The Doppler Quarterly Spring 2019 | Page 71

As for the three major cloud providers, they have all the tools on hand for you to set up a data protection strategy that complies with the core requirements of the data sovereignty laws you are facing. While these major providers give you the tools, it is your responsibility to use them to protect your data as required. This is akin to giving you a tool belt if you were remodelling a room. You cannot remodel the room unless you learn how to use the tools and then put them into action.

To create a data protection strategy which supports your data sovereignty needs, we recommend following these nine steps:

1. Understand the applicable data residency requirements for your business. Be conservative, and consider data residency requirements for any location where your company operates or has a base of customers. Consult with your legal and/or compliance teams to review your interpretation of these requirements.
2. Define your data assets. Take inventory of all data assets and classify them. Identify those assets that may contain consumer and other private citizens’ data, and any data from highly restrictive countries.
3. Ensure you have a mechanism for tagging this data with its classification. Service providers should support tagging and provide rules engines to help manage such data.
4. Leverage service provider capabilities to limit where restricted data can be located.
5. Deploy “least privileged access” controls to limit access to these data sets.
6. Monitor access to sensitive data and log all activity.
7. Encrypt all your data. Service providers will have keys and other tools to perform base-level encryption. Check to determine if a specific country requires stricter practices with certain kinds of data.
8. Develop a key scoping process. You can determine that you need a key that protects specific data assets or data that might touch a certain geography. That will give you the ability to customize rules to protect data specific to a particular country.
9. Develop a compliance monitoring plan. If your data leaves the region, you have the ability to monitor when it leaves, so you can manage it and ensure that it stays in compliance.

Right now, it is a challenge to navigate all the rules individual countries are developing to ensure their own citizens’ data is being protected to the fullest extent. There are no universal, global standards around data sovereignty on the horizon, and regulations will be getting more stringent. While having one set of rules across all countries would simplify moving to the cloud, nations have their own interests at heart. The challenge will be for them to drop trade barriers, while protecting their national interests.

Developing a structured approach to data protection, including classification, tagging, encryption and monitoring, makes it easier to address data sovereignty needs. Ongoing diligence about which regulations apply to your customer base and operating environment is essential. In addition, your team must understand the tools and capabilities made available by your cloud service provider to help meet your needs. But with our nine-step approach, you can adjust your core data protection strategy to meet any future changes in data sovereignty rules. And once the fear, uncertainty and doubt about data sovereignty are removed, your company can accelerate its cloud adoption and start to realize all the value of cloud’s capabilities.
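Once assets carry a residency tag (step 3), the location, encryption, key-scoping and compliance-monitoring steps (4, 7, 8 and 9) can be checked mechanically against an inventory. The Python below is an added example, not part of the original article or any provider's tooling; the tag names, region names, inventory fields and policy table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy: residency tag -> regions where that data may be stored.
# Tags and region names are constructed placeholders, not provider identifiers.
ALLOWED_REGIONS = {
    "eu-resident": {"region-eu-1", "region-eu-2"},
    "de-resident": {"region-de-1"},
    "unrestricted": {"region-eu-1", "region-eu-2", "region-de-1", "region-us-1"},
}

@dataclass
class Asset:
    name: str
    residency_tag: Optional[str]  # classification tag (step 3); None if untagged
    region: str                   # where the data currently resides
    encrypted: bool
    key_scope: Optional[str]      # residency tag the encryption key is scoped to

def check_asset(asset: Asset) -> list[str]:
    """Return findings for one asset; an empty list means compliant."""
    if asset.residency_tag is None:
        return ["untagged"]                    # cannot be evaluated without a tag
    allowed = ALLOWED_REGIONS.get(asset.residency_tag)
    if allowed is None:
        return ["unknown-tag"]
    findings = []
    if asset.region not in allowed:
        findings.append("out-of-region")       # steps 4 and 9
    if not asset.encrypted:
        findings.append("unencrypted")         # step 7
    elif asset.residency_tag != "unrestricted" and asset.key_scope != asset.residency_tag:
        findings.append("key-scope-mismatch")  # step 8
    return findings

def audit(inventory: list[Asset]) -> dict[str, list[str]]:
    """Map asset name -> findings, listing only non-compliant assets."""
    return {a.name: f for a in inventory if (f := check_asset(a))}

# Constructed sample inventory.
INVENTORY = [
    Asset("crm-customers", "eu-resident", "region-eu-1", True, "eu-resident"),
    Asset("payroll-de", "de-resident", "region-eu-2", True, "eu-resident"),
    Asset("web-logs", None, "region-us-1", False, None),
    Asset("marketing-assets", "unrestricted", "region-us-1", False, None),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Run on a schedule against a real inventory export, a report like this gives the compliance monitoring plan in step 9 a concrete signal for when tagged data has left its permitted region.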