In our post-Covid world, IT departments allocate significant resources to managing endpoint data. With data stored in the cloud – and an explosion of endpoints acting as extensions – many companies have opted to move the primary residence of their endpoint data to a cloud. Therefore, data sovereignty becomes an issue and leads to a unique set of challenges with corporate data residing in multiple locations. This article by Tim DaRosa, CMO, Zadara examines the strategies companies can adopt to ensure they comply with data sovereignty rules.

A flood of cloud-first strategies continues to gain momentum as critical business functions are continually migrated to the cloud. The trend towards adoption of cloud technologies by organizations of all sizes has opened up markets that might not have made sense for a cloud provider just a few years ago.

In our post-Covid world, IT departments around the world are spending time and resources managing endpoint data. When an employee receives a new laptop, IT must help move data from the old to the new. When a branch server fails, IT must restore data from backup and resume operations. With data stored in the cloud – and an explosion of endpoints acting as extensions – a majority of businesses have increasingly turned to moving the primary residence of their endpoint data to a cloud.

As a result, data sovereignty brings its own unique set of challenges, as corporate data now resides in more locations than ever before. The same set of data may be subject to different laws depending on where it is collected or located and the legal and financial implications of data crossing international borders must be considered in a distributed computing model where data often travels d one part of the business to another.

Considerations also exist for companies with sites in multiple countries who might want data to be shared across multiple regions – backup and disaster recovery come to mind. Many cloud service providers automatically send data to the nearest data center. However, there may be cases where an organization would prefer to limit certain types of data to a region for legal reasons or to ensure data privacy.

Regional Data Sovereignty Bubbles

It should be noted that while sovereignty generally revolves around country-level requirements, there has been a marked growth in the demand for independent countries to group together on the basis of proximity to each other with a interest in creating sovereign clouds at the regional level. Country-level clouds had to be subsidized by governments with substantial commitments to be spent over a set period of time. This is one of the reasons why sovereignty at the regional level, such as Europe, is apparently more achievable than at the level of an individual country.

To meet these data management requirements, many cloud providers have established data centers in multiple regions where the physical distance between the user and the data center is significant. Latency issues, for example, make it likely that organizations generally prefer to have their data stored nearby, in their own country or even in their own city to maximize security and performance.

Below is Gartner’s perspective on the different requirements for cloud sovereignty in the modern enterprise (May 2022).

Source: Gartner

The issue of data sovereignty is one that enterprises and cloud providers grapple with today as cloud services become mainstream. Data residency, or the physical location of corporate data, is not the only attribute influencing sovereignty. Even if the data is stored in an organization’s home country, the provider hosting it is a company subject to foreign laws. It is important to know if and what data may be accessible to foreign governments under information disclosure laws, or it may be disclosed to certain parties in the event of a lawsuit. Businesses should do their due diligence and ensure they know the legal status of their cloud provider and understand the potential for their data exposure.

Organizations should also be aware of industry standard security best practices that are applied to data storage, including IT security and physical security measures. Multi-factor authentication, or even monitoring at the data center level at the entrance, are to be expected to ensure compliance with best practices.

As recently reported in The New York Times, more than 50 countries seek to better control the digital information produced by their citizens, government agencies and businesses. Security, privacy concerns, economic interests, and even border disputes compel governments to do their best to create a fence around data within their borders while creating norms about where that data can and cannot go.

Learn more: Is it time to put your data strategy on a diet?

Data sovereignty must be strategic

All data must be located somewhere. But this can be paradoxical because the essence of cloud computing is to create anytime, anywhere access to information and systems. This can pose a challenge, especially in countries with the strictest data sovereignty laws. In Germany and Russia, for example, private personal data of citizens must be stored on physical servers within their physical jurisdiction.

Issues surrounding data sovereignty – data ownership, control over where that data resides and is shared, and privacy – create a need for technologists, governments and data owners to come together and decide what is acceptable and compliant. As more and more organizations seek out pre-engineered cloud computing solutions to address the particular sovereignty issues they face, cloud providers will continue to pursue the associated learning curve, delivering best practices and solutions as soon as possible. that they will be available.