Achieving data sovereignty compliance in a multicloud environment

More public bodies are shifting to cloud models, with data sovereignty being one of the key compliance issues they face – but what are the risks of a multicloud environment?

The UK public sector is extending beyond its legacy IT systems to offer greater accessibility to services through cloud applications. However, as this transition to a multicloud environment gathers pace, new challenges in meeting compliance obligations are coming to the fore.

With more public bodies shifting to cloud models, data sovereignty is one of the key compliance issues they face. Data sovereignty is the idea that an organisation’s data should be subject to the compliance and governance regulations of the country from which it originated. For a public organisation based in the UK, the data it processes or stores should be subject to UK regulations, no matter where in the world the data is being stored or processed.

The UK Government Cyber Security Strategy places increasing importance on data sovereignty, which means being able to identify and catalogue critical information and control where the data is stored is essential. But, when data is migrated to the cloud, this control is often lost in the process, exposing public sector organisations to significant gaps in data governance. This can result in a failure to meet regulatory frameworks and fines for the organisation.

Public sector organisations are well aware of their obligations to comply with GDPR (General Data Protection Regulation), which is one of the most far-reaching and stringent pieces of data sovereignty legislation in the world. In fact, many of these organisations went through lengthy and involved projects to ensure GDPR compliance. However, compliance is not a ‘one-and-done’ process, remaining compliant requires a constant evolution of thinking and policy to ensure that emerging practices don’t leave organisations exposed.

Cloud backup and recovery; a challenge for sovereignty

The challenge with cloud models, particularly multicloud environments, is that as the cloud customer you may not have full control of where your data is held. This becomes especially relevant when considering backup. All data must be backed up to protect it against threats such as ransomware but the cloud creates new challenges over the location of replicated copies of the data. This backup data could be stored anywhere in the world, at the whim of the cloud service provider who may not even tell its customers which data centers it’s targeting. You could be breaking your data sovereignty and privacy obligations without knowing it.

A word about dark data

As public services shift to cloud environments, the issue of ‘dark data’ (untagged or unstructured data) and ‘ROT’ data (redundant, obsolete or trivial data) also rears its head, with implications for data sovereignty. There is no known business value to this data but it’s created during business processes and then just sits on servers.

This data can land organisations in regulatory hot water, especially when considering the limitations of continuing to store data under GDPR. As this data is unidentifiable, businesses have no idea if they’re meeting compliance requirements, including data sovereignty.

Furthermore, since dark and ROT data is often left to languish without updated permissions and subject to obsolete security policies it is much more susceptible to breaches.

To avoid these challenges, any cloud migration strategy should include plans for data cleansing and robust data management. Without data visibility, it’s almost impossible to achieve compliance.

Mitigating the risk of sovereignty mishaps

The cloud’s risk to data sovereignty does not outweigh its benefits. Public sector organisations shouldn’t fear a multicloud approach but it’s important for them to be aware of the additional steps they need to take. This means exploring the options with an established and knowledgeable data compliance and protection specialist. One way to protect against a sovereignty breach is to adopt a flexible cloud deployment model where you have control over where the service and data is hosted. However, with many data backup and recovery tools, you have little to no choice of locations. That is where seeking good advice is essential so that you get the right provider for your organisation.

A single-tenant deployment architecture, provisioned in an appropriate region, is ideal for meeting sovereignty requirements. Single-tenancy means that each cloud customer is provided with a dedicated instance of the software application and supporting infrastructure. This provides a secure environment without the risk of data migrating across borders.

Remember – ensuring data, including backup data, is compliant wherever it may reside is the data holder’s responsibility, not the cloud provider’s. Cloud and multicloud environments and infrastructures for data backup and recovery provide myriad benefits but are not challenge-free. When considering the most secure and compliant model for your organisation ensure you are fully aware of the provider’s approach and consider a flexible but dedicated system.

This piece was written by Barry Cashman, Regional VP, UK & Ireland, Veritas.