Data Sovereignty: Why it matters and what to know when choosing a cloud strategy

An increasing number of companies throughout India and around the world are moving to the cloud amid the global pandemic. With improved collaboration and productivity for a remote workforce, enhanced cost controls, and boosted security and data governance, the many benefits of the cloud have been easy to see. And while most companies know that effective planning is important for a smooth cloud migration, many may not understand the importance of understanding data sovereignty laws and the impact on choosing a cloud strategy.

Data sovereignty asserts that data is subject to the laws of the region or nation where the data is collected or stored. When data is migrated to the cloud, data sovereignty regulations play an important role in determining how and where the data can be moved.

According to IDC’s 2020 Global DataSphere forecast, the amount of data created over the next three years will be more than the data created over the past 30 years, and the world will create more than three times the data over the next five years than it did in the previous five. This ever-expanding volume of data moving to the cloud and between cloud instances makes data sovereignty an increasingly important topic. In organizations dealing with medical, financial, educational, or governmental data, the security and compliance rules may dictate where data can be stored, even when the data is being stored temporarily during a migration. For example, a government organization may not allow documents and emails to be processed on another country’s servers.

And while India has followed the EU’s General Data Protection Regulation (GDPR), the Indian Personal Data Protection Bill (PDPB), currently under review in Parliament, is expected to expand on the GDPR. This is critical to understand for both companies based in India and global companies operating in India, and the consequences for getting it wrong can be severe.

Given the potential ramifications, there are important things to understand and questions to ask when developing a cloud strategy and selecting a cloud migration partner to assist with the process.

Partner Selection

When planning a cloud migration, it’s important to select a partner that has an established track record of successful migrations and is known to have expertise on proper handling of data and issues surrounding data sovereignty. Cutting corners or failing to effectively vet partners can be a recipe for disaster downstream.

Handling Data in Transit

Understanding the path your data will travel is essential when planning a cloud migration. Some cloud migration partners may route data temporarily through a private data center on its way to the final destination. In this case, it’s important to understand that such a data center may not be as secure as a public cloud offering, and the private data center might be outside of the region or country prescribed by data sovereignty regulations and result in possible non-compliance issues. Given this, you must understand the certification and compliance requirements for your company data and communicate this clearly to your partner to be sure they are able to meet your requirements.

With the complications and risks of storing data abroad, it’s a good idea to choose a solution that makes sure your data doesn’t leave the country. It’s also important to ensure that migration partners and vendors, including MSPs, don’t store your data permanently, whether it be either by writing to a disk or keeping it in a database. New risks are opened any time your data stops during the migration process and you want to be sure it's only stored temporarily and that it's encrypted. A better alternative is to have the partner handle most of the data in application memory.

Security – Encryption and Credentials

Sometimes writing data to a disk can’t be avoided, as might be the case if the destination is slower than the source, causing an overflow of data. In this situation, it’s critical to use strong encryption to secure the data. And once the migration is complete, the data should be removed from the disk immediately to further reduce the vulnerability to theft or non-compliance that exists while data is resting in a less secure environment.

Taking extreme care to ensure migration credentials are handled properly is of utmost importance. Since anyone with the credentials has access to both the source and destination, this creates potential for serious breaches. It’s a good idea to confirm that your migration partner uses best practices and protocols, such as encrypting the credentials when stored. And make sure to create accounts for the partner that are separate from your normal administrator accounts so the accounts can be disabled as soon as the migration is complete.

Post Migration Considerations

After migration is complete, it is essential that migration partners effectively clear all data in a manner that doesn’t leave a potential vulnerability. While deleting the data is a good first step, partners need to take additional steps to destroy not only the data but the operating environment where the data was processed. If a memory footprint is left behind, it may open the opportunity for someone to bring your data back to life.

Another important step is to be proactive about auditing the migration process so you can get in front of any potential issues. If you’re working with an MSP, you can request access to the logs so you can see exactly what was done during the migration. Having the ability to scan for irregularities means that you can proactively address issues vs. reacting as issues arise. MSPs should provide customers with clear reporting for full transparency, enabling trust and future projects.

The benefits of moving to the cloud are numerous and forward-thinking companies understand the competitive advantages they gain from adopting a cloud environment. Ultimately, no other company can decide what’s compliant for you, so it’s your responsibility to know what’s happening with company data and whether that meets compliance and governance policies. Understanding the issues and laws surrounding data sovereignty is an important step in planning an effective cloud strategy and companies that invest the time and attention to get the plan right will be well positioned for the future.

Author: Brad Rosairo, director of business development with BitTitan