Tuesday, January 31, 2023

Keeping your data sovereign in a multi-cloud world

The public cloud services market continues to expand, having grown 29% year over year in 2021, according to IDC. The large-scale growth of cloud computing services, coupled with new approaches to data storage, have broken down traditional geographic barriers more than any previous technologies.

With this reality comes a rise in concerns about data sovereignty and data residency – the former referring to the concept that digital information is subject to the laws of the country in which it’s located. More and more, this issue is coming to the forefront for organizations as they consider the best way to store their data. But it doesn’t have to be a choice between secure, convenient data storage and data sovereignty.

The problem with data sovereignty

There are two issues at play here, one of which is the data’s location. If you’re in the UK and you put data into the AWS US-East-1 instance, that’s in Virginia and, therefore, likely subject to regulations like the U.S. Patriot Act. Similarly, if you put it in an AWS instance in Sydney, it’s potentially under the purview of the Australian Signals Directorate. In other words, the host nation may have rights to access the data.

Let’s say your company is based in Ireland and you put data into a public cloud instance in Ireland, like an AWS instance. Then it would seem that all is well. You’re in Ireland, which is a sovereign country. Well, not exactly. In theory, that data is subject to the privacy and compliance laws of the U.S. because the cloud provider is headquartered in the U.S. – which means it could be reviewed or interrogated by agencies there under the U.S. Patriot Act.

Another question to consider is: What does the organization that owns the servers have the rights to? Let’s say a company in the UK puts data in Ireland (eu-west-1) using Amazon. Because Amazon is a U.S. entity, the Patriot Act applies, but it’s also possible that some Irish rules apply, too.

Many countries have now enacted legislation that requires organizations to keep their customer data within the country the customer resides – but that’s easier said than done, given how public cloud providers work and where their servers are located.

Storing data and keeping it sovereign

This issue also goes to data residency, which strictly refers to the physical or geographic location where your organization’s data is located, not necessarily the laws that govern it – that’s the sovereignty part.

When you put your data into a public cloud, you give up a certain level of control of your data, from both the residency and sovereignty perspectives. And it’s a trade-off, of course; for many organizations who decide to move to the public cloud, that loss of control comes with the scalability and flexibility that the public cloud offers.

As many organizations have pushed migration to the cloud – particularly with the need to enable remote work – many probably weren’t thinking about the full implications here. They just needed to get their information into the public cloud, and the public cloud does offer many benefits.

But increasingly, organizations and entities are re-thinking this approach, and data sovereignty is becoming more top of mind. In fact, Microsoft recently introduced a new cloud and data sovereignty service aimed at the public sector that promises to tackle this situation.

What if you didn’t have to sacrifice control or sovereignty over your own data in order to reap the other benefits of the public cloud, such as scalability and flexibility?

The promise of the on-prem private cloud

With an on-premises private cloud, your data is yours and it remains in your data centers. No one else can get access to it unless you authorize it. You can share that data with another department in the same company, or even a different company; it’s completely your choice.

This approach enables you to have both more security and more control over your own security. In a survey by the Cloud Security Alliance,  31% of respondents said they were not confident or only slightly confident about their ability to protect sensitive data in a cloud environment. An additional 44% reported they were only moderately confident.

Repatriation efforts are still largely being driven by cost, but we are seeing organizations gain other benefits, as well.

Is a private cloud for you?

As more and more organizations have moved to the cloud and the public cloud market grows larger, data or digital sovereignty is growing in importance. International regulations can require access to your data and that of your clients. This can get very messy, very quickly in the public cloud.

But what if you didn’t have to choose between the benefits of the public cloud and the desire to maintain control or sovereignty over your data? Today, that’s an option via the on-premises private cloud model. Use the information above to help you determine what configuration will best serve you and your customers.