How do we guarantee that our data remains within the jurisdiction we choose and remains governed by the laws that we are knowledgeable of, during all stages of cloud compute?
What does jurisdiction mean to everyone involved in the cloud compute process and how can we encourage data sovereignty when computing in the cloud?
The laws that govern cloud data have a greater impact on certain organisations and certain data types than on others, and because of the widespread use of cloud as both a storage solution and a compute method, this continues to be an ever-growing concern.
These concerns are understandable, as cloud has broken traditional geographical boundaries and thus jurisdictional barriers. The ease of data transfer, file sharing and collaboration in the cloud increases its use; this is the way in which we now compute, and it is quickly becoming the norm for most organisations.
How do we ensure that provider and consumer remain assured while sharing data in the cloud?
Challenges of Computing in the Cloud
The jurisdictions in which cloud data is stored, and through which it travels, are a pronounced concern for many organisations for a multitude of reasons.
The laws, policies and regulations that govern a particular jurisdiction vary greatly. Each consumer type will also experience differing effects, with some consumers, such as legal organisations, financial entities, and health and government bodies, experiencing a more pronounced impact than others.
You do not need to dig very deep to uncover an incident of compromised data; furthermore, data breaches are becoming more commonplace. Globally, the potential for lawful (in some countries) and unlawful access to data, both enterprise and individual, is on the rise.
Countries are collaborating with each other to achieve mutual agreements by which they can support each other with data access and mutual sharing of data between authorities and countries. Such agreements may include:
- Search, seizure and disclosure of stored data
- Collection of data in transit (real-time)
- Interception of content or communications
Importance of Jurisdiction and Data Sovereignty in Cloud Computing
Cloud technology enables data to spread with great ease. Data is effortlessly and efficiently transferred to multiple locations and is able to reach large numbers of people globally.
There is a continual global shift to improve data transparency. With the ever-changing global data laws, organisations are finding it a mounting necessity to ensure that their data remains within a cloud under their jurisdiction and covered by their legal system. Ultimately they want to maintain control of their data but many are unsure of how to achieve this.
The multiple ways in which we use cloud compute in everyday business make this challenging to achieve. Ensuring that data at rest (stored data) is located within a local cloud can be done using certain providers, but how do you ensure that data in transit does not cross boundaries, through file sharing for example? After all, this is one of the great qualities that cloud delivers.
The following reasons accentuate the importance of jurisdiction when computing in the cloud:
- It’s becoming the consensus that data is subject to the laws of the country/jurisdiction in which it is stored
- Many compliance regulations now mandate that the data must be kept in the country in which the consumer lives (this is convoluted for many organisations, especially those with offices spanning the globe, and goes against a feature of cloud compute)
- Critical documentation, mostly digital, networked and in the cloud, is now more routine (this allows for easier copying of documents and transferring of documents between locations and jurisdictions; data in the wrong hands within the wrong jurisdiction has the potential of being problematic)
- It is easier for foreign complainants and governments to access your data if it is within their own jurisdiction, outside of yours (being granted access to data within your own local jurisdiction is more easily afforded than obtaining access to data under another country's jurisdiction)
- Laws in a foreign country are not likely to be equivalent to the ones in yours (laws differ with respect to access to data and who is permitted to access data; also, laws are not necessarily shared from one country to the next)
- Cloud data storage contract issues may exist and be unfavourable in foreign jurisdictions (attempts to get away from liability without the consumer being aware could occur)
- IT and data security or privacy protections for your data may not be equivalent to what your own jurisdiction offers (policies and regulations vary greatly from one country to another, and countries also vary in how far along they are in implementing their set of regulations; this results in unequal security expectations and commitments across jurisdictions)
- Increased scrutiny, professional liability and risk (the incapacity to produce data when legally sought, or to protect data from undesirable demands, intensifies organisational risk and liability)
- Strategic importance to the organisation (to uphold control of data and circumvent probable damaging consequences)
Jurisdiction, the Cloud Provider and the Cloud Consumer
Data jurisdiction may not previously have impacted all organisations; today, however, jurisdiction concerns are unquestionably all-encompassing and a concern for everyone. The particular jurisdiction has the ability either to reassure and encourage the growth of cloud computing or to suppress it.
Organisations are faced with a growing number of data compliance demands that must be adhered to, and jurisdiction has great influence on many of these.
Organisations may have legal obligations to store data in certain jurisdictions. These may include:
- Contractual obligations
- Technical Reasons
- Customer or partner related obligations
- Security and confidentiality concerns and responsibilities
- Statutory limitation reasons
Providers of cloud services experience all the same concerns experienced by the consumer. On top of those concerns, they are required to fulfil and maintain a trusted relationship with the consumer and ensure that the service they provide always adheres to and supports the requirements of the consumer. Jurisdiction is one of the demands they must support and govern, with the consumer as well as themselves as a business in mind.
Providers can best position themselves through the following approach:
- Involve organisations with regards to data sovereignty issues and use any knowledge gained to better progress how data can be managed to suit the organisation
- Be adaptable with regards to hosting strategies, be vigilant of jurisdiction concerns, and manoeuvre accordingly
- Be transparent, agile and able to integrate seamlessly
- The provider should see data sovereignty as a strategic driver and not a weakness
A Solution to Improve Data Sovereignty
Cloud storage as well as file sharing and collaboration in the cloud require jurisdictional assurance and securing of data to provide data sovereignty.
An organisation should carefully consider the following questions as they pertain to data sovereignty:
- Is the data critical or not?
- Is the data sensitive? The sensitivity of data could affect how and where it is stored or processed in the cloud
- Can I meet the legislative obligations to secure and manage my data?
- Am I knowledgeable of, and do I accept, the privacy laws of the countries that have access to my data?
- Can I retain legal ownership of my data?
- Do I have a strong, approved encryption solution?
- Do I have sole access to my encryption keys? No one else should have access to my encryption keys or have keys to decrypt my data
- The vendor cloud must not weaken my network security posture
The solution needs to facilitate:
- Information security and data protection for all areas of cloud compute
- Protecting organisations and data from outsider threat
- End-to-end assurance and management of potential risk
- Working seamlessly and efficiently so as not to hinder the benefit of cloud sharing
Areas for consideration to assist in achieving this:
- Comprehensive knowledge of laws and regulations: This is indispensable if you are to assure compliance. You need to be knowledgeable of the laws and regulations of all the countries with which you undertake business, as well as the country where your organisation is based. This is especially essential for enterprises that are heavily regulated.
- Keep data local: Ensure that backups of data, and secondary data centres holding replica data for data recovery purposes, reside locally.
- Procure an encryption solution to secure your data at all stages of cloud compute. This should include data at rest (stored data), in transit, shared data, data in session, data on devices and data within all locations. Encrypting data will lessen jurisdiction concerns when data traverses geographical borders.
- Encryption keys should be managed locally so that privacy compliance is assured within your jurisdiction. A process should be in place for key cancellation and destruction.
- Ensure that access to your data is effectively controlled and that even privileged users of the cloud service provider are not allowed access to your data.
- A multilayer approach should be utilised to afford the best possible security effort. Include encryption, two-factor authentication and further measures to thwart data leakage, and include remote wipe functionality.
- Utilise geo-redundancy whenever possible. This ensures data is kept within your jurisdiction and that the compliance required under your operational jurisdiction is met and maintained.
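The checklist above can be turned into a recurring audit of a storage inventory. The following is an added example, not part of the original article or any provider's tooling: the region names, the region-to-jurisdiction map, the inventory and the Store fields are all constructed assumptions, and a real audit would read them from the provider's own inventory export.

```python
from dataclasses import dataclass, field

# Constructed region-to-jurisdiction map; region names are placeholders.
REGION_JURISDICTION = {"au-east-1": "AU", "au-south-1": "AU",
                       "us-west-2": "US", "eu-central-1": "DE"}

@dataclass
class Store:
    name: str
    primary: str
    replicas: list = field(default_factory=list)  # secondary data centres
    backups: list = field(default_factory=list)
    key_custody: str = "provider"  # "customer-local" or "provider"
    key_region: str = ""           # where the key material is held

def audit(stores, home):
    """Return (store, finding) pairs for every copy or key outside `home`."""
    findings = []
    for s in stores:
        copies = [("primary", s.primary)]
        copies += [("replica", r) for r in s.replicas]
        copies += [("backup", r) for r in s.backups]
        for role, region in copies:
            where = REGION_JURISDICTION.get(region)
            if where is None:
                # An unknown location cannot be assured, so it fails closed.
                findings.append((s.name, f"{role}-unknown-jurisdiction"))
            elif where != home:
                findings.append((s.name, f"{role}-outside-{home}"))
        if s.key_custody != "customer-local":
            findings.append((s.name, "keys-not-solely-customer-held"))
        elif REGION_JURISDICTION.get(s.key_region) != home:
            findings.append((s.name, f"keys-outside-{home}"))
    return findings

# Constructed inventory for illustration.
INVENTORY = [
    Store("hr-records", "au-east-1", ["au-south-1"], ["au-south-1"],
          "customer-local", "au-east-1"),
    Store("contracts", "au-east-1", ["us-west-2"], [], "provider"),
    Store("imaging", "au-east-1", [], ["ap-unknown-9"],
          "customer-local", "eu-central-1"),
]

if __name__ == "__main__":
    for store, finding in audit(INVENTORY, "AU"):
        print(f"{store}: {finding}")
```

Replicas and backups are checked separately from the primary copy because they are the copies most often placed in another region by default.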
The basis of effective cloud compute is the efficient flow of data from the user to the cloud and back, together with the means to overcome geographical borders; that is what makes cloud compute so beneficial to organisations.
Regrettably, the ability to transcend geographical and political boundaries has brought on an assortment of jurisdictional insecurities and complexities as well.
It is understood that we cannot have the one (comprehensive cloud benefit) without the other (jurisdictional distresses), and cloud is very much here to stay. Thus we need to push forward and work out how best to address the concerns of jurisdiction and computing across geographical borders in a manner that will support the diverse and fluctuating demands of the multitude of organisations and consumer types.
Organisations must create a secure environment that allows collaboration outside of their trusted base, and must be able to protect their digital documents from unauthorised access, secure their data and allocate responsibility correctly.
A dependable encryption solution is instrumental in achieving this.