If your organization provides financial services, then you know that moving to the cloud isn’t easy. Concerns over cloud data sovereignty can make adoption a challenge.
There is, after all a lot to think about, especially on the regulatory compliance front. Many cloud application providers have data centers scattered across the world. This creates “difficult jurisdictional issues,” as former Secretary of Homeland Security Michael Chertoff wrote for SafeGov.org. Whose laws apply?
- The laws of the country in which the data originated?
- The laws of the country in which the cloud customer is based?
- The laws of the country, or countries, in which the cloud provider houses its data centers?
- The laws of the country in which the cloud provider is based?
- Or all of the above?
Where’s Your Data? Check out the cool infographic
Click on the image to zoom
Cloud Data Sovereignty: A Tangled Web
Share this Infographic On Your Site
Click Image to Zoom
There are no international standards governing data sovereignty or residency, just a tangled web of regional and national laws and international alliances. Cloud application providers may hand the information over more easily than your organization would. And on top of that, you’ve got to wonder whether letting a cloud application provider store your data offshore introduces new security concerns. Chertoff argues that it will, stating that offshore data storage significantly increases the risk of intrusion and insider threats. A lot to think about, indeed.
The problems aren’t insurmountable, though. In fact, taking just a few steps can greatly reduce or even eliminate your data sovereignty concerns.
The Gartner Research note, “Five Cloud Data Residency Issues That Must Not be Ignored” report recommends enterprises take steps to assure the privacy of sensitive information, achieve regulatory compliance and understand the implications of data disclosure laws.
According to the authoring analysts,
“…even if the data is encrypted and the keys are managed in a separate jurisdiction, enterprises should be aware that requests for legal assistance, based on bilateral agreements, may be executed between those countries. However, in a well-architected system, the cloud application provider does not have direct access to the keys. In this way, if a legal request is made for access to the data, the enterprise must be involved.”
Top 5 Best Practices to Eliminate Cloud Data Sovereignty Concerns
Many countries have passed national laws granting authorities access to enterprise cloud data that may conflict with the legal protection rights of data in the originating jurisdiction, leaving companies wondering how secure their data is and how compliant they are with regulations. Gartner’s research helps enterprises understand these risks and recommends the following best practices for eliminating data sovereignty concerns:
- Consider deploying encryption solutions if there are data residency concerns for data crossing borders
- Ensure that privileged users in cloud services providers are not granted access
- Manage the keys locally to comply with local privacy requirements
- Ensure that the selected vendor encryption products can provide the level of security, and operate in the different storage environments and locations as required
- Use a documented key revocation and destruction process
A Powerful, Seamless Solution
But if your data’s always encrypted, what happens to its usefulness? Depending on your encryption solution, it could be rendered useless, just a string of gibberish. Or it could retain its functionality and usefulness. CipherCloud, for example, has partnered with the world’s leading cloud providers to integrate our persistent encryption with their services for seamless functionality of encrypted data.
CipherCloud’s cloud information protection platform enables you to do just that by giving you full control of your enterprise’s encryption keys.
And to keep on top of what’s happening with your data, no matter where in the world it lives, make sure you have full visibility. “Control, management, and visibility” are among the top concerns when it comes to cloud data residency, according to GigaOM. That’s why CipherCloud offers powerful monitoring and visibility solutions to keep customers abreast of the status of their confidential data.
What are your organization’s cloud data residency concerns, and how do you plan to address them? Let us know in the comments.
Check out these related resources:
- Free White Paper: Managing Data Residency and Compliance in the Cloud Age – How to enable new cloud applications while maintaining control over your sensitive information
- Free eBook: What You Need to Know About Cloud Information Protection Solutions
This evaluation guide includes a handy “report card” and 5 critically important business and technical considerations you will want to understand