Data Sovereignty: What You Need to Know About Global Data Sharing Responsibility
Data sovereignty will become a growing concern. Companies need to start adjusting cloud strategies appropriately now to meet evolving regulatory demands.
25 November 2015
Data sharing is essential to foster business productivity, but with freer sharing comes regulatory concerns — namely around data location.
Data sovereignty is about taking ownership and responsibility of the mission-critical business data we rely on every day to operate. Most importantly, it is about the jurisdiction where the data resides and its legal, regulatory, and tax rules that businesses must adhere to for compliance purposes. The jurisdictions can be overlapping, thus creating challenges to businesses, users and vendors. As one sifts through the complexities, the root of concern is mostly around cloud applications and data location.
Protecting the Perimeter Isn’t Enough
In the past, organizations focused on protecting the perimeter — confidential information stayed within the physical walls, the firewall of an organization.
Adoption of cloud technologies has done away with the geo-political boundaries and created borderless workflows. People are sharing content internally, externally with vendors or customers, and globally on various devices. Meaning that when companies share information in today’s digital world, there are no longer any physical boundaries — which makes data location difficult to pinpoint.
In the New World Where Content is the Perimeter
In this environment, each file needs its own perimeter. However, some businesses struggle to maintain security and compliance. So, what aspect of data location is primary? Physical, where the data is stored? Legal, where the contract is signed? Political, where a cloud vendor is headquartered? Or logical, where control over data access is maintained?
The answer is still up in the air, but a sensible approach includes designing systems, processes, and technologies in which organizations can verify where data is stored, being processed, or consumed at any point. While some may consider this to be an issue for U.S. companies only, this Forrester Consulting study speaks to how organizations across the globe may face challenges managing the patchwork of varying country data sovereignty requirements:
- Protecting information and documents stored outside the regulating country
- Providing regulatory access to information stored outside the regulating country
- Certifying data residency inside and outside the regulating country
- Complying with current and emerging European Union (E.U.) data privacy regulations
Safe Harbor’s Impact on Business Collaboration
Safe Harbor, a ruling that allowed the E.U. to share information with the U.S., was designed to address the data sovereignty issues listed above, but with its demise, businesses need to go back to the drawing board. Under the new ruling, ‘what it will mean to stay compliant’ may not be clearly transparent or communicated to companies. For example, encrypting data at rest in a certain country pins the data to that location. Data is not leaving the jurisdiction if all users and devices accessing this data are local. But how does the vendor maintain compliance if a user from another country needs access? Or if a local user with access carries a mobile device across borders? This creates legal complications considering that non-compliant data flow can’t be stopped at any time — companies will need to implement new measures to avoid complete business disruption.
The good news is that companies are being forced to discover where all of their data is and how is it being processed by all parties, including third-party processors that may impact compliance. Businesses have to take a hard look at where their valuable data is stored and shared and how is it protected to avoid data loss and non-compliance. Data sovereignty forces organizations to employ good data governance and regain control over data that might have been eroded by employees using consumer applications.
The bad news is that this introduces new challenges and requirements for organizations that want to share content across locations. Providers will most likely transfer back to the companies using services all cost increases related to new compliance requirements.
Solving the Compliance Challenges of Data Sovereignty
Technical solutions must cover the whole content lifecycle — data at rest, in motion, and in use. This is an all-or-nothing proposition, as having only one aspect of the lifecycle covered will not maintain compliance.
To prove compliance, from the data owner’s point of view, a cloud vendor must be able to demonstrate control over their data at all three points in the content lifecycle.
Data sovereignty is in its infancy and will only become a growing concern. Organizations need to start adjusting cloud strategies appropriately now to meet evolving regulatory demands.
Stay tuned for my next post in this series, which will go into detail about the technical issues associated with data sovereignty and the resolutions to the questions I presented above around sharing data across locations.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian lead security functions at a multi-tenant online banking service provider and an international bank.