How to simplify your data sovereignty strategy

As global organizations grow, especially in a post-pandemic world, there is inevitably more global interconnectedness and international business occurring. Because of this, many businesses are struggling with issues around data privacy and security - which can create significant risks, costs, and challenges. As countless global companies move to the cloud, data sovereignty is becoming a more complex issue than ever before. 

So what does data sovereignty mean? 

Data sovereignty refers to the idea that data is placed under the jurisdiction of the local laws and policies wherever it is collected, stored, and processed. If your data is being stored or processed overseas or in another country, this can create substantial security risks. Rules and regulations about data vary wildly from country to country, and some can be hard to understand or decipher for your own use. In the United States and the European Union, the specific laws even vary from state to state.

For maximum legal clarity, data protection, and security, many countries opt for storing data in the same legal jurisdiction that their company falls under rather than a foreign jurisdiction. This is because they don’t want their customers' data to be stored with foreign cloud providers under the jurisdiction of other laws - potentially risking the safety and security of sensitive data, like Protected Health Information (PHI) or Personally Identifiable Information (PII). 

However, many large and preferred cloud hosting providers are based in the United States, which can make it difficult for companies to decide what’s best for their data. 

Why is data sovereignty so important? 

Many countries and regions, like New Zealand and the European Union, believe that storing and processing customer data in their own jurisdiction best protects both their citizens and their customers. 

If a company is based in New Zealand or the EU, but chooses to use a hosting or data storage provider based in the U.S., their data is being stored in the U.S. This means that all the data, which belongs to the company, is subject to all data rules and regulations of the United States. When data doesn’t reside in the country of operation, this can create several risks: 

• Issue of data ownership. If data from one country is technically subject to the laws and regulations of another country, who actually owns the data? It still “belongs” to the company - but if it’s subject to a second set of laws, then in some sense it does partially belong to two parties. If an American hosting provider or data center were audited or received a Department of Justice request for information, they would have to share the company’s information. For the New Zealand-based company, this would mean that all of their sensitive customer data would have to be viewed by governing bodies in another country. This would be considered a potentially very serious data breach or security risk.

• Data breaches or threats. If a company’s data was breached, leaked, or hacked, their hosting provider or data storage center might reside in a country that doesn’t require transparency about this issue. This means that a company might never even know that their data had been breached - and they never informed their customers about the risk to their private information. This could cause a myriad of legal issues, especially if the company’s local ordinances require them to inform customers about data breaches. In this situation, the company would be vulnerable to litigation on multiple sides - internal and external.  

• Data access limitations. When storing or processing data in another country, your company may be at risk of losing access to your data or experiencing limitations. Due to factors out of your control, your data could suddenly be inaccessible or limited. If this data is needed on a daily basis for work or company function, this could put your organization in a potentially very bad spot. If the data is overseas, you may struggle for answers and have to wait for lengthy periods before getting answers and resuming accessibility. This can create constraints for your business, panic for your legal department, and worry for your end-users or customers. However, when data resides in your home country, you can follow up about any access issues within your own legal framework - making data security and protection that much easier. 

• Compliance violations. Europe’s GDPR has several strict rules and regulations about transferring and storing data in other countries, and violators of this rule could owe up to $20 million in fines. GDPR makes clear that some violations are more serious than others. The GDPR rules apply to the processing of resident data, no matter where it is. It applies to both data controllers and processors, so if your company uses or provides a Cloud service that handles EU resident data, it’s important to be compliant- or risk serious consequences. 

• Local regulations and law changes. Each country has its own data sovereignty policies, requirements, and preferences. If your company operates internationally, trying to learn and keep track of multiple sets of laws, and changes, can prove nearly impossible. Trying to remain compliant in one country can be hard enough, let alone multiples. You know by now that when data is stored in a certain country, it is subject to all the laws and regulations of the area - meaning that country is the data’s “home.” But did you know that changes to international regulations or your own country’s laws could affect the way you interact with your data? 
  
  
  Depending on the country or law, the changes could result in less access to data, increased risk of threats, PHI loss risk, changes in government involvement with data, and negative impacts on your customer base, and ultimately, your business. With control of where your data is stored and how it’s accessed, organizations can keep tabs on their data in their own local policies and laws - making it easier to assure customers of data security. 

• Auditing complications. Without data sovereignty, audits can be a complicated and stressful process. If your company is audited by someone in your home country, it may be difficult to give them the access they need to data being stored somewhere else. If the audit is being performed by an organization in the country where your data is stored, you may lack awareness and have little control over the process, which is not ideal for your overall security strategy. International audits can be complex, and they can put companies at risk for GDPR violations, or at risk for breaking other privacy laws.

How can I achieve data sovereignty for better security? 

There are four main ways we’ve identified to approach securing data sovereignty and to best protect the privacy of your customers’ data. This isn’t to say there aren’t other options out there, but these are the most common for countries concerned with data sovereignty. 

1. Host and store in your home country. First, you could host your site and apps on infrastructure in your home country with a provider that’s also local. For example, if a New Zealand company runs on Catalyst Cloud, which is New-Zealand based, owned, and operated, they could utilize a data center also in New Zealand.
   
2. Host in a foreign country but store data in your own jurisdiction. You could also host in the infrastructure of a foreign company, but with a local data center that resides in your home country. 
   
3. Host in a foreign country and a preferred foreign data center. If there is a foreign country whose data sovereignty laws you trust and understand completely, it’s also a possibility to host on the infrastructure in that country and utilize a data center there. An organization might choose to do this if the data protection laws and regulations in the foreign country are actually stronger and more robust than in their home country. For example, a lot of European countries that adhere to GDPR laws take data protection and privacy very seriously - making them solid options for data storage locations.
   
4. Use your own data center. The final option is to actually have a data center on-premises at your company, which is a secure but expensive option with far less flexibility, reliability, and security than what cloud providers can offer. 

The “best option” will look different for every company - there is no one right way to host, store, and process data. Location preferences are different in every organization, and we believe you should have the right to choose. The most important thing is that you have the flexibility to choose an option that works for you, your company, your citizens, your customers, and your data.

Dedicated Cloud for data sovereignty 

Companies who value data sovereignty use amazee.io’s Dedicated Cloud, because the Open Source WebOps platform can be run on infrastructure anywhere in the world - that’s at the discretion of your organization. Because amazee.io’s Dedicated Cloud runs within a company’s preferred infrastructure choice, they still maintain control and governance of all data. 

With other vendors, a company is required to run their site and store the associated data on the vendor infrastructure - not the customer’s. In this case, the data stored falls under the jurisdiction of a) where the vendor company is registered, and b) where the data is physically stored. 

A complex example might be that of a New Zealand company hosting their website on a vendor that is a registered Canadian company, but the vendor’s infrastructure is physically located in the United States. In this case, the New Zealand customer data falls under the jurisdiction of the New Zealand laws, the Canadian laws of the vendor, and the United States laws.

Dedicated Cloud was created to solve this problem: Data never leaves the customer’s chosen infrastructure environment, so it’s not stored or processed in another location. It’s your decision where you host and store your data - we’ll simply meet you there, in the safest, most secure, and legally sensible way possible. 

How does amazee.io prioritize data sovereignty?

Data sovereignty is one of our top priorities as an organization, and Dedicated Cloud was designed for maximum data protection and security. We want companies to decide for themselves where their data is stored, and who can access it. 

Dedicated Cloud runs clusters on your preferred infrastructure - whether that’s local or in a country with data sovereignty laws you prefer. 

Here is how we ensure you maintain complete data sovereignty, GDPR compliance, or adherence to your local rules and regulations. 

1. We run where you want to be, anywhere in the world - in your infrastructure and your environment. 
2. We don’t store, keep, or access your data in any way.
3. Data remains entirely in your control. 
4. Instead of taking data out, we act on your infrastructure: we access the infrastructure to run the cluster, keep everything secure, fix any errors, and then we leave. 
5. We help you comply with data sovereignty laws. Because we run where you are, we make it easier to adhere to all the rules and regulations of your preferred region. 
6. Open source makes auditing a breeze compared to auditing proprietary hosting platforms. Since they are not a proprietary vendor, a third-party auditor would have access to the source code and full visibility of the entire infrastructure for the purpose of an audit. 

Another option for security-savvy companies: If you would rather use amazee.io’s infrastructure and run in our cloud environment, we have an option for that, too. With Cloud, we can easily spin up a new public cluster (local to your business) so your data is still yours, protected by your local laws, and easy to reach. 

Ready to take the next step with data sovereignty? 

If your organization is ready to achieve true data sovereignty, it’s easier than you think. Stop worrying about your data’s privacy and security, and start running dedicated clusters on your preferred cloud provider. 

Contact us today to learn more about amazee.io’s cloud options for better data sovereignty.

Don’t miss a post from Thom about data sovereignty - connect with him on LinkedIn.