With the advent of SaaS, cloud and hosted services, data sovereignty issues have become more prevalent. With the distributed architecture of the cloud, where application
data resides may not be known to the end user. Cloud and SaaS providers may host data in technically efficient locations or locations that make the most commercial sense.
Unfortunately, this location may well not be in the country of residence of the user. The distributed nature of the infrastructure driving these services means that the
data hosted may fall under the laws of a foreign government.
Applications (and your data) may not be hosted where you think
Data hosted within distributed cloud, SaaS and hosted services may not be stored in locations obvious to users. For technical reasons the data may well be stored in a different
jurisdiction or country to the provider. Data hosted in this distributed computing model falls under the laws of the country where said data resides. Unfortunately, this is
not compatible with laws surrounding storage of personally identifiable information in many jurisdictions. What's more, the jurisdiction where your data could be stored may have
much less stringent data privacy laws than your own jurisdiction. This leaves users of these services at the mercy of the provider.
Data Sovereignty Questions
Where is the data stored: Finding out where data is stored is not always obvious for the current generation of cloud and SaaS hosted services. Who makes the decision
on the geographical location of your data? Does your service provider have a mandate to request your consent to move your data interstate or even internationally?
The world of distributed infrastructure running cloud services means that it is difficult to be sure as to the sovereignty of your data when it resides in the hands of a third party.
Local laws: With distributed computing such as the cloud, data hosted by SaaS applications can land in weird and
wonderful places. Whilst this may well keep the costs down, and make access fast, it leaves users' data vulnerable to foreign governments and their associated laws.
Data privacy: Do local laws stipulate data retention mandates? When you move your data off the hosted service, is there a secure
destruction policy? What security controls are in place to protect your data from malicious actors?
Who owns your data: Organizations may well not be aware of the ownership rights over data stored in different sovereign nations.
Data that was protected by strong privacy laws may well not be protected in a foreign jurisdiction. This can make legal challenges to data access indefensible.
Is the data secure: When dealing with third parties, it can be difficult to truly know the security of the data and services they
control. An example of a large data breach at a high-profile file hosting service illustrates the issue. The popular service allowed unfettered access to anyone's
data utilizing any password for a period of 4 hours. It is impossible to know how secure one's data is when it is in the control of a third party.
All it takes is a simple error to expose confidential data to a data breach.
Avoid the Cloud and All Third Parties?
Clearly, avoiding the cloud is not practical. Business productivity, cost, services and superior platforms rule today's data landscape. The only way to ensure that your data is
safe and under your control is to encrypt the data before it lands in the hands of third parties. Without encryption, you are at the mercy of too many factors to ignore.
Encryption is the simplest form of risk mitigation and the safest mechanism to ensure that you always control access to your data, provided the encryption keys stay in your hands rather than the provider's.