3 Things Companies must know about Data Sovereignty when Moving to the Cloud
Jimmy Fitzgerald, Vice President and General Manager, Asia-Pacific & Japan, ServiceNow
I hear it nearly every day – the lament of teams trying to
transform their enterprise from ’80s-era software to the cloud: “Our state (or
country, or regional authority) says that data can never leave our
jurisdiction, which means we can’t store it in the cloud.”
It’s true that data sovereignty presents technical and legal
challenges when moving on-premises systems and information stores to the cloud.
There is no United Nations resolution, European Union mandate, or international
trade agreement that provides one blanket set of data sovereignty requirements
that all countries follow. Privacy and data-hosting laws vary by country and
state, and some are more strict than others.
The thought of trying to navigate this international legal
maze sounds complicated and time-consuming. It doesn’t have to be. The solution
is not to delay or cancel cloud migration efforts, but rather to examine three
key considerations at the outset: where your data will reside, what’s in the
fine print, and whether your cloud services providers are transparent. This all
sings the same tune as recent guidelines issued by the Monetary Authority of
Singapore that urge financial services to take a risk-based approach when
managing cloud outsourcing risks.
Enterprises are increasingly adopting cloud-based services
in order to take advantage of the many business benefits of not having to
purchase, manage, upgrade, and replace systems and applications. Of course, all
that data still has to “live” somewhere. But because a primary goal of using
cloud computing is to create anytime-anywhere access to information and
systems, most customers don’t give much thought to where their data is stored.
That needs to change.
Location, location, location
The strictest data sovereignty laws, like those in Germany,
France, and Russia, mandate that their citizens’ data be stored on physical servers
within the country’s physical borders. There are even some specific industries
– governments come to mind – that demand the same. For example, certain United
States federal agencies require their data be stored exclusively within the
United States.
The good news for enterprise IT and legal departments is
that they can leave the responsibility of complying with these laws to their
cloud services providers. That’s why the opening of new cloud data centers
globally is occurring at a pace once reserved for new Wal-Mart store locations.
The chances are very good that, if you do your research,
you can identify a cloud services provider whose data center locations ensure
you comply with all applicable data sovereignty laws. Just as in real estate,
location is the first factor to consider regarding data sovereignty when
migrating to the cloud. A good place to start is to check whether your
potential service provider is certified against local standards. In Singapore,
this is the Multi-Tier Cloud Security (MTCS) Singapore Standard (SS) 584, which
is the world’s first cloud security standard that covers multiple tiers of
cloud security. A Level 3 certification, for example, means that the provider
is certified to handle highly sensitive data such as patient records. A
list of Cloud Service Providers (CSPs) and their certification levels can be found here.
Perform your due diligence
The second consideration is what’s in the fine print. Carefully review
your local laws and the SLA of your cloud contract. Then have conversations
with all applicable internal departments to gain an understanding of the root
causes of all data sovereignty concerns. When I work with a company on its
cloud migration strategy, and I am told that there is a government policy to
keep data out of the cloud, I ask for the specific wording. Often, if they
can’t provide that information to me, they haven’t done the research. So we
have to dig deeper.
I’ll ask: “Can you exchange email with entities outside of
your company or region? Do you store any data outside your company or country
with partners or suppliers? Do you use any other cloud services like
SalesForce.com, Box, NetSuite, Amazon Web Services, Microsoft Azure, etc.?” In
many cases, the answers to all three of these are “yes.”
Demand vendor transparency
This brings us to the third key consideration regarding
data sovereignty and the cloud: security and control. Often it’s not complying
with the laws that causes an enterprise to shy away from the cloud. Rather, it’s
the fear of no longer having complete control over who manages company-confidential
data or personally identifiable information (PII). That’s not
to say there are no valid considerations with respect to data privacy. For
example, countries within the European Union (EU) have restrictions on the
transfer of PII to countries outside the EU. In other cases, however, the
objective may simply be normative. The legal or HR team may be uncomfortable
with specific company information being kept outside of their entity.
Therefore, choose a vendor that is transparent and that you trust
both to keep you in compliance and to protect your data from prying
eyes. Look for these security and control capabilities when evaluating vendors:
· End-to-end encryption: Ensure the encryption of all data in transit
across the Internet and at rest in the cloud.
· You hold the keys: Encrypt data on-premises before it ever
traverses the Internet to your cloud provider’s data center.
· Sophisticated access controls: Role-based access control and other
granular user controls that determine exactly what data each user can and cannot
see.
Given the financial benefits, innovation, and momentum
behind cloud computing, packing up the cloud and going home seems an unlikely
outcome. We’ve seen enterprises try to govern with an iron fist and block the
use of cloud services – reminiscent of the enterprises a decade earlier that
tried to block the use of the Internet. Banning the use of cloud invariably
leads to a world of shadow IT that seeps into the organization and results in a
lack of resource control as well as data security and compliance issues.
Data sovereignty laws should not limit the adoption of
cloud-based services. In fact, they can have the opposite effect by compelling
cloud vendors to be transparent. Follow these recommendations to work through
data sovereignty concerns and make full use of modern cloud computing services.
Move out of that 1980s technology stack and into the world of the cloud – you
can get there with knowledge and a trusted vendor.