Digital technology trends show that organizations and governments around the world are harnessing the agility and cost savings of cloud technology and adopting a cloud-first strategy for their IT workloads. As cloud maturity continues to accelerate, so has legislation and the policies governing cloud technology, leading to increased emphasis on data sovereignty, and for a good reason. The cloud hasn’t just changed how we use technology. It’s changing how we think about it.
In the past decade, the European Union (EU) has led the way in passing data privacy legislation, namely the General Data Protection Regulation (GDPR), which lays out comprehensive requirements for organizations that collect and process the personal information of individuals in the EU. The combination of rapid cloud adoption and legislation like GDPR has been a catalyst for policy groups and governments worldwide when it comes to safeguarding their citizens’ most valuable resource: Data.
Data sovereignty is a complex topic, and the definition and applicability can vary by region, but a central theme of data sovereignty is empowering organizations and individuals to retain more control over their data. Often discussed as a singular item, we believe data sovereignty is achieved in multiple ways. The following examples contribute to a strong data sovereignty strategy:
Choice of location: The physical location where the data is stored
Cloud isolation: Physical, logical, and network separation to limit sharing of data
Access management: Control over access to your data and the underlying infrastructure, both by limiting access and ensuring data availability and portability for those you authorize
Operations personnel requirements: Restriction of operations and support to personnel meeting specific security clearance, citizenship, or residency requirements
Transparency in data access decisions: Handling and reporting on extraterritorial law enforcement requests for data access, including interactions with local authorities
Enhanced hardware and software security: Use of capabilities, such as a hardware security module (HSM), encryption, and confidential computing
In this blog series, we examine these and other critical aspects of data sovereignty in the cloud. Let’s start by looking at the choice of location, its implications, and the available options.
Data location and its impact on data sovereignty
Having the ability to choose the geographic regions where your organization stores its data is an important way to retain control over your data. Consider the following key factors in determining the appropriate cloud deployment model for your organization’s objectives:
Data classification: Determine the type of data you plan to store in the cloud based on your business standards and any applicable regulations.
Data storage: Determine if your data is subject to any geographic restrictions. Under some data protection regulations, sensitive data might need to be stored within the geographic boundaries of a country or region.
Data availability: Maintain uninterrupted access to data and services that can be vital to business operations, government functions, or public infrastructure security.
The choice of location for your data can help you meet your data storage and data availability needs in line with data processing and data transfer requirements under applicable data protection laws.