Going Cloud? How to deal with the data sovereignty dilemma

Our recent research on Cloud adoption amongst CIOs found that while they see the value in cloud hosting, decision makers are pausing for thought before making the move.

Half of all respondents think that outsourcing to the Cloud frees up time for the IT department to spend on strategic tasks, specifically on innovation plans, development initiatives, forward planning and strategic direction consulting. But the survey highlighted security as the biggest concern in cloud services, with almost 70% of respondents citing data sovereignty as an issue. Recent Price Waterhouse Coopers research supports this finding, highlighting that data security is the biggest barrier to cloud computing. Compliance and data sovereignty issues are very real concerns for decision makers.

What makes data sovereignty such a major concern?
Two recent expert sources highlight the concerns surrounding data sovereignty. Our interview with Dudley Kneller, Partner at Madgwicks, and UNSW’s Board and Executive Officer’s Guide to Data Sovereignty and the Cloud, released in June 2013, uncovered six key concerns:

1. Digital documents become more vulnerable
With documents being digital, moving them and copying them to other locations is easy, quick and non-traceable. Putting valuable data and IP in the hands of others is a concern. The UNSW guide suggests that “if the server location or control is not disclosed by the cloud provider or if it is subject to change without notice, the information is more vulnerable to the risk of being compromised”.

2. Unauthorised access
Your data may be accessible to foreign litigants and governments if their legal framework allows them to access any data within their jurisdiction. Most countries tend to favour access requests when it comes to documents under the control of entities within their jurisdiction. Both Kneller and the UNSW guide refer to the U.S. Patriot Act as the best-known example of legislation that compels cloud vendors to grant government access to their customer data, if required.

3. Changes to national laws and regulations
Kneller reminded us that Australia will introduce new privacy laws in March 2014. Cloud providers will need to be mindful of domestic laws, and take into account changes in the laws of the country hosting their data centres. Essentially, cloud providers need to constantly keep up with both countries’ privacy laws and ensure their offering adheres to both, which may well be challenging and, when faced with conflicting regulations, downright impossible.

4. Varying security standards
Data stored in another country could be subject to differing security standards. For example, some countries of the European Union are part of the international agreements addressing these issues but many countries do not have well-developed online laws. A worldwide standard for data security seems highly unlikely.

5. Unfavourable contracts
Kneller points out that some cloud providers offer generic, off-the-shelf Service Level Agreements to most clients. This essentially means their solution is not likely to match all clients’ needs. The UNSW guide suggests that cloud providers may have contracts with differing liability clauses. Some public Infrastructure-as-a-Service providers may intentionally exclude liability for matters which should typically be their responsibility.

6. Data retrieval processes
Dudley Kneller highlights that the retrieval processes in relation to contract termination are rarely covered in detail within the contract and, in some cases, are poorly managed. Data needs to be stored so that it can be recovered quickly when needed, and produced instantly when required for legal reasons, such as for governmental audit.

Without strategic and comprehensive data sovereignty policies in place, and business processes that ensure compliance, corporations put themselves at risk.

Mitigating the risks
• The UNSW guide concludes that businesses need to undertake a detailed audit of their providers’ background and cloud service offering, including financial condition, infrastructure, data centre locations, security procedures, record of reliability, secure access maintenance, disaster recovery plans and insurance coverage.

• Negotiate the contract to ensure all your main concerns are addressed. Iron out the details on managing sensitive data, storage location, access by other entities, breach notification obligation, disaster recovery, monitoring and termination.

To get more tips on mitigating the risks of data sovereignty for CIOs, read the full Board and Executive Officer’s guide to Data Sovereignty and the Cloud by University of New South Wales and our blog on the interview with Dudley Kneller.

Logicalis has built its Virtual Private Data Centre (LVPDC) with a strong focus on data sovereignty. In order to meet clients’ data sovereignty requirements, Logicalis stores data in Tier 4 data centres within Australia. This is supplemented with advanced networking and security options and integrated disaster recovery and back-up options to ensure the highest standard of data protection. As well as a methodology for migrating customers and customer data onto our Virtual Private Data Centre, we can share with customers our methodology for "off-boarding" customers, should they decide to move their data to another provider or into their own data centre infrastructure.

Learn more about the Logicalis Virtual Private Data Centre or contact one of our consultants.
