Understanding the Implications of Data Sovereignty and Why Data Residency may be a Better Choice for Your Business

The variety of cloud services that store organizational data continues to proliferate in type and number, leading to tension as more governments, policymakers, and organizations consider (or are in the process of) implementing mandates requiring that specific types of data remain within geographical borders.

 

Many organizations need to navigate these data management compliance mandates while also satisfying the competing needs of expediency, cost-effectiveness and, of course, data security. This situation is complicated by confusion around the concepts of data sovereignty, data residency, and data localization and what approach is needed in a specific case.

 

Understand the Different Terminology

 

It might seem pedantic, but a quick search online for data sovereignty, localization, or residency will very quickly highlight a range of different – and not always consistent – definitions around these three concepts. In assessing which one your organization needs, it's important to first understand what each means and where ambiguities in the definitions still exist.

 

We'll try to clarify the terms as best we can – as we understand them – and highlight where some of the contradictions and areas of overlap arise.

 

Data Residency 

 

Residency is concerned purely with the geographic location of specific data. A data residency mandate may require organizations to store specific types of data in a particular location(s). However, some would argue this relates to data localization (see below) and that data residency is just about the location of the data, not the compliance aspect. 

 

Data Localization 

 

Sometimes conflated with data residency, data localization is about ensuring data is stored in the country where it originated in compliance with a data residency requirement. 

 

Some definitions of data localization suggest that it means data needs to be stored in the location where it was generated, but this is a narrower approach and can also be argued to form part of some definitions of data sovereignty (as to which, see below).

 

Data Sovereignty 

 

Perhaps the term most often used in the security/privacy vernacular at present, data sovereignty is different from the other two concepts because it brings into consideration the legal framework that applies – or should apply – to a specific data set based on where it is located. Data localization and data residency are not focused on the legal framework that applies, only the location/management of the data.

 

Data sovereignty also considers the location of the data, but is a broader concept because it also considers the specific jurisdictional laws or set of laws the data is (or should be, if a data sovereignty mandate has been imposed) subject to. In other words, who has control over the data from a legal standpoint? 

 

However, some definitions of data sovereignty also suggest it takes into account whether people outside of the jurisdiction where the data resides can access that data. At the same time, yet other definitions will also suggest that it refers to the need for data to be domiciled in the location where it was created. 

 

This is why, when discussing data sovereignty (or any other data management concepts), it's important first to be clear about the definition being adopted.

 

Understand Which Form of Data Management You Really Need

 

It's vital to consider (and obtain advice, if necessary) whether any regulatory or legal mandates place requirements around how you need to manage the specific data you hold.  

 

We often see organizations assume that any regulatory requirements relating to the storing, processing, or handling of data offshore automatically amount to a data sovereignty mandate that restricts not only where it can be stored, but who can access it. However, the details often reveal something different.

 

For example, in Australia, the Privacy Act 1988 includes a specific privacy principle around cross-border flows of personal information. No specific mandate prevents personal information from being stored or handled overseas as long as you meet certain requirements (see this resource for further details).

 

Australia's Security of Critical Infrastructure (SOCI) Act 2018 – which Trustwave detailed in this blog – also includes risk management obligations for certain classes of critical infrastructure assets in Part 2A (more information on the specific classes of assets and obligations is available here).

 

The offshore storing, transmission, or processing of sensitive operational information about a relevant critical infrastructure asset is identified as a material risk that the entity responsible for the operation of the asset needs to manage. There is, however, no specific mandate around data localization or sovereignty (although where the data is stored and who can access it may be taken into account by the entity responsible for the relevant critical infrastructure asset in determining how to manage the risk).

 

There are also aspects of the European Union's General Data Protection Regulation (GDPR) that relate to personal data flows overseas. These do not mandate data localization or sovereignty per se, but do restrict the jurisdictions to which personal data can be transferred to those that have a legal framework in place offering an adequate level of protection (see Article 45). These are just some well-known regulations that do not explicitly mandate data sovereignty or localization.

 

Naturally, if a specific legal instrument you are subject to has a localization or sovereignty mandate with respect to specific types of data, it needs to be complied with and the discussion largely ends there. In many instances, though, concerns around the location of and access to data are not driven by an explicit legal or regulatory obligation. 

 

However, because of the confusion that exists around data sovereignty, localization, and residency, we see some organizations implementing extreme solutions unnecessarily out of an abundance of caution. 

 

For example, they may store the data in the country in which it was generated and then restrict who can access the data - or the infrastructure supporting the storage/handling of that data - to only those in the same jurisdiction, even when there is no specific legal mandate requiring this. This situation can unnecessarily increase costs, making achieving effective and scalable security more challenging. 

 

Exercise Caution With Claims About Data Sovereignty in Cloud Services

 

It's also important to be discerning about claims some providers or products might make that they provide data sovereignty capabilities.

 

For example, if an MSSP or SaaS provider uses an outside solution as part of its operation, it may no longer be able to facilitate an organization's compliance with an external or self-imposed mandate around where the data can be accessed from.

 

This is a model already adopted by large cloud service providers such as Microsoft and Amazon/AWS, who provide onshore data centers but utilize a range of geographies to provide remote support and administration of customer instances.

 

Achieving a Balanced Approach to Data Management Through Secure Data Residency

 

Organizations, policymakers, and governments often have concerns that storing highly sensitive data on servers scattered around the world creates security, legal, and access issues. One worry is that data stored outside national borders makes it easier for a political, military, and/or economic adversary to have access to or legal control over the data.

 

There may be resultant pressure on organizations – both internal and external – to address these concerns. In many instances, though, we believe they can be addressed by implementing a data residency approach that ensures:

  • Compliance obligations are met
  • The data is stored in a specific location that allays internal and external stakeholder concerns about foreign interference or control
  • The security of the data and the assets storing that data is optimized and managed in a cost-efficient and scalable way; and
  • Access to the data is still carefully restricted (without a complete prohibition on access to the data – or the infrastructure supporting it – from overseas).

 

Consider an organization looking to adopt the strictest definition of data sovereignty with respect to particularly sensitive data assets – one in which data is stored in the location it is generated and cannot be accessed from any other location (including the infrastructure supporting its storage/processing). 

 

Such an organization faces a significant burden to maintain a high level of security over that data. This responsibility can include requiring the organization to have a dedicated team (or hire one based locally) to ensure the effective implementation and operation of controls for securing that data and its supporting infrastructure. They must also be prepared to respond to any incidents involving the data. 

 

If the data assets are particularly sensitive, this may necessitate 24x7 security oversight. This can quickly become an expensive undertaking, or compromises may need to be made – for example, managing costs by having people with limited experience working after hours.

 

Alternatively (and assuming there is no legal obligation that specifically mandates otherwise), an organization can choose to adopt a data residency approach where:

  • Data assets and supporting infrastructure are located in a specific location that all stakeholders are comfortable with.
  • Access is carefully managed through effective security controls so that only those who need access to the data (or its supporting infrastructure) have access – regardless of location. If there are specific reasons that access to the data needs to be locked down further, this is possible without necessarily restricting where the supporting infrastructure can be accessed from for the purposes of managing its security.

 

The advantage of such an approach is that it also allows for a more efficient, scalable, and cost-effective way of managing the security of particularly sensitive data assets. For example, it can allow an organization to engage a managed security services provider (MSSP) that provides 24x7 monitoring of the data and infrastructure, with the MSSP ensuring that, at any given time, appropriately skilled professionals are available and ready to action any security issues that may arise.

 

This approach enables the organization to take advantage of the economies of scale and cost-effectiveness that using an MSSP provides whilst allaying concerns that may arise if the data were stored offshore. 

 

Conclusion

 

As cloud storage and global data regulations continue to evolve, organizations must carefully weigh their options and consider the practical implications of different options for managing sensitive data, taking into account any obligations or preferences around data sovereignty, residency, or localization. The path to achieving these goals varies significantly, making it essential to choose a strategy that aligns with your organization's specific needs and resources.
