The value proposition of cloud computing is highly compelling. The cloud offers rapid provisioning of low-cost compute resources, a decreased burden of capital expenditures and geographically dispersed workloads. Many global companies are eager to shift and often leap forward with migration projects, only to be blocked when jurisdictional compliance rules for data are encountered. Shifting cloud strategies to address data sovereignty requirements can result in unplanned additional investments.
Data sovereignty regulations can complicate the delivery model that has made cloud computing attractive, presenting new concerns for companies operating in multiple countries. It’s often assumed that some workloads cannot leverage the benefits of the cloud without being impacted by jurisdictional concerns, so it helps to understand how best to address the issues of jurisdiction and computing across geographical borders in a way that supports varied demands from different applications.
Data sovereignty rules generally center on the idea that digital data is subject to the laws or legal jurisdiction of the country where it is stored. However, many countries have concerns extending beyond basic export control of data, and will also look at where that data is created and processed, as well as where and how it is encrypted.
What about governmental bodies attempting to protect information while utilizing the cloud? Germany, Israel, South Korea and a growing list of other countries all have highly restrictive data sovereignty laws and practices. When planning cloud migrations, it is wise to consider the implications up front and, whenever possible, "bake in" steps for remediation to prevent unexpected rework and cost.
Know your data – Awareness of what will be stored in the cloud can require considerable analysis. Companies best prepared to be agile with their compute environments are those having a firm grasp on the nature of their data before migration.
- Data classification – Does your data include information that may have implications around personal privacy, sensitive financials, security, or company intellectual property?
- Scope of each classification – What level or range of impact does the specific data to be migrated carry for each classification category?
Determine your risk tolerance – Depending upon the potential impact if a breach were to occur, companies should be ready to make judgements as to what they are prepared to handle for each data classification.
- Map classifications to include intended as well as potential use (or misuse)
- Weigh data use against international views and rules on privacy
Identify tolerable solutions for each classification – Develop and standardize acceptable methods of securing each type of data in a manner that will meet any sovereignty laws that may be applicable to you.
- Understand the sovereignty rules as well as any activity within the specific geography that may impact these rules.
- Architect to provide electronic evidence if breaches occur. In the event of an issue, preparedness for dealing with the problem can lessen its impact.
Technology advances at an ever-increasing rate. However, jurisdictional regulation will always need to play catch-up. Data is the lifeblood of many large organizations. Due diligence in understanding how it can be used and protected should not be an afterthought.