By 2022, according to the World Bank, global internet traffic is expected to reach 150,000 GB per second, a 1,000-fold increase compared with the 156 GB in 2002. And some of that data will be governed by regulations specific to the region in which it originated. If you are a business whose data crosses borders via the internet, you are responsible for following regional regulations. You must be able to ensure—and demonstrate—that you are in compliance with the regulations of every market in which you do business. Failing to do so can result in hefty fines or worse. That, in a nutshell, is data sovereignty.
Data sovereignty generally refers to government efforts to prevent their citizens’ data from falling into the wrong hands via measures that restrict how businesses can transfer personal information beyond their country’s borders. Those measures can be in the form of regulations—think General Data Protection Regulation (GDPR) in the European Union, which regulates data privacy in the European Union and the European Economic Area as well as the transfer of personal data from those regions, or the California Consumer Privacy Act (CCPA), which gives citizens the right to know what personal information companies collect about them and how it is used and shared.
The proliferation of cloud computing has brought the topic of data sovereignty to the fore. With the exponential growth of data crossing borders and public cloud regions, more than 100 countries now have passed regulations concerning where data is stored and how it is transferred. Personally identifiable information (PII) in particular increasingly is subject to the laws and governance structures of the nation in which it is collected. Data transfers to other countries often are restricted or allowed based on whether that country offers similar levels of data protection, and whether that nation collaborates in forensic investigations.
As a business, you must know precisely where your data is stored and then take the necessary steps to ensure that you comply with the legislation that governs that region. You also need to ensure that your cloud provider offers tight security and has protocols to follow in case of a data breach, or in case you need to destroy any data.
This is where your choice of cloud technology and cloud service provider can make a huge difference in the life of your business—and your data.
Often conflated with data sovereignty, data residency refers to where your data is stored geographically for regulatory or policy reasons. For maximum flexibility, choose a cloud provider that defines a set of mutually exclusive data center regions around the world—and in some cases subregions as well. Your software-as-a-service (SaaS) subscription contracts should commit that your data remains within the selected data center region or subregion. This includes not just your primary database instance, but also any backups or data replicated to a disaster recovery pod, unless otherwise stated.
Most data are processed in various ways by being transmitted from either their storage location, or from a sensor or external source, to the Random Access Memory (RAM) and CPU of a compute instance or server. The result of the CPU processing is then typically written back to data storage. For that reason, choose a cloud provider who will commit to not only data residency in your region, but also to ensuring that all processing locations are within the region, and that transmission paths of the data do not transect region boundaries. For example, if you upload a file to your service, where is the anti-virus scan conducted? It need not be in your primary data center, but it should be in your region.
Independent of where your data reside and are processed, you might have concerns about who among your cloud provider’s personnel can access your data, and from where. Principles of legitimate need and least privilege have long since become standard in the industry. Granting only temporary access should also be standard, leveraging expiry policies for every entitlement to prevent aged, unused identities and entitlements from being exploited by hackers. Nationality- and location-based access controls are becoming more and more common, with location-based access controls encompassing both work location, i.e. where you are pay-rolled, and geo-location, i.e. your physical location at the time of logon. Choose a cloud provider who can provide controls commensurate with the sensitivity of your data and the laws and regulatory requirements you are subject to.
Your data typically reside in either a database or some form of block or object storage. They may contain regulated data (personal information, health information, credit card information, etc.), or they may be sensitive in their own right (acquisition plans, proprietary designs, etc.). That data can be reflected within derivative data sets in alternate locations within your cloud provider’s operations. Good cloud providers will ensure that your data are not cached on third-party edge servers, for example. Nor should they be written into logs. But in the event of a server crash, a memory dump will most likely contain some of your data: whatever was being processed at the time of the crash. Choose a cloud provider who is willing to extend data protection measures, region restrictions and more to not just your data, but also to any derivative data that may contain reflections (copies) of your data.
Oracle offers several data sovereignty options, depending on your requirements, your industry, and your location.
Oracle SaaS@Customer: Oracle Cloud currently is available in 30 regions around the world, but even if Oracle does not offer a data center location within your country, you can maintain in-country data sovereignty by subscribing to Oracle SaaS@Customer. Oracle delivers hardware to your data center and installs either the Oracle Fusion Cloud Applications, Oracle Enterprise Performance Management (EPM) applications, or both. Oracle performs system maintenance either remotely over the network or on site with dedicated personnel. This enables you to consolidate applications and databases on engineered, high-performance cloud infrastructure right in your own data center, maintaining sovereignty anywhere you choose.
SaaS for Dedicated Region Cloud@Customer: An evolution of Oracle’s Cloud@Customer offering, SaaS for Dedicated Region Cloud@Customer brings Oracle Cloud Infrastructure (OCI) to your home turf, including all of the Oracle public cloud offerings. This cloud environment is managed remotely by Oracle and kept in sync with Oracle’s own data centers, so you can have a consistent experience across both. And of course it provides you the coveted in-country data sovereignty.
United Kingdom Government Cloud: If your organization is part of the United Kingdom government, whether central or local, you may be eligible for hosting in Oracle’s United Kingdom Government Cloud. Partners, integrators, and suppliers of the UK government may be eligible for hosting in the UK Government Cloud as well, pending documented sponsorship by a central ministerial department. Systems and data hosted there are managed by, and accessed exclusively by, personnel that are UK nationals residing in the UK with at least security check clearance.
United States Government Cloud: If your organization is part of federal, state or local government in the United States, or in certain approved industries, such as hospitals, energy utilities, and education and research institutions, you may be eligible for hosting in the United States Government Cloud. Partners, integrators, and suppliers of eligible US government entities may be eligible for hosting in the US Government Cloud as well, pending proof of a qualifying contract relationship with the government entity. Systems and data hosted there are managed by, and accessed exclusively by, personnel that are US citizens residing in the US.
United States Department of Defense Cloud: If your organization is part of the United States Department of Defense, you may be eligible for hosting in the United States Department of Defense Cloud (PDF). Systems and data hosted there are managed by, and accessed exclusively by, personnel that are US citizens residing in the US.
European Union Restricted Access: In response to evolving requirements in the European Union (EU) and the European Economic Area (EEA), Oracle has prepared an EU Restricted Access (EURA) hosting environment, located in our Frankfurt and Amsterdam data centers, in which all service management is performed exclusively by EU-based Oracle personnel. Although the EU’s GDPR does not explicitly require data residency in the EU, many customers choose to have their service located in the EURA environment as a risk-mitigation measure, restricting not just data residency but also data access to ensure they are ready for potentially tighter regulation in the future. The European Data Protection Board’s proposed regulation (PDF) and the European Banking Authority regulation are key examples of evolving requirements affecting the European cloud computing market.
Break Glass and Key Management: Oracle Break Glass is an add-on offering that gives subscribers complete control of access to data in their Oracle Fusion cloud service. It randomizes the password and orchestrates an approval workflow for Oracle engineers seeking access to perform service management. Both Oracle management and customer representatives must approve before an engineer can receive temporary access. An audit trail is provided. With a customer-provided key, Break Glass can block any and all access by any Oracle personnel.
In addition to the specific offerings above, Oracle continuously works to ensure our data protection technology, methodology and processes meet the needs of all our customers. If you have other questions regarding SaaS security at Oracle, please know that you have access to our completed Consensus Assessment Initiative Questionnaire (PDF) offering answers to a multitude of common security questions.