This blog is part 1 of our multipart series on data sovereignty in the cloud.
Digital technology trends show that organizations and governments around the world are harnessing the agility and cost savings of cloud technology and adopting a cloud-first strategy for their IT workloads. As cloud maturity continues to accelerate, so has legislation and the policies governing cloud technology, leading to increased emphasis on data sovereignty, and for a good reason. The cloud hasn’t just changed how we use technology. It’s changing how we think about it.
In the past decade, the European Union (EU) has led the way in passing data privacy legislation, namely the General Data Protection Regulation (GDPR), which lays out comprehensive requirements for organizations that collect and process the personal information of individuals in the EU. The combination of rapid cloud adoption and legislation like GDPR has been a catalyst for policy groups and governments worldwide when it comes to safeguarding their citizens’ most valuable resource: Data.
Data sovereignty is a complex topic, and the definition and applicability can vary by region, but a central theme of data sovereignty is empowering organizations and individuals to retain more control over their data. Often discussed as a singular item, we believe data sovereignty is achieved in multiple ways. The following examples contribute to a strong data sovereignty strategy:
- Choice of location: The physical location where the data is stored.
- Cloud isolation: Physical, logical, and network separation to limit sharing of data.
- Access management: Control over access to your data and the underlying infrastructure, both by limiting access and ensuring data availability and portability for those you authorize.
- Operations personnel requirements: Restriction of operations and support to personnel meeting specific security clearance, citizenship, or residency requirements.
- Transparency in data access decisions: Handling and reporting on extraterritorial law enforcement requests for data access, including interactions with local authorities.
- Enhanced hardware and software security: Use of capabilities, such as a hardware security module (HSM), encryption, and confidential computing.
In this blog series, we examine these and other critical aspects of data sovereignty in the cloud. Let’s start by looking at the choice of location, its implications, and the available options.