Tackling the growing web of data residency and privacy regulations
With an increasing number of companies moving to the cloud, we’ve seen a surge in investment by cloud providers to build international datacenters.
While these datacenters surely help with cloud application performance and latency, close investigation shows that building a single datacenter in a country does little to truly help those companies with their growing data residency challenges – in the high-availability, low-latency cloud, it’s rare that data can be constrained to one datacenter.
Compliance professionals realize that privacy and data residency requirements can vary significantly by country, and have become material issues for any enterprise using cloud services where data leaves the country of origin or is in the possession of a foreign-owned cloud provider. For example, Microsoft recently found itself in a drawn out legal battle against the U.S. government, which argued that it had the right to search Microsoft’s data warehouses for data even though they were located outside of the country.
Users of cloud services need to think about where their data will flow during the entirety of its cloud journey, and then dig into each jurisdiction’s rules and regulations, as well as fully understand the home country requirements their cloud provider is subject to based upon its country of incorporation.
Let’s take a look at how three different countries govern data residency and privacy:
The U.S. has hundreds of state- and sector-specific privacy regulations and national data security laws that are enforced. In the last two decades, U.S. federal regulators have enacted strict privacy laws to protect personal information used by organizations in industries including financial services, retail, healthcare, education and defense. For example, the PCI DSS is a widely implemented global security standard that specifies the steps retailers and other organizations must take to secure and protect sensitive information.
These standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. Similarly, the healthcare industry has adopted strict standards including the Health Insurance Portability and Accountability Act (HIPAA). HIPAA outlines regulations around sensitive electronic health care records and other personal information.
German enterprises are finding it especially difficult to take full advantage of the cloud, as data residency regulations in Germany are among the strictest and most complex in the world. The Bundesdatenschutzgesetz, or BDSG, restricts how personal information is collected and specifies how data must be transferred across the German border.
Germany is subject to the Federal Data Protection Act, and the country’s criminal code regulates personal data protection in sectors including telecommunications, healthcare and insurance. On top of the national laws, each of the sixteen German states has its own data protection laws. Due to the extremely complicated restrictions, German enterprises must jump through more hoops than other companies across the globe in order to ensure compliance.
Also, the German Federal Ministry of the Interior published guidelines earlier this year that require cloud providers entering into contracts with German Federal Government agencies to enter into “no spy guarantees” ensuring that no sensitive data will be shared with unauthorized 3rd parties, regardless of where the data resides.
Russia recently joined the growing list of countries passing stricter data residency requirements in order to protect its citizens’ personal information. The State Duma of the Federal Assembly of the Russian Federation passed the new law that impacts any foreign cloud service used by Russians. It requires those services to store all Russian citizen data within Russia – meaning any cloud service that houses the personal data of Russian citizens must have physical servers, primary and backups, located within the Russian Federation.
Regulated data will not be allowed to leave the country’s borders without meeting extremely strict requirements. While this law does not go into effect until 2016, enterprises are nonetheless putting processes and systems in place that will enable them to be compliant with these new standards.
How can enterprises combat this myriad of international data privacy and residency requirements? In cloud environments, where data can flow like water across datacenters physically located in various parts of the world, organizations have turned to proven technologies such as tokenization to ensure that they are abiding by data sovereignty and privacy regulations while providing the utmost in cloud security and data control.
Tokenization can be used to keep sensitive data local (resident) while tokens (replacement data) are stored and processed in the cloud, ensuring regulated and sensitive data never leaves the country of origin and cannot be exposed without the enterprise’s knowledge. The unique security benefits of tokenization are quickly making it the de facto standard for addressing an increasingly complex web of data residency and sovereignty regulations appearing around the globe.
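The split described above, as an added sketch that is not code from the article or from any vendor: regulated fields are swapped for random tokens before a record goes to the cloud, and the token-to-value map stays in-country. The class and function names, the `tok_` prefix, the field names and the in-memory dict standing in for an in-country database are all assumptions.

```python
import secrets

TOKEN_PREFIX = "tok_"  # constructed marker so tokens are recognisable in cloud data


class LocalTokenVault:
    """Token <-> value map that is kept in the country of origin.

    A dict stands in for an in-country database (assumption for this sketch).
    """

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so the cloud side can still
        # match and join records on the tokenized field.
        if value in self._by_value:
            return self._by_value[value]
        # Random token: no mathematical relation to the value, so it cannot
        # be reversed without access to this vault.
        token = TOKEN_PREFIX + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # KeyError for tokens this vault never issued


def to_cloud(record: dict, regulated: set, vault: LocalTokenVault) -> dict:
    """Copy of record with regulated fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in regulated else v
            for k, v in record.items()}


def from_cloud(record: dict, vault: LocalTokenVault) -> dict:
    """Restore original values for tokenized fields, inside the boundary."""
    return {k: vault.detokenize(v)
            if isinstance(v, str) and v.startswith(TOKEN_PREFIX) else v
            for k, v in record.items()}


# Constructed sample record; field names are illustrative.
REGULATED_FIELDS = {"name", "national_id"}
SAMPLE = {"name": "Erika Mustermann", "national_id": "T22000129",
          "plan": "premium"}
```

Only the output of `to_cloud` crosses the border; anyone holding the cloud copy without the vault sees the unregulated `plan` field and two opaque tokens.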