Those who try to live by the rule ‘keep it simple’ would likely pull their hair out in frustration if they had to navigate the world of emerging data residency laws. The actual physical location of data is no longer cut and dry, as electronic forms of information and in particular, the cloud, have changed the entire IT landscape (for the greater good in this author’s opinion).
For years now, electronic information has moved around globe in an instant, helping us purchase goods/services, transfer healthcare and financial documents and share a slew of enterprise data of varying degrees of sensitivity. The cloud has taken this sharing one step further, empowering access to data from just about anywhere, and from any device with an internet connection. Since this data can be accessed and more importantly ‘stored’ in the cloud, how do you determine where the actual data resides? This is where things get interesting.
Moving Data to the Cloud
The cloud empowers us with the flexibility to access data anytime and anywhere, but it’s where that data actually is processed and resides (think servers) that is driving debate and confusion between technologists, regulators and cloud users. To get a grasp of the issue, several countries have begun to implement data residency laws that restrict the flow of certain types of sensitive information outside the boundaries of their countries and limit who can access that information and from what locations.
Cloud data residency is defined as maintaining control over the location where regulated data and documents physically reside. While privacy and data residency requirements vary by country, users of cloud services need to consider the rules that cover each of the jurisdictions they operate in as well as the rules that govern the treatment of data at the locations where the cloud service provider(s) provision their services (eg, their data centers).
To illustrate the magnitude of the challenge, consider a German healthcare organization placing patient data in the cloud service of a US provider with the primary data center in France and the backup stored in the United States. Data flowing freely would bring not only German laws into play, but also those of France and the United States. Whose laws rule the data at any given time? What happens when the laws contradict one another? The cloud is the equivalent of opening Pandora’s Box for the enterprise’s data compliance and privacy professionals.
"Users of cloud services need to consider the rules that cover each of the jurisdictions they operate in"
Before moving critical and often sensitive enterprise data to the cloud, global organizations need to thoroughly vet and understand data privacy laws, including those their cloud provider may be subject to regardless of where the data is in their cloud infrastructure.
Managing Data Residency and Privacy Challenges
So what can companies do to ensure that they are still able to reap the benefits of the cloud while overcoming the complexity of data residency and privacy regulations? A growing number of global operations rely on tokenization to secure their sensitive data and comply with these sorts of laws. Tokenization is a process by which a sensitive data field, such as a patient’s first and last name or scanned x-ray images from a medical record, is replaced with surrogate values called tokens.
Tokenization helps solve the data residency issue of storing and processing data in a cloud located outside of an enterprise’s home country borders because it is not the data itself, but a meaningless string of characters (tokens), that is processed and stored in the foreign country-based cloud. Unlike encrypted values that can be unlocked via the use of a key, strong tokens cannot be reversed back to their original values without access to the ‘look-up’ table within the enterprise that matches them up to their original values.
By adopting tokenization technology in this fashion, organizations can retain the agility and scalability benefits of the cloud. And these gateways, that are part of a fast growing technology space that Gartner refers to as Cloud Access Security Brokers (CASBs), still allow cloud application end-users to access all of the cloud functionality they require, like searching on data and creating reports, even when data has been tokenized to address data residency concerns.
Ensuring the Compliance, Security and Performance of Global Cloud Data
Organizations across the globe will continue to move data to the cloud to reduce costs and improve the flexibility of their IT infrastructures. However, before making the jump, understanding the potential business impact of data residency laws is becoming a must-do step in the project planning process. Once the regulations are clearly understood, enterprises will find that there are innovative technologies that will help move their programs along. When moving to the cloud, the right preparation and security technology can indeed help to keep it simple.
David Canellos is president and CEO of Perspecsys, a provider of cloud data protection solutions