Adopting the cloud can provide many benefits for organizations – including cost savings, streamlined application support and the ability to easily scale use and capacity (versus traditional on-premises computing systems). But cloud adoption can also bring its own set of challenges to a corporate IT department’s security strategy. For example, IT executives must now consider data protection and compliance approaches to secure sensitive data that is being processed and stored outside of their control in a cloud environment.
A recent industry survey shows that IT departments have a “heightened awareness” around where exactly cloud data is stored as a result of revelations by Edward Snowden regarding NSA surveillance programs. The physical location of where data is stored is commonly referred to as “data residency” (or data sovereignty) and is an important compliance and security issue for any company conducting business in more than one geographic area.
Depending on the country or group of countries an organization operates in, such as the European Union (EU), there is frequently a specific set of regulations that limits or controls the movement and storage of data outside of the region’s physical borders. Many countries, including China, Canada, Australia and those within the EU, have specific requirements about what data must remain resident within their borders. Since data sovereignty requirements vary by country, companies need to consider the rules that cover each of the jurisdictions they operate in as well as those that govern the locations where their data is processed and stored.
Residency regulations may change over time, so it is important for corporate compliance and security teams to stay up to date on new and evolving requirements. Some leading organizations are using tokenization or encryption technologies to address cloud security, privacy and residency issues. Tokenization is often chosen when residency is a primary concern because it keeps sensitive data local while tokens (replacement data) are sent to the cloud.
Data protection and replacement technologies are one way to satisfy residency requirements while enabling IT departments to meet their own security standards. Of course, any data protection and governance project needs to be well thought through, from solution design all the way through implementation and operation. Make sure to research your cloud service provider’s security methods, know the residency laws of the countries you operate in, and speak to customers who have deployed the technologies you are considering so you can understand and plan for issues ahead of time.