What enterprises need to know about data sovereignty and data custody

by Bob Butler of IO

3 September 2015

Since former NSA contractor Edward Snowden released a trove of documents revealing the large-scale collection, analysis, and storage of personal data, and with the subsequent discussions about the practices of big commercial data aggregators, “data sovereignty” and “data custody” have become a greater concern for enterprises and individuals.

For the uninitiated, data sovereignty is the question of which country’s laws govern your data. The concept is often taken to mean that your data is subject to the laws of the country in which it is located, but that may not be the case; data sovereignty may instead mean that the data is subject to the laws of the country in which it originated, or the laws of the cloud provider’s sovereign, the country in which the provider is headquartered. In the cloud, data sovereignty can become an issue because different countries have different laws governing the collection, use, storage, and transmission of data within their borders regardless of where it originated. Data custody is about who controls your data; essentially, who has the right – or the obligation – to hand it over if a government comes knocking.

The issues for enterprises are: If you don’t know where your data is, and if you don’t know who controls it, you’re putting the security of your enterprise data, and your customers’ data, at risk. If you don’t know where the servers that hold your data are, you don’t know whose rules you might be beholden to. This also means you cannot reconcile jurisdictional laws in that location with your corporate policies, which exposes your organisation to issues such as non-compliance. The truth is, if your data is held in the databases of the large commercial cloud providers, the likelihood is very small that you even know where your data is, much less have control of it.

See and control your data

Where your data resides and who controls your data matters. Addressing critical data sovereignty and data custody issues is about making fully informed business decisions, such as which geographic or political jurisdictions you want your IT infrastructure to reside in. You may also need to decide which infrastructure model best suits both your needs and the data sovereignty and data custody particulars of the jurisdiction you have chosen. Finally, you should decide the types of security processes and due diligence procedures that need to be put in place to ensure the greatest security and privacy for your data.

Making those fully informed decisions requires that you answer the following questions:

  • Are the laws of the given jurisdiction in sync with your corporate policies and your home jurisdiction’s data laws? If the answer to that question is no, you may not want IT infrastructure in that location, or you may want to operate under tighter control with more robust security than you might otherwise deploy. In this case, your best IT infrastructure solution might be on-premises or off-premises private cloud and end-to-end encryption to secure the data in transit.
  • Is your cloud provider capable of accommodating the laws of the countries in which you do business? If the answer to that question is no, and you want to do business in that given location, you’ll have to figure out how to comply with the local laws. In this case, your best IT infrastructure solution might be colocation in a local data centre or any-premises private cloud.
  • Do any of the locations in which you do business require you to keep their citizens’ data in-country? If the answer to that question is yes, and you want your company to do business in that location, you have to figure out a way to keep the data in-country. In this case, your best IT infrastructure solution might be colocation in a local data centre or any-premises private cloud.
  • Are you prepared to protect enterprise data and government data even in the face of surveillance programs that you’re not aware of? Without knowledge of these programs, it’s impossible to make informed business decisions. So in the face of potential secret programs, pre-emptive measures may be necessary. In this case, your best IT infrastructure solution might be any-premises private cloud and end-to-end encryption to secure the data in transit.
  • Do you know, and are you comfortable with, what your cloud provider would do if the government of any of the countries in which your enterprise data is running or stored asked your cloud provider to turn over your data? There are many reasons an enterprise would decide to use a large cloud services provider. But there are risks that must be accounted for and mitigated. Choose the public cloud after rigorous due diligence but make sure that data is encrypted before it leaves hardware you control and that you or trusted partners exclusively control the encryption keys. Another alternative is any-premises private cloud.

In all of the countries where you do business, are you aware of – and can you accommodate – laws and regulations to keep customer data only within that country’s borders?

If you answer “yes” to this question, you can be confident that you can comply with all applicable laws and regulations. You’ll know – and be able to control – whose rules you are beholden to.

  • Bob Butler is the chief security advisor with IO.