A sovereign Cloud for data compliance, data security and data privacy

Read all about data sovereignty regulations and the implications for data compliance, data security and data privacy in this article.

Written by
Iris Nicolaas
&
Posted on
26
-
09
-
2022
2024

In the opening article of this blog series we covered the importance of data sovereignty and how a sovereign Cloud can support data sovereignty as well as local laws and regulations. In this second article, we will look at how regulations around data sovereignty affect data compliance, data security and data privacy.

Data compliance and sovereignty

Data residency (the physical location of a server) is a central aspect of data sovereignty regulations. In many countries, data residency laws require organisations operating in that country to store citizen data on servers located within the country's borders. If our example company from the first part of this series, Rotterdam Runners, sells shoes to customers from Belgium and Germany, that means they must also store those customers' data on Belgian and German servers. This makes these data residency laws a considerable challenge for multinational companies that have employees and serve customers worldwide.

Laws and regulations surrounding data residency are constantly changing and vary from country to country. To stay compliant with the latest local data governance regulations, multinational companies, such as Rotterdam Runners, need to regularly engage compliance specialists who are up to date with the legislation of the countries in which they operate. And because these laws can change in the blink of an eye, it is important for companies to be flexible enough to hold their own in today's heavily regulated but changing environment. Or as one Fortune 500 CISO believes, ‘A law can change and that can also completely change the way you do business.’ [1]

Around 76% of multinational companies view data compliance as a key Cloud challenge. [2] This sentiment is compounded by the lack of skilled and experienced data compliance staff. Half of the participants in an ISACA survey reported experiencing knowledge gaps around compliance regulations, as well as compliance frameworks and management environments. Another 46% said they currently lack knowledge of privacy-related technology. [3] Addressing these challenges around data compliance will require developing new strategies and tactics.

Data security and privacy

The EU's comprehensive General Data Protection Regulation (GDPR) has inspired many countries to adopt similar data privacy rules. A key provision of the GDPR is the secure handling of personal data. The GDPR requires security policies and procedures to be in place to ensure the confidentiality, integrity and availability of personal data. [4]

When dealing with personal data of your customers, robust data security procedures are crucial. A data breach can lead to identity theft, and destruction of data can wipe out vital financial information and intellectual property. Restricting access to sensitive data is also a fundamental aspect of data security.

A sovereign Cloud can help your organisation implement these strict data access restrictions. Since data in a sovereign Cloud complies with local laws and regulations around data ownership and sovereignty, it is protected from the prying eyes of foreign powers. Also, the security of sovereign Clouds must be regularly audited using an information security management system (ISMS) and be certified to a recognised industry standard. In addition, sovereign Clouds are managed by experienced providers who are well-versed in the advanced security strategies and tactics needed to protect your applications and data from the constantly evolving threats of ransomware and cyber attacks.

A common way to protect your corporate data is to apply microsegmentation with access according to the zero-trust principle. This shuts down communication between workloads unless explicitly authorised. Furthermore, a sovereign Cloud can apply encryption and even be sealed off from the outside world (air-gapped) to keep out external threats. This layered security approach of a sovereign Cloud is the best way to protect your business data and applications from damage, destruction and loss.

In an effort to meet the compliance, security and privacy challenges of local data sovereignty regulations, 81% of executives from industries that are highly regulated have withdrawn all or part of their data and workloads from the Public Cloud. [5] Some of these organisations have moved to a hybrid Cloud approach, while others have returned their data to their own, on-premises servers. However, there is another solution to these challenges.

Fundaments' Dutch sovereign Cloud is built on the VMware Sovereign Cloud Framework, and the team of Dutch compliance and digital security specialists can fill any internal knowledge and skills gap in your organisation. The Fundaments sovereign Cloud allows you to adapt to changing Dutch and EU data legislation at lightning speed while protecting your data from sophisticated cyber threats.

This series consists of four blog articles: every week we will post a new one.

  1. CSO, Data residency laws pushing companies toward residency as a service, January 2022
  2. Flexera 2022 State of the Cloud Report
  3. ISACA, Privacy in Practice 2022, March 2022
  4. NetSec.news, GDPR Security Checklist, consulted August 2022
  5. IDC, commissioned by VMware, Deploying the Right Data to the Right Cloud in Regulated Industries, June 2021
