The variety of cloud services that store organizational data continues to proliferate in type and number leading to tension as more governments, policymakers, and organizations consider (or are in the process of) implementing mandates requiring that specific types of data remain within geographical borders.
Many organizations need to navigate these data management compliance mandates while also satisfying the competing needs of expediency, cost-effectiveness and, of course, data security. This situation is complicated by confusion around the concepts of data sovereignty, data residency, and data localization and what approach is needed in a specific case.
Understand the Different Terminology
It might seem pedantic, but a quick search online for data sovereignty, localization, or residency will very quickly highlight a range of different – and not always consistent – definitions around these three concepts. In assessing which one your organization needs, it's important to first understand what each means and where ambiguities in the definitions still exist.
We'll try and clarify the terms as best as possible – as we understand them - and highlight where some of the contradictions and areas of overlap arise.
Data Residency
Residency is concerned purely with the geographic location of specific data. A data residency mandate may require organizations to store specific types of data in a particular location(s). However, some would argue this relates to data localization (see below) and that data residency is just about the location of the data, not the compliance aspect.
Data Localization
Sometimes conflated with data residency, data localization is about ensuring data is stored in the country where it originated in compliance with a data residency requirement.
Some definitions of data localization suggest that it means data needs to be stored in the location where it was generated, but this is a narrower approach and can also be argued to form part of some definitions of data sovereignty (as to which, see below).
Data Sovereignty
Perhaps the term most often used in the security/privacy vernacular at present, data sovereignty, is different from the other two concepts because it brings into consideration the legal framework that applies – or should apply – to a specific data set based on where it is located. Data localization and data residency are not focused on the legal framework that applies, only the location/management of the data.
Data sovereignty also considers the location of the data, but is a broader concept because it also considers the specific jurisdictional laws or set of laws the data is (or should be, if a data sovereignty mandate has been imposed) subject to. In other words, who has control over the data from a legal standpoint?
However, some definitions of data sovereignty also suggest it takes into account whether people outside of the jurisdiction where the data resides can access that data. At the same time, yet other definitions will also suggest that it refers to the need for data to be domiciled in the location where it was created.
This is why, when discussing data sovereignty (or any other data management concepts), it's important first to be clear about the definition being adopted.
Understand Which Form of Data Management You Really Need
It's vital to consider (and obtain advice, if necessary) whether any regulatory or legal mandates place requirements around how you need to manage the specific data you hold.
We often see organizations assume that any regulatory requirements relating to the storing, processing, or handling of data offshore automatically amount to a data sovereignty mandate that restricts not only where it can be stored, but who can access it. However, the details often reveal something different.
For example, in Australia, the Privacy Act 1988 includes a specific privacy principle around cross-border flows of personal information. No specific mandate prevents personal information from being stored or handled overseas as long as you meet certain requirements (see this resource for further details).
Australia's Security of Critical Infrastructure (SOCI) Act 2018 - which Trustwave detailed in this blog – also includes risk management obligations for certain classes of critical infrastructure assets in Part 2A (more information on the specific classes of assets and obligations is available here).
The offshore storing, transmission, or processing of sensitive operational information about a relevant critical infrastructure asset is identified as a material risk that the entity responsible for the operation of the asset needs to manage. There is, however, no specific mandate around data localization or sovereignty (although where the data is stored and who can access it may be taken into account by the entity responsible for the relevant critical infrastructure asset in determining how to manage the risk).
There are also aspects of the European Union's General Data Protection Regulation (GDPR) that relate to personal data flows overseas – these do not mandate data localization or sovereignty per se but do place restrictions on to which jurisdictions personal data can be transferred that has a legal framework in place that offers an adequate level of protection (see article 45). These are just some well-known regulations that do not explicitly mandate data sovereignty or localization.
Naturally, if a specific legal instrument you are subject to has a localization or sovereignty mandate with respect to specific types of data, it needs to be complied with and the discussion largely ends there. In many instances, though, concerns around the location of and access to data are not driven by an explicit legal or regulatory obligation.
However, because of the confusion that exists around data sovereignty, localization, and residency, we see some organizations implementing extreme solutions unnecessarily out of an abundance of caution.
For example, they may store the data in the country in which it was generated and then restrict who can access the data - or the infrastructure supporting the storage/handling of that data - to only those in the same jurisdiction, even when there is no specific legal mandate requiring this. This situation can unnecessarily increase costs, making achieving effective and scalable security more challenging.
Exercise Caution With Claims About Data Sovereignty in Cloud Services
It's also important to be discerning about claims that might be made by some providers or products that provide data sovereignty capabilities.
For example, if an MSSP or SaaS provider uses an outside solution as part of its operation, it may no longer be able to facilitate an organization's compliance with an external or self-imposed mandate around where the data can be accessed from.
This is a model already adopted by large cloud service providers such as Microsoft and Amazon/AWS, who provide onshore data centers but utilize a range of geographies to provide remote support and administration of customer instances.
Achieving a Balanced Approach to Data Management Through Secure Data Residency
Organizations, policymakers, and governments often have concerns that storing highly sensitive data on servers scattered around the world creates security, legal, and access issues. One worry is that data stored outside national borders makes it easier for a political, military, and/or economic adversary to have access to or legal control over the data.
There may be resultant pressure on organizations – both internal and external – to address these concerns. In many instances, though, we believe they can be addressed by implementing a data residency approach that ensures:
- Compliance obligations are met
- The data is stored in a specific location that allays internal and external stakeholder concerns about foreign interference or control
- The security of the data and the assets storing that data is optimized and managed in a cost-efficient and scalable way; and
- Access to the data is still carefully restricted (without a complete prohibition on access to the data - or the infrastructure supporting it - from overseas.)
Consider an organization looking to adopt the strictest definition of data sovereignty with respect to particularly sensitive data assets – one in which data is stored in the location it is generated and cannot be accessed from any other location (including the infrastructure supporting its storage/processing).
Such an organization faces a significant burden to maintain a high level of security over that data. This responsibility can include requiring the organization to have a dedicated team (or hire one based locally) to ensure the effective implementation and operation of controls for securing that data and its supporting infrastructure. They must also be prepared to respond to any incidents involving the data.
If the data assets are particularly sensitive, this may necessitate 24x7 security oversight. This can quickly become an expensive undertaking, or compromises may need to be made – for example, having people working after hours with limited experience managing costs.
Alternatively (and assuming there is no legal obligation that specifically mandates otherwise), an organization can choose to adopt a data residency approach where:
- Data assets and supporting infrastructure are located in a specific location that all stakeholders are comfortable with.
- Access is carefully managed through effective security controls so that only those who need access to the data (or its supporting infrastructure) have access – regardless of location. If there are specific reasons that access to the data needs to be locked down further, this is possible without necessarily restricting where the supporting infrastructure can be accessed from for the purposes of managing its security.
The advantage of such an approach is it also allows for a more efficient, scalable, and cost-effective way of managing the security of particularly sensitive data assets; for example, it can allow an organization to engage a managed security services provider (MSSP) that provides 24x7 monitoring of the data and infrastructure, with the MSSP taking care of ensuring that, at any given time, there are available and appropriately skilled professionals ready to action any security issues that may arise.
This approach enables the organization to take advantage of the economies of scale and cost-effectiveness that using an MSSP provides whilst allaying concerns that may arise if the data were stored offshore.
Conclusion
As cloud storage and global data regulations continue to evolve, organizations must carefully weigh their options and consider the practical implications of different options for managing sensitive data, taking into account any obligations or preferences around data sovereignty, residency, or localization. The path to achieving these goals varies significantly, making it essential to choose a strategy that aligns with your organization's specific needs and resources.
