Dealing with sovereign data in the cloud

It’s Friday, and you’re about to close your laptop and go to happy hour, when you get an urgent e-mail stating that due to data being illegally transported out of the country, the company has been fined $250,000.  

What happened?

As bad luck would have it, your cloud provider backs up the database containing sovereign data to a storage system outside of the country. This is done for a good reason: Relocating data for business continuity and disaster recovery purposes to another region reduces the risk of data loss if the primary region is down. 

Of course, this is not the fault of the cloud provider. This is a common configuration error that occurs primarily because the cloudops team does not understand issues with laws and regulations around data. The database administrator may not have been aware it was happening. Lack of training led to this problem and the quarter million slap in the face.   

Data sovereignty is more of a legal issue than a technical one. The idea is that data is subject to the laws of the nation where it’s collected and exists. Laws vary from country to country, but the most common governance you’ll see is not allowing some types of data to leave the country at any time. Other regulations enforce encryption and how the data is handled and by whom. 

These were pretty easy rules to follow when we had dedicated data centers in each country, but the use of public clouds that have regions and points-of-presence all over the world complicates things. Misconfigurations, lack of understanding, and just general screw-ups lead to fines, impacts to reputations, and, in some cases, disallowing the use of cloud computing altogether.   

Some best practices are emerging to deal with data sovereignty in the cloud. Data governance systems are worth their weight in gold. When dealing with regulations that are bound to data, these systems will keep you out of trouble since they won’t allow humans to violate data policies that are set to reflect the law of the land where the data resides. 

Training is another critical point. Most of the data sovereignty issues can be traced to human error. Everyone handing the data should be knowledgeable on the regulations. Many countries mandate this.

Take advantage of security systems that are purpose-built to deal with data sovereignty issues. Identity-based security systems can deal with special security needs based on the identity of data, encrypt the data per regulations, and also ensure that it’s not transmitted out of the country or stolen in other ways.  

There’s no real magic bullet here. As countries get more particular about how their data is managed and the pervasive use of international public clouds continues, more issues are bound to arise. Enterprises are well advised to be proactive here, or else things can go sideways quickly.