Dealing with sovereign data in the cloud

It’s Friday, and you’re about to close your laptop and go to happy hour, when you get an urgent e-mail stating that due to data being illegally transported out of the country, the company has been fined $250,000.  

What happened?

As bad luck would have it, your cloud provider backs up the database containing sovereign data to a storage system outside of the country. This is done for a good reason: Relocating data for business continuity and disaster recovery purposes to another region reduces the risk of data loss if the primary region is down. 

Of course, this is not the fault of the cloud provider. This is a common configuration error that occurs primarily because the cloudops team does not understand issues with laws and regulations around data. The database administrator may not have been aware it was happening. Lack of training led to this problem and the quarter million slap in the face.   

Data sovereignty is more of a legal issue than a technical one. The idea is that data is subject to the laws of the nation where it’s collected and exists. Laws vary from country to country, but the most common governance you’ll see is not allowing some types of data to leave the country at any time. Other regulations enforce encryption and how the data is handled and by whom. 

These were pretty easy rules to follow when we had dedicated data centers in each country, but the use of public clouds that have regions and points-of-presence all over the world complicates things. Misconfigurations, lack of understanding, and just general screw-ups lead to fines, impacts to reputations, and, in some cases, disallowing the use of cloud computing altogether.   

Copyright © 2020 IDG Communications, Inc.

Source link