Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Understanding the Implications of Data Sovereignty and Why Data Residency may be a Better Choice for Your Business

The variety of cloud services that store organizational data continues to proliferate in type and number leading to tension as more governments, policymakers, and organizations consider (or are in the process of) implementing mandates requiring that specific types of data remain within geographical borders. 


Many organizations need to navigate these data management compliance mandates while also satisfying the competing needs of expediency, cost-effectiveness and, of course, data security. This situation is complicated by confusion around the concepts of data sovereignty, data residency, and data localization and what approach is needed in a specific case.


Understand the Different Terminology


It might seem pedantic, but a quick search online for data sovereignty, localization, or residency will very quickly highlight a range of different – and not always consistent – definitions around these three concepts. In assessing which one your organization needs, it's important to first understand what each means and where ambiguities in the definitions still exist.


We'll try and clarify the terms as best as possible – as we understand them - and highlight where some of the contradictions and areas of overlap arise.


Data Residency 


Residency is concerned purely with the geographic location of specific data. A data residency mandate may require organizations to store specific types of data in a particular location(s). However, some would argue this relates to data localization (see below) and that data residency is just about the location of the data, not the compliance aspect. 


Data Localization 


Sometimes conflated with data residency, data localization is about ensuring data is stored in the country where it originated in compliance with a data residency requirement. 


Some definitions of data localization suggest that it means data needs to be stored in the location where it was generated, but this is a narrower approach and can also be argued to form part of some definitions of data sovereignty (as to which, see below).


Data Sovereignty 


Perhaps the term most often used in the security/privacy vernacular at present, data sovereignty, is different from the other two concepts because it brings into consideration the legal framework that applies – or should apply – to a specific data set based on where it is located. Data localization and data residency are not focused on the legal framework that applies, only the location/management of the data. 


Data sovereignty also considers the location of the data, but is a broader concept because it also considers the specific jurisdictional laws or set of laws the data is (or should be, if a data sovereignty mandate has been imposed) subject to. In other words, who has control over the data from a legal standpoint? 


However, some definitions of data sovereignty also suggest it takes into account whether people outside of the jurisdiction where the data resides can access that data. At the same time, yet other definitions will also suggest that it refers to the need for data to be domiciled in the location where it was created. 


This is why, when discussing data sovereignty (or any other data management concepts), it's important first to be clear about the definition being adopted.


Understand Which Form of Data Management You Really Need


It's vital to consider (and obtain advice, if necessary) whether any regulatory or legal mandates place requirements around how you need to manage the specific data you hold.  


We often see organizations assume that any regulatory requirements relating to the storing, processing, or handling of data offshore automatically amount to a data sovereignty mandate that restricts not only where it can be stored, but who can access it. However, the details often reveal something different.


For example, in Australia, the Privacy Act 1988 includes a specific privacy principle around cross-border flows of personal information. No specific mandate prevents personal information from being stored or handled overseas as long as you meet certain requirements (see this resource for further details).


Australia's Security of Critical Infrastructure (SOCI) Act 2018 - which Trustwave detailed in this blog – also includes risk management obligations for certain classes of critical infrastructure assets in Part 2A (more information on the specific classes of assets and obligations is available here). 


The offshore storing, transmission, or processing of sensitive operational information about a relevant critical infrastructure asset is identified as a material risk that the entity responsible for the operation of the asset needs to manage. There is, however, no specific mandate around data localization or sovereignty (although where the data is stored and who can access it may be taken into account by the entity responsible for the relevant critical infrastructure asset in determining how to manage the risk).


There are also aspects of the European Union's General Data Protection Regulation (GDPR) that relate to personal data flows overseas – these do not mandate data localization or sovereignty per se but do place restrictions on to which jurisdictions personal data can be transferred that has a legal framework in place that offers an adequate level of protection (see article 45). These are just some well-known regulations that do not explicitly mandate data sovereignty or localization.


Naturally, if a specific legal instrument you are subject to has a localization or sovereignty mandate with respect to specific types of data, it needs to be complied with and the discussion largely ends there. In many instances, though, concerns around the location of and access to data are not driven by an explicit legal or regulatory obligation. 


However, because of the confusion that exists around data sovereignty, localization, and residency, we see some organizations implementing extreme solutions unnecessarily out of an abundance of caution. 


For example, they may store the data in the country in which it was generated and then restrict who can access the data - or the infrastructure supporting the storage/handling of that data - to only those in the same jurisdiction, even when there is no specific legal mandate requiring this. This situation can unnecessarily increase costs, making achieving effective and scalable security more challenging. 


Exercise Caution With Claims About Data Sovereignty in Cloud Services


It's also important to be discerning about claims that might be made by some providers or products that provide data sovereignty capabilities. 


For example, if an MSSP or SaaS provider uses an outside solution as part of its operation, it may no longer be able to facilitate an organization's compliance with an external or self-imposed mandate around where the data can be accessed from.


This is a model already adopted by large cloud service providers such as Microsoft and Amazon/AWS, who provide onshore data centers but utilize a range of geographies to provide remote support and administration of customer instances.


Achieving a Balanced Approach to Data Management Through Secure Data Residency


Organizations, policymakers, and governments often have concerns that storing highly sensitive data on servers scattered around the world creates security, legal, and access issues. One worry is that data stored outside national borders makes it easier for a political, military, and/or economic adversary to have access to or legal control over the data.


There may be resultant pressure on organizations – both internal and external – to address these concerns. In many instances, though, we believe they can be addressed by implementing a data residency approach that ensures:

  • Compliance obligations are met
  • The data is stored in a specific location that allays internal and external stakeholder concerns about foreign interference or control
  • The security of the data and the assets storing that data is optimized and managed in a cost-efficient and scalable way; and
  • Access to the data is still carefully restricted (without a complete prohibition on access to the data - or the infrastructure supporting it - from overseas.)


Consider an organization looking to adopt the strictest definition of data sovereignty with respect to particularly sensitive data assets – one in which data is stored in the location it is generated and cannot be accessed from any other location (including the infrastructure supporting its storage/processing). 


Such an organization faces a significant burden to maintain a high level of security over that data. This responsibility can include requiring the organization to have a dedicated team (or hire one based locally) to ensure the effective implementation and operation of controls for securing that data and its supporting infrastructure. They must also be prepared to respond to any incidents involving the data. 


If the data assets are particularly sensitive, this may necessitate 24x7 security oversight. This can quickly become an expensive undertaking, or compromises may need to be made – for example, having people working after hours with limited experience managing costs. 


Alternatively (and assuming there is no legal obligation that specifically mandates otherwise), an organization can choose to adopt a data residency approach where:

  • Data assets and supporting infrastructure are located in a specific location that all stakeholders are comfortable with.
  • Access is carefully managed through effective security controls so that only those who need access to the data (or its supporting infrastructure) have access – regardless of location. If there are specific reasons that access to the data needs to be locked down further, this is possible without necessarily restricting where the supporting infrastructure can be accessed from for the purposes of managing its security.


The advantage of such an approach is it also allows for a more efficient, scalable, and cost-effective way of managing the security of particularly sensitive data assets; for example, it can allow an organization to engage a managed security services provider (MSSP) that provides 24x7 monitoring of the data and infrastructure, with the MSSP taking care of ensuring that, at any given time, there are available and appropriately skilled professionals ready to action any security issues that may arise. 


This approach enables the organization to take advantage of the economies of scale and cost-effectiveness that using an MSSP provides whilst allaying concerns that may arise if the data were stored offshore. 




As cloud storage and global data regulations continue to evolve, organizations must carefully weigh their options and consider the practical implications of different options for managing sensitive data, taking into account any obligations or preferences around data sovereignty, residency, or localization. The path to achieving these goals varies significantly, making it essential to choose a strategy that aligns with your organization's specific needs and resources.

Latest Trustwave Blogs

Trustwave’s Observations on the Recent Cyberattack on Aliquippa Water Treatment Plant

The attack last week on the Municipal Water Authority in Aliquippa, Penn., that gave threat actors access to a portion of the facility’s pumping equipment has spurred the Cybersecurity &...

Read More

How Trustwave Can Assist Tribal Governments Applying for $18 Million in DHS Cybersecurity Grants

Tribal governments are among the most underserved organizations in the US when it comes to cybersecurity preparation, with threat actors striking multiple tribes with a variety of cyberattacks.

Read More

Trustwave Backs New CISA, NCSC Artificial Intelligence Development Guidelines

The U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC) today jointly released...

Read More