state, or locality has legal sovereignty over and thus potential access to that data. Organizations looking to store any data or applications in the cloud, including via software as a service (SaaS), need to take these and other compliance concerns into account when deciding what to put in the cloud, what type of cloud to put it in, and what provider they intend to use.


One of the biggest catalysts for concerns about data sovereignty has been U.S. anti-terrorist legislation such as the Patriot Act, the Foreign Intelligence Surveillance Act (FISA), and extensions to the latter signed into law recently. These laws give U.S. intelligence and law enforcement agencies unprecedented leeway in requesting information held in U.S. data centers as part of terrorism investigations, including data held by foreign organizations in the U.S. Similar regulations exist in other countries, including Australia. There are also international treaties that affect the subpoena and surveillance of data belonging to U.S. and sometimes foreign organizations stored in data centers outside the U.S. The legal implications of these acts for foreign and domestic organizations are complex, evolving, and often not well understood. And perhaps worse, they sometimes conflict with data privacy legislation in the European Union and Australia requiring organizations to let users know who has access to their data. More recent European legislation has even required certain organizations to keep customer data within the country of origin. And of course there are other compliance issues that come up wherever data is located.

Aside from anti-terrorist legislation, there are also Federal, state, and local tax laws that affect transactions taking place in U.S. data centers, including those of organizations based abroad. They are equally varied, complex and evolving.

Finally, data stored in the U.S. may be subject to U.S. laws regarding data retention and discovery. And any disputes arising from U.S. based cloud services may fall under U.S. law. The same is true for foreign based services used by U.S. organizations.

Data sovereignty has become a particularly important issue for organizations based outside the U.S., because most of the major cloud services, such as Amazon Web Services, Rackspace, and others, are U.S. based and host infrastructure and/or store data in U.S. data centers. Many of these services have data centers outside the U.S. as well, but standard cloud service contracts often give customers little to no control over where their data or the cloud infrastructure they make use of resides.

Under these circumstances many organizations choose to avoid housing any sensitive production data or applications in the cloud. However, such a move may limit their IT options and competitive position unnecessarily. It doesnʼt necessarily solve the problem either, as organizations may not be aware that their in-house developers run test beds or applications in the cloud that make use of sensitive data. In other cases an organization may already be using the public cloud during peak load periods. It may be using a cloud service for backup or disaster recovery. Or IT may not be aware that there are internal departments taking advantage of cloud services, including software as a service applications (SaaS) such as, without ITʼs full knowledge or permission. Sensitive data stored internally but used externally by SaaS may be vulnerable and subject to data sovereignty concerns.

So how does an organization looking to take advantage of the cloud address the risks and other issues of data sovereignty? Here are some basic steps to take when addressing the issue of data sovereignty in the cloud.


ALL OR NOTHING? Learn more at call(US) +1 877 262 3473 (UK) +44 800 500 3167



A good first step to addressing cloud data sovereignty issues is to do a risk analysis of any data and applications that either reside in the cloud today or may reside there at some time in the future. Classify which and how much data is high, medium, and low risk in terms of privacy and security. Some organizations classify data as either private, restricted, or public.

IT cannot do this alone. Itʼs essential that representatives of the business and legal units be involved in the classification process as they often can best judge which data has which level of sensitivity. Compliance issues should be taken into account as well, which is why legal counsel should be involved.

High-risk data usually includes any type of customer or client information, including names, addresses, numbers, email addresses, and of course credit card information. The same goes for employee and other human resource information. Any financial records should be analyzed carefully both in terms of business and regulatory risk. And email and other types of business records should be considered, not to mention any documents and other data that may involve intellectual property.

IT should also conduct discussions with members of the various business units to discover cloud services used by those departments and their employees. This may sound like a lot of effort. However, itʼs an essential step, not just for addressing data sovereignty, but for general IT security and compliance as well. Users may be unaware that the data involved may be vulnerable to attack or subject to regulations such as HIPAA. Finally, disaster recovery and software testing and development should be considered as well, as these folks may be using recent sensitive data and the cloud as part of their testing or backup environment.

Once IT has classified data according to high, medium, and low risk, a determination should be made as to how much high and medium risk data is either currently or likely to end up somewhere in the cloud at some time in the future. Itʼs important to consider not just data stored in the cloud, but data used by SaaS and software testing, as well as any applications you may be running in external data centers.

If you have no intention of letting any sensitive data into the cloud and feel you can actually accomplish that goal, then it may not matter where your data is stored. Keep in mind, however, that by doing so you may be limiting important options that could make your organization more agile and competitive. If it seems inevitable that some sensitive data will end up in the cloud, then you need to be very careful which cloud providers you choose to work with.

There are many criteria to take into account when evaluating a cloud provider that have no bearing on data sovereignty. As part of your data sovereignty investigation, however, you should take into account these criteria.




Any organization concerned about sensitive information should make sure the cloud providers itʼs considering are used to dealing with organizations with similar concerns. One way is to ask for some examples of existing customers likely to have similar concerns about data privacy and sovereignty as your organization. If the provider has large enterprise or government agency customers, thatʼs a good sign.

Make sure the provider reacts the way it should to questions about data sovereignty. Are they familiar with the issue, used to those types of questions, and able to provide their own informed perspective and advice on ways to address data sovereignty issues?

Where are the cloud provider data centers located? If youʼre a company based in the UK or Canada with concerns about data sovereignty, for example, which of your short list of cloud providers offers data centers in those countries? If the answer is none, or if all their data centers are located in one country or region, you may want to go elsewhere.

Otherwise itʼs important to conduct a thorough analysis of the data sovereignty issues involved with their data center locations. How likely is it, based on national, regional and local regulations, that an intelligence or law enforcement entity would have the legal authority to monitor or request data stored in those locations? Itʼs important not to simply limit your consideration to whether you think itʼs likely your data would be monitored or requested. What are the tax implications, if any, of storing data or running transactions in those locations? There may be local, state, province, or other regulatory and tax implications as well. What treaties do those countries have with others regarding data sovereignty?

Most likely an organization with data sovereignty concerns will not want a cloud provider that relies solely on standard contracts. Look for providers that are willing to negotiate with an understanding of your business and data sovereignty needs. Chief among your concerns will be finding a provider that not only lets you choose where you want your data or applications located, but has an established record of complying with those contract terms. In your negotiations try to get a feel for the providerʼs awareness of the data sovereignty aspects of their data center locations and what they might mean for your business. And make sure you ask questions about that providerʼs disaster recovery practices to ensure your sensitive data wonʼt be backed up, snapshot, or replicated to locations with other data sovereignty implications.

Part of your contract should be a requirement for immediate notification if the provider plans to make any changes in data center and backup locations. And look into what will happen to your data if you discontinue the service. What measures will the service take to eradicate your data from their systems and storage?





As Ronald Reagan liked to say, trust but verify. Having assurances that your data is stored in a particular location is not enough. You want to be able to verify this is the case. Work with a provider that is willing to be subject to an audit of where your information is stored, including backup and disaster recovery. Check if theyʼll allow you to visit the data centers that house your data and applications. Look for provider monitoring tools and portals that allow you to verify location, and perhaps even APIs that allow you to plug in your own management tools for this and other purposes.
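As an added illustration (not part of the original paper), the sketch below shows the kind of check your own management tooling could run over a location export from a provider portal or API: it compares the primary, backup, and replica location of every resource against the regions permitted for its risk classification. The inventory format, field names, region names, and policy are all constructed assumptions.

```python
import json

# Constructed policy: regions permitted per risk classification (hypothetical names).
ALLOWED = {
    "high": {"uk-south"},
    "medium": {"uk-south", "eu-west"},
    "low": None,  # None means no residency restriction
}

# Constructed inventory standing in for a provider portal or API export.
INVENTORY = json.loads("""
[
 {"id": "crm-db", "classification": "high", "region": "uk-south",
  "backup_regions": ["uk-south"], "replica_regions": ["us-east"]},
 {"id": "mail-archive", "classification": "medium", "region": "eu-west",
  "backup_regions": ["eu-west"], "replica_regions": []},
 {"id": "test-bed", "classification": "high", "region": "us-east",
  "backup_regions": [], "replica_regions": []},
 {"id": "brochures", "classification": "low", "region": "us-east",
  "backup_regions": ["ap-south"], "replica_regions": []},
 {"id": "hr-share", "region": "uk-south",
  "backup_regions": [], "replica_regions": []}
]
""")

def audit(inventory, allowed):
    """Return (resource id, copy kind, region) for every out-of-policy copy."""
    findings = []
    for item in inventory:
        cls = item.get("classification")
        if cls not in allowed:
            # Unclassified data cannot be judged against policy, so report it.
            findings.append((item["id"], "unclassified", item["region"]))
            continue
        permitted = allowed[cls]
        if permitted is None:
            continue
        # Backups and replicas count as copies of the data, not just the primary.
        copies = [("primary", item["region"])]
        copies += [("backup", r) for r in item.get("backup_regions", [])]
        copies += [("replica", r) for r in item.get("replica_regions", [])]
        findings += [(item["id"], kind, r) for kind, r in copies if r not in permitted]
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, ALLOWED):
        print(*finding)
```

Run on a schedule, a check like this also surfaces location changes the provider has not yet notified you about, and test or development copies of high-risk data that were never classified.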

For this and other security purposes you should strongly consider encrypting all your sensitive data in transit and at rest in the cloud. Check into the encryption options offered by the provider or consider the option of encrypting the data before it leaves your premises if possible.

This is pretty obvious but there are many other data security and compliance concerns besides data sovereignty that should be considered and wonʼt be discussed here. Suffice it to say that there are some providers that take enterprise level security more seriously than others.

There are certainly risks to housing applications and data in the cloud, particularly when the provider is based abroad. However, the business advantages of cloud computing are too great to ignore for most organizations struggling with shrinking budgets, emerging technologies, and cloud enabled competitors. By taking a careful, methodical approach to analyzing risk and choosing a cloud provider, you can reap the benefits of cloud computing while bringing the risks down to an acceptable level.





Media Contact

Sarah Hawley Ubiquity PR +1 480 292 4640