I grew up during the decades of the cola wars. Advertisements depicting “The Pepsi Challenge” were prevalent, and rumors of how Coca-Cola took great lengths to secure and protect their secret formula were wide-spread.

The protection of trade secrets is nothing new for businesses, but has become complicated by cloud computing. But as digital information increases, governments realize the need to protect their citizens’ personal data with the fierceness that Coca-Cola was said to protect their secret formula. Enter data sovereignty.

The principle behind data sovereignty is that digital information is governed by the laws of the country or state where it is located or where it originates. Data sovereignty is proving to be a huge challenge for today’s organizations looking to move their systems to the cloud - there is no official international or even national agreement that would provide a standard set of requirements across all countries.

This forces companies to navigate the international maze of privacy and data hosting laws which vary from region to region, some more strict than others. It adds a new level of complexity that many companies are not prepared to handle. Some companies may even feel that it would be an easier task to re-introduce New Coke or Crystal Pepsi.

Catch the wave

Organizations would be amiss to not take advantage of everything the cloud has to offer, including its financial benefits and innovative capabilities. While concerns around data sovereignty requirements are valid, they should not keep companies from migrating to the cloud.

When an organization decides to evaluate cloud services, they should determine:

  • If the company does business in a region that has applicable data sovereignty laws
  • What type of data those laws govern
  • What controls and governance can be implemented to ensure compliance to those laws

Data sovereignty laws vary from country to country. Countries known for having strict data sovereignty laws include France, Russia and Germany. These countries mandate its citizens’ personally identifiable information (PII) is stored on physical servers within the country’s physical borders.

In addition, certain industries within the U.S - such as government and healthcare - also demand the same level of stringencies. For instance, some federal agencies within the United States require their data be stored exclusively within the U.S.

In speaking with potential customers, I’ve found that most companies give up after asking this first question. They think that since there are applicable laws that they cannot use the cloud. Yet, when they realize that email is a form of the cloud, their mindset begins to change. As a result, knowing what type of data these laws govern is crucial. Many of the laws across the globe only apply to PII and financial data, which includes names, IDs, addresses, credit card information and so forth. Oftentimes the laws allow for other information that may be attached to this data to be stored elsewhere.

Once organizations understand these laws and what data they apply to, various controls can be set up so that the cloud can be used effectively. For example, only allowing citizens of the country that has data sovereignty laws to access the sensitive data within the country may be one control. A second may include on-premise encryption and ensuring that all data in-transit and at-rest is also encrypted with the keys residing in the country of origin. Yet a third may include a strategy to remove PII data for information that can be encrypted and stored elsewhere.

The choice of a new generation

Once the laws are identified, understood and governance controls are created, vendor selection can begin to take place. This choice is critical to ensure proper compliance. Often, I recommend that a summary review of local laws be presented to all vendors who are selected. A careful review of the service-level agreement (SLA) and the security and control processes from the cloud provider will also help ensure compliance.

A review of the service-level agreement should include ensuring the service provider and the locations of their data centers meet the requirements of local laws. The provider should have a large enough network, as well as be agile and flexible with respect to the physical location of the data to demonstrate compliance.

In addition, the provider should supply the right level of control that you and your organization are comfortable with. In particular, you should ensure you have complete control over who manages company confidential data or personally identifiable information (PII) data.

Finally, the vendor should have processes in place to ensure you are in compliance and be an active part of protecting the organization’s data. This should include ensuring the end-to-end encryption of all data in-transit across the Internet and of data when it is stored at-rest in the cloud. These keys should be kept on premise in pre-selected locations within the country of origin – such as a corporate data center.

The vendor should be able to provide sophisticated access controls including role-based authentication user controls. This ensures that only those designated employees within specified countries can access the required data.

Gotta Have It

By following these principles, organizations across the globe may realize the benefits of moving to the cloud. Migrating to the cloud will seem less daunting. They will have confidence that not only will they be in compliance with data sovereignty laws, but that their competitive trade secrets are also secure. They will have more trust and greater confidence in the cloud. And, who knows, maybe they’ll even have time to have a coke and a smile.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access