Data Sovereignty: Fear, Uncertainty And Doubt

Posted by Philip Bindley

Phillip Bindley at The Bunker, explains why compliance with data sovereignty laws is not necessarily a given with global Cloud providers.

Data sovereignty: fear, uncertainty and doubt

In the world of Cloud computing, it’s raining datacentres. After France, Germany and several other governments proposed new data sovereignty laws that require all information to be stored locally, public Cloud providers have been racing to catch up. Governments have become increasingly concerned by the Cloud’s ability to move data outside their jurisdiction to locations where data protection laws are less stringent, or different rules apply.

Today, major players like AWS, IBM, VMware and Microsoft are all clambering over each other to reassure customers by building new data centres throughout the EU to comply with local data sovereignty laws. Meanwhile, with EU General Data Protection Regulation (GDPR) now firmly on the horizon and potential penalties of 2% of global revenue for companies that fail to comply, data governance has again been thrust onto the Board’s agenda.

Is your data safe?

Following the PRISM scandal and the United States’ controversial Patriot Act, many businesses are rightly concerned that their Cloud providers may hand over sensitive data if access is requested by government agencies in other nations.

Even as we speak, Microsoft is fighting a US Federal Warrant to hand over customer data stored in Ireland. This isn’t a one off. In the six months to June 2014, Microsoft received over 34,000 information requests from law enforcement agencies in more than 65 countries. In over 75% of these cases, customer data was released.

There’s no doubt this is weighing on the minds of UK businesses. A recent study by Vanson Bourne found that 86% of enterprise customers believe it’s important for business-critical data to be stored with a UK-based Cloud service provider to ensure data sovereignty. Similarly, it’s no secret that British MPs have serious concerns over data offshoring.

These fears have given impetus to today’s national Cloud storage strategy, but will this approach actually keep your data safe? Most likely no. If your Cloud is provided by a foreign megacorporation, your data can still be subject to the influence of foreign governments – at least according to recent rulings by the US courts.

Global Cloud providers also need robust safeguards in place to ensure that data is never transferred to their other data centres worldwide accidentally. Your primary data may be stored in the UK, but what if your Cloud provider back-ups or archives information in another country? Your supposed data sovereignty can be completely negated at the click of a button. Once again, it seems the flexibility and low cost of public Cloud storage comes at the expense of security and compliance.

Caveat emptor

When considering a Cloud provider, always ask about their visibility into where your data is actually stored, as well as where backups and archives are kept. You should also discover where your provider is registered and headquartered as a business, since this will greatly determine which laws your information will be subject to. Any responsible Cloud provider will happily work with you during this process to guarantee your data sovereignty requirements are met.

However, the only way to address data sovereignty concerns once and for all is to choose the private Cloud, or ensure your information is stored and managed by a national company. At a national level, specialist Cloud providers can address both data sovereignty concerns and ensure security, compliance and high availability. Today, the reality is that no global Cloud provider can deliver similar peace of mind for your critical data.

Encryption is also an important factor to consider here, not just to ensure the security of your data, but to shield your business from data access requests. New storage techniques, such as object-based storage, can allow businesses to take advantage of the flexibility and cost-effectiveness of the public Cloud, while ensuring inherent security, by encrypting data both in transit and at rest. Provided the customer keeps at least one encryption key onshore, the Cloud provider would be unable to handover access to a foreign government or agency.

A stormy outlook

With so much fear, uncertainty and doubt surrounding data sovereignty, the weather forecast for the public Cloud looks stormy for some time to come. For the moment, organisations need to ensure that they select the right provider for their needs. Above all, it’s crucial not to let the dream of cheap Cloud storage today turn into tomorrow’s business nightmare.