
Sovereign cloud: Protecting data in a complex regulatory environment

This is a contributed piece by Neil Stobart, VP of Global System Engineering for Cloudian.

With data volumes increasing, it’s now common for data to be shared and stored across multiple jurisdictions. Though this can accelerate innovation and improve how we work, it also brings fresh concerns surrounding data sovereignty – a topic that’s come into the spotlight as we’ve become more aware of how organisations collect and store customer data.

In layman’s terms, data sovereignty is a legal principle which says that data is subject to the laws of the country in which it’s stored. It should be a key consideration for organisations that use the public cloud, as hyperscalers’ data centres can be located anywhere in the world.

A sovereign cloud, on the other hand, is cloud infrastructure that’s architected and built to comply with local laws on data privacy, access, and control – and to avoid any conflicting regulatory demands. In practice, this means storing data in the country in which it was collected, or using ‘virtual data spaces’ to enable cross-border data sovereignty.

Building a sovereign cloud can be an effective way for organisations to comply with often conflicting data regulations.

Which data protection regulations apply to your organisation?

When an organisation operates across borders, complying with ever-changing data privacy regulations can prove challenging, as demonstrated by the current regulatory landscape in the UK, EU, and US.

  1. Schrems II (EU and UK)

Until mid-2020, the US and EU participated in a joint Privacy Shield Agreement. This allowed US companies to receive personal data from the EU if they adhered to EU standards on data protection and privacy. However, in July 2020, the Court of Justice of the European Union invalidated this agreement due to concerns about surveillance by US law enforcement agencies. This landmark ruling is known as Schrems II.

Schrems II requires EU companies to conduct individual assessments of each data transfer to a non-EU country. Although the UK has left the EU, Schrems II currently still applies in this jurisdiction. This compels UK companies to find alternative safeguards to the invalidated Data Protection Shield to protect data flows between the UK and US.

  2. GDPR (EU) and The DPA 2018 (UK)

The EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) 2018 are both designed to ensure transparency and security around customer data. As a result, these regulations have implications for data sovereignty.

For example, under GDPR cloud providers must commit to only disclosing personal data based on legal requests made under EU law. For US-based hyperscalers, this creates a clear conflict with the US CLOUD Act (see below). Although hyperscalers can assure customers that their data will be stored within their chosen jurisdiction, they can’t guarantee complete protection from US law enforcement.

  3. The CLOUD Act (USA)

In 2018, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act came into force. This legislation compels US cloud providers to hand over data to government or law enforcement agencies if requested via a warrant, subpoena, or court order – even if the data in question is stored in another country.

  4. The COPO Act 2019 (UK) and Article 49 of GDPR (EU)

It’s worth noting that the UK and EU both have equivalent legislation to the CLOUD Act in place. In the UK, this is the Crime (Overseas Production Orders) (COPO) Act 2019, and in the EU it’s Article 49 of GDPR.

The UK’s COPO Act contains similar principles to the CLOUD Act. However, it goes even further by enabling authorities to compel any cloud provider operating outside the UK to release data to them – provided that the UK has signed a Designated International Cooperation Agreement (DICA) with the country in question.

It’s likely more countries will enact similar legislation, with international organisations potentially having to juggle conflicting legal obligations.

  5. GAIA-X (EU)

Currently in its implementation phase, the GAIA-X Framework has been developed by businesses, government officials, and scientists across Europe. It provides the foundation for a networked system that links many cloud services providers together, in which data is decentralised and federated using next-generation infrastructure and security standards.

Implementing sovereign cloud

Given this complex regulatory landscape, it’s no surprise that organisations’ interest in sovereign cloud is growing. There are two routes available to them – either turning to a regional storage provider that operates within specific national borders or building their own sovereign cloud using on-premises private cloud storage. However, this doesn’t mean organisations need to give up on hyperscalers. Often a hybrid, multi-cloud strategy – combining private and public clouds – is the best approach. This way, organisations can leverage the right cloud for the right workload and take advantage of the breadth of services offered by different cloud providers.
