The Doppler Quarterly Spring 2019 - Page 71

As for the three major cloud providers, they have all the tools on hand for you to set up a data protection strategy that complies with the core requirements of the data sover- eignty laws you are facing. While these major providers give you the tools, it is your responsibility to use them to protect your data as required. This is akin to giving you a tool belt if you were remodelling a room. You cannot remodel the room unless you learn how to use the tools and then put them into action. To create a data protection strategy which supports your data sovereignty needs, we recommend following these nine steps: 1. Understand the applicable data residency require- ments for your business. Be conservative, and con- sider data residency requirements for any location where your company operates or has a base of cus- tomers. Consult with your legal and/or compliance teams to review your interpretation of these requirements. 2. Define your data assets. Take inventory of all data assets and classify them. Identify those assets that may contain consumer and other private citizens’ data, and any data from highly restrictive countries. 3. Ensure you have a mechanism for tagging this data with its classification. Service providers should support tagging and provide rules engines to help manage such data. 4. Leverage service provider capabilities to limit where restricted data can be located. 5. Deploy “least privileged access” controls to limit access to these data sets. 6. Monitor access to sensitive data and log all activity. 7. Encrypt all your data. Service providers will have keys and other tools to perform base-level encryp- tion. Check to determine if a specific country requires stricter practices with certain kinds of data. 8. Develop a key scoping process. You can determine that you need a key that protects specific data assets or data that might touch a certain geography. That will give you the ability to customize rules to protect data specific to a particular country. 9. Develop a compliance monitoring plan. If your data leaves the region, you have the ability to monitor when it leaves, so you can manage it and ensure that it stays in compliance. Right now, it is a challenge to navigate all the rules individ- ual countries are developing to ensure their own citizens’ data is being protected to the fullest extent. There are no universal, global standards around data sovereignty on the horizon, and regulations will be getting more stringent. While having one set of rules across all countries would sim- plify moving to the cloud, nations have their own interests at heart. The challenge will be for them to drop trade barri- ers, while protecting their national interests. Developing a structured approach to data protection, including classification, tagging, encryption and monitor- ing, makes it easier to address data sovereignty needs. Ongoing diligence about which regulations apply to your customer base and operating environment is essential. In addition, your team must understand the tools and capabil- ities made available by your cloud service provider to help meet your needs. But with our nine-step approach, you can adjust your core data protection strategy to meet any future changes in data sovereignty rules. And once the fear, uncertainty and doubt about data sovereignty are removed, your company can accelerate its cloud adoption and start to realize all the value of cloud’s capabilities. SPRING 2019 | THE DOPPLER | 69