Working with cloud services is easy for most businesses. Public cloud services are just data centers and software someone else runs for you, reducing risks and giving you increased scalability. It’s no wonder that the cloud is at the foundation of most digital transformations. Where things get complicated is when you’re in a regulated industry, dealing with data that’s subject to local and international regulations.
Unfortunately, that covers just about anyone who’s working with customer data, especially personally identifiable data, like credit card information. Things get more complicated when data crosses national borders, bringing in new questions about which data protection regulations apply. What started out as an easy way of adding storage and compute to data centers, or replacing expensive (and often unused) enterprise applications with a software-as-a-service subscription, is now much more complex – especially when it goes outside traditional IT procurement and operations channels.
CIOs and CSOs need to be aware of just what using the cloud means for their data, and how it needs to be managed and protected. What was best practice on-premises could well be a problem in the cloud.
There’s an apocryphal story of a CIO running to pull the ethernet connection of a marketing PC just before it uploaded a company’s entire customer database to a cloud service. It’s not something that anyone’s going to admit to, but it’s the nightmare many CIOs and CSOs have, watching data suddenly leave their control, putting the whole company at risk of significant fines. “But it’s safe in the cloud” is never a defense, once the regulator is involved.
Data regulations are complex things, and they vary dramatically from country to country, even when countries are part of a larger bloc, like the EU. Some laws, like the British regulations covering insurance and pensions, go back to the days of paper records, and make little or no distinction between paper and electronic data. The resulting minefield of rules and requirements needs careful analysis and interpretation.
With GDPR on the horizon, data protection becomes an important part of the story. The twist here is that it’s not just a matter of where your data is stored, but also a matter of where it’s created, and by whom. Then there’s the chaos that’s the EU’s privacy relationship with the US, currently being reshaped through Privacy Shield.
The original vision of the cloud was of a place where data could flow from data center to data center, all over the world, replicating in many places so it would never get lost. You wouldn’t need to know where your data was stored, all you’d need would be a way to access it. There was no need for transparency, data would be there when you needed it, wherever it was stored. And it would never get lost, being copied across continents to ensure it would be safe at all times.
But the world isn’t that simple. It’s a mish-mash of different jurisdictions with different rules and claims on data, rules that might depend on where the data is stored, on who owns the servers that host it, or on what type of data is being stored. So how can we prevent complexity, and reduce the risk of inadvertently crossing a data protection boundary?
That’s where the concept of data sovereignty comes into play; the idea that data can be kept in an appropriate jurisdiction. It’s an important part of the modern cloud, and one that’s essential for anyone trying to do business across multiple regulatory environments. By keeping data inside one region, using local data centers to handle redundancy (for example, Dublin, Amsterdam, and Munich for EU data, or London and Glasgow for the UK), we’re able to ensure it stays inside the right regulatory boundaries.
In some cases, cloud services will ensure data sovereignty through contracting ownership of their services to a local subsidiary, or even a third party that’s resident in the country that hosts the data center. It’s an effective way of ensuring data is locked to its country of residence, with no fear of being handed over to government agencies or being used for purposes that aren’t covered by data protection legislation.
Locking data into specific regions is only part of the story. Cloud networking services can route connections based on geo-location, sending users to the appropriate instance of an application based on where they are: someone coming from the UK is automatically given the IP addresses of the UK services, and the same applies to someone from Germany or from the US. Once they’re connected to the appropriate service endpoint, their data can be stored and managed in the appropriate regulatory environment.
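The two controls described above (replicas kept inside one jurisdiction, and geo-routing that sends users to an endpoint in their own jurisdiction) can be checked against each other. The following is an added example, not part of the original article; the site names come from the article's examples, while the dataset names, country codes and routing table are constructed for illustration.

```python
# Data-residency audit: replica placement and geo-routing must agree
# with each jurisdiction's allowed sites. All sample data is constructed.

# Jurisdiction -> data-center sites allowed to hold its data (cities from the article).
JURISDICTION_SITES = {
    "EU": {"Dublin", "Amsterdam", "Munich"},
    "UK": {"London", "Glasgow"},
}

# User country -> jurisdiction whose rules apply (assumed mapping).
COUNTRY_JURISDICTION = {"IE": "EU", "NL": "EU", "DE": "EU", "GB": "UK"}

# Hypothetical inventory: where each dataset is replicated.
DATASETS = {
    "eu-customers": {"jurisdiction": "EU", "replicas": ["Dublin", "Munich"]},
    "uk-pensions": {"jurisdiction": "UK", "replicas": ["London", "Dublin"]},
}

# Hypothetical geo-routing table: user country -> site of the endpoint served.
ROUTES = {"GB": "London", "DE": "Munich", "IE": "London", "US": "Dublin"}


def audit_replication(datasets):
    """Return (dataset, site) pairs where a replica leaves the jurisdiction."""
    findings = []
    for name, cfg in datasets.items():
        allowed = JURISDICTION_SITES[cfg["jurisdiction"]]
        findings += [(name, s) for s in cfg["replicas"] if s not in allowed]
    return findings


def audit_routing(routes):
    """Return (country, site) pairs routed outside the user's jurisdiction.

    Countries with no jurisdiction mapping are flagged too (fail closed),
    so an unreviewed route never counts as compliant by default.
    """
    findings = []
    for country, site in routes.items():
        jurisdiction = COUNTRY_JURISDICTION.get(country)
        if jurisdiction is None or site not in JURISDICTION_SITES[jurisdiction]:
            findings.append((country, site))
    return findings


if __name__ == "__main__":
    print("replication violations:", audit_replication(DATASETS))
    print("routing violations:", audit_routing(ROUTES))
```

In practice the inventory and routing table would be exported from the cloud provider's configuration rather than written by hand.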
Managing data is a big part of any digital transformation, and you need to be sure just what regulations apply, as getting things wrong can be very expensive indeed. If you know that data can’t leave a specific jurisdiction, or even if you’re unsure, make sure your cloud provider lets you lock your data to a country or a region. New regulations, like GDPR, will make things more complex in the future, so it’s important to get things right now, not when the lawyers are knocking on your door.