3 things companies must know about data sovereignty when moving to the cloud

810 readers like this.
CIO Cloud 1

I hear it nearly every day – the lament of teams trying to transform their enterprise from '80s-era software to the cloud: “Our state (or country, or regional authority) says that data can never leave our jurisdiction, which means we can’t store it in the cloud.”

It’s true that data sovereignty presents technical and legal challenges when moving on-premises systems and information stores to the cloud. There is no United Nations resolution, European Union mandate, or international trade agreement that provides one blanket set of data sovereignty requirements that all countries follow. Privacy and data-hosting laws vary by country and state, and some are more strict than others.

The thought of trying to navigate this international legal maze sounds complicated and time-consuming. It doesn’t have to be. The solution is not to delay or cancel cloud migration efforts, but rather to examine three key considerations at the outset: where your data will reside, what’s in the fine print, and whether your cloud services providers are transparent.

We’ve seen enterprises try to govern with an iron fist and block the use of cloud services – reminiscent of the enterprises a decade earlier that tried to block the use of the Internet.

Enterprises are increasingly adopting cloud-based services in order to take advantage of the many business benefits of not having to purchase, manage, upgrade, and replace systems and applications. Of course, all that data still has to “live” somewhere. But because a primary goal of using cloud computing is to create anytime-anywhere access to information and systems, most customers don’t give much thought to where their data is stored. That needs to change. 

Location, location, location 

The strictest data sovereignty laws, like those in Germany, France, and Russia, mandate its citizens’ data is stored on physical servers within the country’s physical borders. There are even some specific industries – governments come to mind – that demand the same. For example, certain United States federal agencies require their data be stored exclusively within the United States.

The good news for enterprise IT and legal departments is that they can leave the responsibility of complying with these laws to their cloud services providers. That’s why the opening of new cloud data centers globally is occurring at a pace once reserved for new Wal-Mart store locations. 

The chances are very good that, if you do your research, you can identify a cloud services provider whose data center locations ensure you comply with all applicable data sovereignty laws. Just as in real estate, location is the first factor to consider regarding data sovereignty when migrating to the cloud.

Perform your due diligence

The second is what’s in the fine print. Carefully review your local laws and the SLA of your cloud contract. Then have conversations with all applicable internal departments to gain an understanding of the root causes of all data sovereignty concerns. When I work with a company on its cloud migration strategy, and I am told that there is a government policy to keep data out of the cloud, I ask for the specific wording. Often, if they can’t provide that information to me, they haven’t done the research. So we have to dig deeper. 

Banning the use of cloud invariably leads to a world of shadow IT that seeps into the organization

I’ll ask: “Can you exchange email with entities outside of your company or region? Do you store any data outside your company or country with partners or suppliers? Do you use any other cloud services like SalesForce.com, Box, NetSuite, Amazon Web Services, Microsoft Azure, etc.?” In many cases, the answers to all three of these are “yes.” 

Demand vendor transparency

This brings us to the third key consideration regarding data sovereignty and the cloud: security and control. Often it’s not complying with the laws that cause an enterprise to shy away from the cloud. Rather, it’s the fear of no longer having complete control over who manages company confidential data or personally identifiable information (PII) data. That’s not to say there are no valid considerations with respect to data privacy. For example, countries within the European Union (EU) have restrictions on the transfer of PII data to countries outside of EU. In other cases, however, the objective may simply be normative. The legal or HR team may be uncomfortable with specific company information being kept outside of their entity. 

Therefore, choose a vendor who is transparent and you trust to both ensure you are in compliance and will protect your data from prying eyes. Look for these security and control capabilities when evaluating vendors: 

  1. End-to-end encryption: Ensure the encryption of all data in-transit across the Internet and stored at-rest in the cloud. 
  2. You hold the keys: Encrypt data on-premises before it ever traverses the Internet to your cloud provider’s data center. 
  3. Sophisticated access controls: Role-based authentication and other granular user controls that control what exact data each user can and cannot see.

Given the financial benefits, innovation, and momentum behind cloud computing, packing up the cloud and going home seems an unlikely outcome. We’ve seen enterprises try to govern with an iron fist and block the use of cloud services – reminiscent of the enterprises a decade earlier that tried to block the use of the Internet. Banning the use of cloud invariably leads to a world of shadow IT that seeps into the organization and results in a lack of resource control as well as data security and compliance issues. 

Data sovereignty laws should not limit the adoption of cloud-based services. In fact, it can have the opposite effect by compelling cloud vendors to be transparent. Follow these recommendations to work through data sovereignty concerns and make full use of modern cloud computing services. Move out of that 1980s technology stack and into the world of the cloud – you can get there with knowledge and a trusted vendor.

Allan Leinwand is chief technology officer at ServiceNow.  In this role, he is responsible for overseeing all technical aspects and guiding the long-term technology strategy for the company.  


There should be some law that is accepted internationally like the UN Charter, similarly for data soverereignty