Data Residency (or Data Sovereignty) pertains to where data is stored from a geographical standpoint. With cloud services, this can mean a location outside the country of origin. The concept of data residency implies that stored data is subject to the laws of the country in which it is held, so the same data can fall under the jurisdiction of more than one country. Typically, data residency rules apply when a business uses a foreign cloud service or a foreign-hosted SaaS provider.
As an example, a local business or retailer may be a branch office of a company based overseas. If the head office handles all billing, data is being sent (transferred) and stored overseas. Examples of such data include credit history, personal information and even health records. Data storage occurs overseas for a variety of reasons, including ease of access to cloud services, lower transaction costs, ease of data backup, and secure storage.
Why Data Residency is an issue
Data Residency matters for the following reasons:
- Complying with data privacy laws for PII & PHI
- Data sovereignty requirements (such as with health data)
- Export laws encompassing data such as ITAR
- General data protection and security
- Data breach notifications
- Contractual obligations such as when handling government data
Data Residency and privacy can only be assured by using locally hosted (not international) services or data centres.
In many countries, the personal and sensitive data of residents must be managed by residents who have the appropriate level of security clearance, who are within the country's borders, and who do so in accordance with local laws.
Meeting Data Residency Requirements
Organizations can efficiently meet Data Residency requirements when utilizing cloud and SaaS applications by securing data before it is transmitted to the end service. Typical Data Residency requirements can be met by adopting the following practices:
- Keep data physically stored within the borders of the country of origin, not overseas.
- Maintain local legal jurisdiction over the data.
- Confine all data storage to onshore data centres.
- Ensure security protocols and systems are in line with local jurisdiction requirements.
- Adopt a local domicile in all aspects of operation of, and access to, the cloud system.
- Use a cloud encryption or tokenization gateway hosted on premises and operating as a Cloud Access Security Broker (CASB) to secure application data prior to transmission overseas.
- Maintain sole access to the data via locally stored encryption keys or token vaults.
- Utilize encryption and/or tokenization to reduce the risk of the data becoming subject to external jurisdictions.
It's important to note that once data moves offshore, it is no longer tightly controlled by its owner. This decoupling of data from its controller makes the data subject to the laws and practices of a foreign country and/or corporation.
StratoKey assists organizations with solutions for data residency, privacy, and security. These solutions work by establishing data infrastructure on premises (or in private cloud environments), while encrypting or tokenizing the data as it is uploaded into offshore SaaS or cloud-hosted services. Examples include data held in Service Management products such as ServiceNow, CRMs such as Salesforce, or ERP systems such as NetSuite. This way, the data itself remains stored within local services (in the customer-hosted environment), and only a substitute in a secured format, such as a token or ciphertext, is transmitted into the cloud-based service. Throughout, the encryption keys and token vaults remain resident in the client's country.
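The on-premises tokenization gateway and local token vault pattern described above, as an added illustration that is not StratoKey's code: a constructed CRM record has its PII fields replaced by random tokens before it leaves the country, and the vault (an in-memory dict here, assumed for the example) restores the plaintext only when the record comes back to a local user.

```python
import secrets
from typing import Dict, Iterable

# Constructed sample CRM ticket: the three PII fields must never leave the country in clear.
SENSITIVE_FIELDS = ("name", "email", "health_id")
SAMPLE_RECORD = {
    "id": "C-1001",
    "subject": "Billing query",
    "name": "Jane Citizen",
    "email": "jane@example.com",
    "health_id": "2345-67890-1",
}

class TokenVault:
    """On-premises token vault: the only place the plaintext exists. In-memory here;
    a real vault is a hardened, access-controlled datastore inside the local jurisdiction."""
    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Random token: carries no information about the plaintext, so the
        # offshore copy is useless to anyone without access to this vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # An unknown token (e.g. a value altered offshore) fails loudly with KeyError.
        return self._by_token[token]

class TokenizationGateway:
    """Gateway in the CASB role, sitting between local users and the offshore SaaS."""
    def __init__(self, vault: TokenVault, sensitive_fields: Iterable[str]) -> None:
        self.vault = vault
        self.sensitive = frozenset(sensitive_fields)

    def outbound(self, record: dict) -> dict:
        # Runs before the record leaves the country: substitute PII with tokens.
        return {k: self.vault.tokenize(v) if k in self.sensitive else v
                for k, v in record.items()}

    def inbound(self, record: dict) -> dict:
        # Runs when the SaaS returns the record to a local user: restore plaintext.
        return {k: self.vault.detokenize(v) if k in self.sensitive else v
                for k, v in record.items()}

def leaks_plaintext(offshore_record: dict, secret_values: Iterable[str]) -> bool:
    """Check whether any sensitive value appears verbatim in what is sent offshore."""
    return any(s in offshore_record.values() for s in secret_values)
```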
Since 2012, StratoKey has assisted clients in meeting data residency, privacy and security needs across a range of verticals such as healthcare, banking, financial services, manufacturing, cybersecurity, education, and technology sectors. If you would like to know more about StratoKey, please contact us or download the StratoKey White Paper.