Intralinks' Approach to Data Sovereignty Compliance
Data sovereignty is a concern for compliance, privacy and legal teams who are responsible for ensuring the enterprise meets its regulatory obligations.
9 March 2016
Data sovereignty is a critical emerging topic that addresses which legal and regulatory jurisdictions particular cloud-hosted information is subject to, and how vendors, customers and users can manage these overlapping jurisdictions. It's a growing concern for compliance officers, privacy officers, and legal teams whose responsibility it is to ensure the enterprise meets its regulatory obligations. This task is a challenging one as organizations put more data and information into the cloud while the global landscape for data privacy continues to evolve. Those involved must ask the questions, "Where is our data, is it safe, and are we compliant?"
While not a new subject of interest, data sovereignty is garnering much more attention now that the final text of the European General Data Protection Regulation (GDPR) has been released. This regulation contains provisions that give a data subject (i.e., the individual to whom the data pertains) the right to control what happens to his data. This makes it necessary for a data controller to know where that data is.
According to the Ovum research report "Data Privacy Laws: Cutting the Red Tape," there is considerable confusion over how enterprises should and can address how and where data is stored in the cloud. Cloud computing has broken down traditional geo-political walls. For example, data that originates in a particular country can end up spread across the globe as the cloud provider stores and replicates the data in geographically dispersed data centers. The enterprise with ownership of that data may not even know where it is — but is still responsible to take the appropriate steps to assure compliance with residency requirements. Verifying data location can be difficult and requires enterprises to trust cloud providers.
Then there is the question of what decides who has jurisdiction over the data? Is it the location of the owner of the content? How about the location of where the content is stored? Perhaps it should be the location of the company that owns the storage where the content is stored. Or maybe the location of the individual about whom the content may pertain. (This latter condition seems to be the condition favored by the EU's GDPR.) There's no clear answer, which makes it hard for enterprises to respond with a consistent data residency strategy that universally addresses all the potential permutations.
As a SaaS provider that enterprises trust with their most sensitive information, Intralinks has a multi-layered approach that helps our customers develop and execute a data sovereignty strategy that is flexible enough to meet varying residency requirements. There are three aspects to the Intralinks offering: Information Rights Management, Customer Managed Keys, and Distributed Content Nodes. Let's take a look at each of these elements.
Intralinks Information Rights Management (IRM) is a subset of digital rights management (DRM), technologies that protect sensitive information from unauthorized access. IRM operates under the notion that content is the new security perimeter. That is, security is embedded directly into a document and it stays with that document for its lifetime. Some of the key features include:
- Dynamic end-to-end control: The owner of a document can set and manage the document permissions, such as view, print and edit, regardless of the access device or the storage location.
- Expire documents remotely: This full document control can render documents inaccessible at any time or location.
Intralinks IRM is plugin-free; that is, no software has to be downloaded in order to use it. Moreover, IRM doesn't need any IT management. With Intralinks Information Rights Management, an enterprise can protect the private information in documents by explicitly specifying who can access the document and what they can do with it. These permissions can be revoked at any time to help maintain data sovereignty requirements.
A second layer of data protection is Intralinks Customer Managed Keys (CMK). It's generally accepted that encryption is an effective technology for protecting data, but the matter of who holds the encryption keys — especially when information is stored by a cloud service — is critical. CMK is a unique combined hardware/software solution that provides customers full and sole control over the ability to manage the encryption keys used to protect their data in the cloud.
Some risk averse customers see holding encryption keys as a viable alternative to an on-premises solution. A business case can also be made that by controlling the encryption keys themselves in a specific geography, customers may relax their risk tolerance for geographical data storage; the data may be stored anywhere, but the keys required to decrypt it are kept in country. This gives customers the ability to have the data under their control, in whichever location is necessary to satisfy data sovereignty requirements.
And a third layer of protection is known as Distributed Content Nodes, which Intralinks’ next generation platform will deliver. This is, essentially, a hybrid cloud approach in which Intralinks manages the application while giving the customer the control to determine where data is stored and processed.
Intralinks Distributed Content Nodes will provide the best of both worlds: SaaS economics and functionality, combined with tools for controlling where content is stored and processed. This will enable the customer to address country data protection regulations and support enterprise risk management policies.
We're happy to talk to you in-depth about how these three elements can help meet your own organization's requirements for data sovereignty. Contact us to arrange a discussion.
Deema Freij is SVP, Deputy General Counsel and Global Privacy Officer, based in Intralinks’ London office. Deema oversees global data governance within the company and is responsible for further strengthening the company’s worldwide focus on data privacy and the regulatory demands placed on its customers. Deema brings almost two decades of experience in the legal profession. Prior to joining Intralinks in 2011 as Legal Counsel, EMEA & APAC, she spent seven years as a legal consultant.