The Four Pillars Of Data Sovereignty Wisdom
- Summary:
- Data security is no longer enough. ServiceNow’s Philip van der Wilt sets out the key priorities for navigating the complex world of data sovereignty.
This new way of being has had a profound impact upon the way both public and private organizations must now manage and care for their data.
It is no longer enough to know that your data is secure; it is no longer enough to know that your data is well managed, optimised and de-duplicated; and it is no longer enough to know that your data is stored with the requisite channels for access based upon defined policy stipulations.
Today we also need to know whether or not our data is compliant with the laws and legislation governing the country in which that data resides. This is the world of data sovereignty.
Ambiguous geopolitical barriers
The advent of data sovereignty and the concerns it throws up have made geopolitical barriers ambiguous. Governments across the world have been working to lay down legislation that reflects the controls needed for this new reality. In simple terms, data sovereignty seeks to specify that information relating to customers, users, or individuals by any definition be kept within the country in which that person resides.
The worry factor here is that a foreign country’s government could subpoena an individual’s information for one reason or another. As we attempt to draw the line at the appropriate level of privacy for any given piece of data, we encounter two major problems.
Firstly, cloud computing has itself (and forgive the expression) clouded our view of where data might be held: cloud providers have not always had to be completely honest and open about where their data centers are located as part of their Service Level Agreements (SLAs).
Secondly, there is no global standard governing data sovereignty and this has merely served to fragment the level of controls that are put in place around the globe.
A looming challenge
In a world of Brexit and the EU’s new General Data Protection Regulation, discussions surrounding data sovereignty have often failed to provide the clarity needed. The onward result of this is that businesses themselves end up struggling to understand the often-incongruous requirements, laws, and regulations that do actually exist.
With the threat of regulatory action looming, how should firms approach the data sovereignty challenge and prepare to take their place in the data-driven economy?
Overcoming the data sovereignty challenge is possible, but only with strategic planning. Here are four pillars or cornerstones upon which every organization can build its new globally-aligned, data sovereignty-aware and data-driven business.
Policy & process politics
Firms need to make a political decision, at board level, to implement policy compliance controls and processes that are capable of scaling and changing to meet the nuances of data sovereignty regulations. These policies should be capable of accommodating new legislation when it changes, or when a business enters a new industry or indeed a new world market.
Local knowledge
Local knowledge counts for a lot in the data sovereignty game. France, Germany, and Russia are agreed to have some of the toughest laws and regulations currently in place. These nations have stipulated that all data relating to their citizens be stored on servers that are physically located in the respective country.
At a similar level, we also know that the finance, healthcare, and government sectors rank as the most exacting ‘industry verticals’ when it comes to data sovereignty. So knowing the shape of the local data landscape can significantly help firms navigate a clear route forward.
Vendor transparency
Firms should make a conscious decision to use IT vendors with a wholly transparent approach to the way they execute their operations. It is important here that each IT vendor has an SLA that is free of ambiguity.
Each IT vendor selected should also offer end-to-end encryption and sophisticated access controls as a security fundamental. All data, both in transit and at rest in the cloud, should be encrypted. Role-based authentication and other granular user controls are also essential here.
Service management
Service management tools can help firms take complete control of their data sovereignty issues by accurately mapping the complete path of information as it traverses around company systems. Part of this will be a process of performing due diligence as firms seek to audit all internal departments and discover where data is being processed, analysed and stored.
It is not a question of ‘beating’ data sovereignty or looking for workarounds. Instead, firms should be using the power of the cloud computing model of service-based IT to reduce costs associated with IT workloads and focus on new operational efficiencies.