Data sovereignty requirements are pushing IT leaders to adopt hybrid cloud or local cloud service providers as an alternative to the Big 3 cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
Nearly all (98%) of the respondents to a Scality survey of IT decision-makers across the United States, France, Germany, and the UK said they already have data sovereignty policies in place or plan to implement them.
What Is Data Sovereignty?
Data sovereignty is a term used to describe a variety of requirements to retain specific data within approved geographical or legislative borders where the data was collected or created.
Most of these requirements are enacted by governments (individually or collectively) through privacy laws and treaties, but can also be contractual in nature, requiring organizations to retain data within the approved national boundary or within the borders that have certain agreements or similar control environments in place.
A related concept is data localization, which requires organizations to store the data (or at least a copy of it) in the country where it was collected.
Four in 10 of the survey respondents said they will primarily store their data on a large public cloud, such as regional offerings by AWS, Azure, or Google Cloud, while 36% of respondents said they will deploy a combined on-premises/public cloud solution (hybrid cloud).
As with any current or new legislative or contractual requirement, the first challenge is always awareness and understanding of impact, according to Gopi Ramamoorthy, senior director of security and GRC (governance, risk, and compliance) at Symmetry Systems.
This usually requires some consultation with legal or other subject matter experts to understand the requirements fully before assessing the organization's current state, particularly for new regulations or contracts.
"As the next step, they need to architect the systems or enforce data-level controls to retain the data within the approved geo boundaries," he said. "Importantly, IT leaders should be aware that data sovereignty requires ongoing monitoring and compliance."
At present, many of the data sovereignty requirements are derived from restrictions on cross-border transfers embedded within modern privacy laws, such as the EU's General Data Protection Regulation (GDPR).
Gartner predicts that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world's population.
In the U.S., the prospect of a federal privacy law and changes to individual state laws such as the California Consumer Privacy Act (CCPA) will likely have implications for how the adequacy of U.S. privacy law is assessed under the Trans-Atlantic Data Privacy Framework.
Because of geopolitical shifts over the last few years, a growing set of countries is enacting new data sovereignty, data residency, and data localization laws to protect their own interests and encourage local emerging tech industries, according to Ramamoorthy.
Cloud Providers' Struggles with Data Sovereignty
Cloud service providers will be challenged to implement, monitor, and maintain controls, and to keep pace with the rate at which data sovereignty regulations change, Ramamoorthy said.
Whether it's nation-state espionage, concerns about user privacy, or evolving compliance standards, governments and their citizens are raising concerns about who is accessing their data, what their intentions are, and how detailed the content of that data is, said Davis McCarthy, principal security researcher at Valtix.
"Internet and data sovereignty has social and economic ramifications," he said. "Countries seek to commoditize data while also using it to expand their foreign and domestic influence."
Over the next few years, geopolitical tensions in cyberspace will continue to escalate and shape how private companies do business, McCarthy said.
"It's much like what we've seen with the U.S. raising national security concerns about TikTok or Russia mandating that data be siloed within its borders," he added.
How Cloud Providers Are Handling Data Sovereignty
Although the shared responsibility model that most cloud service providers have adopted leaves the security and compliance of customer data with the customer, many providers have clearly defined zones and segmented regional data centers that address data sovereignty at the infrastructure layer, built in response to customer requirements, Ramamoorthy said.
"In addition, the cloud service providers have supported their customers by meeting as many requirements as possible and maintaining them for their customers," he added.
Organizations can use these well-implemented zones and audited or certified regional data centers to meet many common data sovereignty requirements. Choosing a region is necessary but not sufficient, however: cross-region replication, backups, log shipping, and global (region-less) services can all move copies of data outside the chosen boundary, so the region of every copy, not just the primary store, has to be checked.
Consistent region and zone constructs across a provider's services can help multinational companies reduce the effort of working out where data is located within the provider's regions and of ensuring that data is not stored outside the required boundaries, Ramamoorthy said.
"In addition to using the zones and regional data centers provided natively by cloud service providers, organizations should invest in emerging hybrid-cloud-native tools like data security posture management to ensure the data security and compliance and regulatory requirements are met within their cloud environments at the data object layer," he said.
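The following is an added example, not code from the article, Symmetry Systems, or any cloud provider, showing the two layers just described: a preventive region guard-rail in the shape of an AWS Organizations service control policy (the `aws:RequestedRegion` condition key is real; the list of exempted global services is illustrative and must be tuned per account), and a detective check at the data-object layer, of the kind a DSPM tool would run, that flags stores whose region or replication targets fall outside the boundary permitted for their data classification. The classification policy, the inventory, and all resource names are constructed for the example.

```python
"""Region-residency audit over a constructed cloud storage inventory (added example)."""
import json
from dataclasses import dataclass, field

# Constructed residency policy: classification -> regions where that data may rest.
# None means the classification carries no residency constraint.
RESIDENCY_POLICY = {
    "eu-personal": {"eu-west-1", "eu-central-1", "eu-north-1"},
    "uk-personal": {"eu-west-2"},
    "public": None,
}


@dataclass
class DataStore:
    """One storage location (bucket, database, share) from a hypothetical inventory."""
    name: str
    region: str
    classification: str
    replication_targets: list = field(default_factory=list)  # regions copies are sent to


# Constructed inventory; none of these are real resources.
INVENTORY = [
    DataStore("crm-eu-prod", "eu-central-1", "eu-personal"),
    DataStore("crm-eu-backup", "eu-west-1", "eu-personal", ["us-east-1"]),  # copy leaves the EU
    DataStore("hr-uk", "eu-west-2", "uk-personal"),
    DataStore("analytics-scratch", "us-east-1", "eu-personal"),  # primary copy outside the EU
    DataStore("www-assets", "us-west-2", "public", ["ap-southeast-1"]),  # unconstrained
    DataStore("untagged-dump", "eu-west-1", "unknown"),  # no usable classification
]


def audit(inventory, policy):
    """Return (store, finding, region) tuples for every residency violation.

    The check covers the primary region and every replication target, because a
    compliant primary region with an out-of-boundary replica is still a breach.
    An unknown classification is itself a finding: untagged data cannot be proven
    compliant, so it must not be silently skipped.
    """
    findings = []
    for store in inventory:
        if store.classification not in policy:
            findings.append((store.name, "unclassified", store.region))
            continue
        allowed = policy[store.classification]
        if allowed is None:
            continue
        if store.region not in allowed:
            findings.append((store.name, "stored-outside-boundary", store.region))
        for target in store.replication_targets:
            if target not in allowed:
                findings.append((store.name, "replicated-outside-boundary", target))
    return findings


def region_guardrail(allowed_regions, global_services=("iam:*", "sts:*", "organizations:*",
                                                       "route53:*", "cloudfront:*", "support:*")):
    """Build an SCP-style document that denies any request outside allowed_regions.

    NotAction exempts global services that have no region and would otherwise be
    blocked everywhere; this exemption list is an assumption for the example and
    must be reviewed against the services the account actually uses.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": list(global_services),
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)}},
        }],
    }


if __name__ == "__main__":
    for name, finding, region in audit(INVENTORY, RESIDENCY_POLICY):
        print(f"{finding:30} {name:20} {region}")
    print(json.dumps(region_guardrail(RESIDENCY_POLICY["eu-personal"]), indent=2))
```

Run against the constructed inventory, the audit reports three findings: the backup store replicating to us-east-1, the scratch store resting in us-east-1, and the untagged dump. The preventive policy stops new resources from being created outside the boundary; the detective audit is what provides the ongoing monitoring the article calls for, since replication rules, backups, and tags change after resources are created.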
About the author: Nathan Eddy is a freelance writer for ITPro Today. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.