By Harish Grama, Global Cloud Practice Leader at Kyndryl
Data is the new gold.
As organizations of all sizes focus more on data privacy and protection, it’s no surprise that sovereign clouds are becoming increasingly popular.
A sovereign cloud operates in a particular country or region and meets a governing body’s data privacy and jurisdictional standards. With a sovereign cloud, all data and metadata stay on sovereign soil, preventing other nations from accessing it. Sovereign clouds provide enhanced security measures, including encryption, access controls, zero trust and network segmentation, which may be tailored to specific countries or regions.
With an increasing number of data privacy regulations being passed and companies becoming more reliant on cloud services for critical IT operations, sovereign clouds will become vital. From complying with regulations to addressing cybersecurity and resiliency needs to the increasing demand for faster, more adaptable applications, the road to sovereign cloud readiness is multifaceted.
Here are four important steps organizations can take to prepare for cloud sovereignty.
Step 1: Understand data sovereignty laws
Do your research. Knowing the data sovereignty laws in the regions where you operate — and understanding how they may change — is a good start.
According to the World Population Review, more than 120 countries have embraced international data privacy laws, regulating data flow, collection, information disclosure and user rights. However, the global landscape for data privacy laws is far from uniform. The European Union (EU) General Data Protection Regulation (GDPR) from 2018 is the most well known. It regulates the collection and use of data about EU citizens and enforces security requirements for personal data, regardless of where it is stored. Australia, China, Indonesia, Japan and Malaysia are among other countries that have implemented data privacy regulations. In the U.S., 12 states have comprehensive data privacy laws or plans for implementation. More states and countries are expected to enact similar laws soon.
It is also important for organizations to keep informed of geopolitical factors, like growing trade disputes or friction between traditional allies, which have the potential to change policies and economies.
Step 2: Find a good partner
Navigating data privacy and protection rules and regulations globally can be challenging and time-consuming, so organizations should not go at it alone. Consultants and system integrators can help you think about the strategic approach. Engaging a team of expert IT consultants or an experienced data services provider early on will help ensure a smoother transition. When selecting a partner, prioritize those with comprehensive capabilities that can offer holistic guidance on your sovereign cloud adoption strategy. Seek partners who can assist in designing and implementing a vendor-agnostic, modular and scalable approach tailored to your organization’s unique needs.
Also, make sure to assess your IT partner's capacity to operate within each country's boundaries, which includes having local delivery personnel and established operational procedures to maintain control over data in-country. From a cybersecurity and resiliency perspective, ensure that your chosen partner considers the entire ecosystem of controls, such as network, endpoints, cloud, applications, IoT devices and identity management.
Step 3: Understand your data
When building a data strategy, it's natural to consider data growth and its useful lifespan. However, you also want to think about what your data sovereignty requirements are. This entails identifying which data falls under sovereignty laws, determining who is authorized to access this data and where they are located, and assessing what levels of encryption and security intelligence are needed. Failing to safeguard sovereign data can have severe consequences, including potential lawsuits and government fines.
To better understand data and its classification, consider:
- Implementing zero-trust security solutions and technology solutions for automated data discovery to identify data subject to sovereignty laws
- Conducting data-discovery exercises
- Comprehending the context and intent of the data
- Classifying data based on sensitivity and classification frameworks
- Deploying protective mechanisms to ensure data sovereignty, operational sovereignty, technical sovereignty and assurance sovereignty
Step 4: Consider a future-looking strategy for sovereign data storage
Now that you know the laws and requirements for countries where you operate, create a dataflow map to define where the data will move. Can it move through the EU to the U.S., or anywhere? In how many countries is data generated and collected? For each country, what type of data must be maintained in-country, and which may move more freely?
You’ll also want to think about the tools needed to prevent data from moving from inside your company to externally, and how you will enforce those policies. Make sure you have the proper balance between controls and costs when creating your strategy. Implementing data sovereignty solutions requires a spectrum of controls to achieve things like data localization to more complex aspects such as addressing the origin of the hardware and chips installed in the server.
Last, as you examine the future of your business and the data you will manage in a sovereign cloud environment, you’ll want to think about some additional questions:
- Is your business going to expand to new countries or regions?
- Is your organization expanding into new services that require edge computing or collecting data on edge devices?
- Are you or will you be implementing artificial intelligence (AI) as part of your business operations?
Sovereign cloud is an evolving and complex topic that reflects the growing importance of data privacy and security. Getting it right has never been more important.