Is Data Sovereignty the answer to cloud computing risks?
Cloud technology has grown more complex over the years, even as the risk of breaches continues to increase. New and changing laws on data residency and data privacy add further complexity. But is data sovereignty the answer to cloud computing risks?
Government agencies are increasingly demanding that Cloud Service Providers (CSPs) give them access to data, both of enterprises and of individuals. Many users based outside the US are particularly worried that any data they store in a data center in the US, or with a US-based CSP, may be vulnerable to surveillance by US agencies.
A number of CSPs that are based outside the US are taking advantage of these doubts to suggest that domestic data centers may offer a good way to circumvent risks associated with privacy and data residency. As an example, one need only look at SAP. The German software giant announced recently that it was setting up data centers in Canada so that Canadian businesses could use SAP solutions without worrying about US agencies’ access to their data. This approach seems to be successful, and research has indicated that nearly 60% of Canadian businesses prefer to keep their data within the country.
Is this then the way data centers will develop in the future? And, more importantly, is this a correct solution? Will ‘sovereign clouds’ be the right approach to take?
CloudMask research and study do not support this. Let us see why.
To begin with, one important reason large industry embraced cloud computing was to put its data together, make operations more coherent and implement standard business rules. Working from a common data center would simplify workflow and create a single view of its data. If a large enterprise were to split its data into a number of different ‘sovereign clouds’, it would end up creating silos in different countries.
With even smaller businesses having multinational operations, these silos would not be restricted to large enterprises alone. It is also difficult to visualize a situation where cloud providers would be willing to put up data centers in every possible country.
Even if one were to keep data out of data centers in the US, agencies of the US government would still be able to get access to data these CSPs hold. In fact, the situation could be worse: while agencies are subject to transparency and oversight laws in the US, a non-US CSP would be classified as a foreign entity, and the oversight rules will be more relaxed and less enforceable. Insider threats remain the same whether the data is stored in the US or elsewhere. An administrator with the proper privileges could always access data no matter where it is stored.
It is, therefore, clear that a sovereign data model does not address risks associated with data residency and surveillance by governments. Any CSP selling this as a solution has obviously not given the matter deep enough thought. Besides, if a CSP were to provide SaaS solutions from many different locations, it would end up losing cost advantages, efficiency, and agility. While one cannot ignore the risks of data disclosure and government surveillance, simply changing geographic locations of data centers is not a viable solution.