Reliance on Data Residency Is Not Enough

Compliance    | December 2, 2015

Organizations eager to meet privacy and regulatory requirements place far too much emphasis on data residency alone. While it does matter where data is stored, geographic location is not fixed when it comes to the internet.

As organizations move their operations to the cloud, they face the complexities and increasing pressures of protecting sensitive data belonging to them and their customers. Not to mention taking into account local regulatory requirements which often limit where data can be located in order to keep it out of the hands and eyes of prying government policies such as the broad-reaching US Patriot Act.

Borders are porous.

Data leaks from one jurisdiction to another on the way to its final destination. Data is also not solely held; all those bits can be infinitely copied. While the original may reside in a sufficiently approved locale, copies of it can easily exist in unexpected locations. It doesn’t necessarily need to be a malicious act which makes a copy of that data.

Your service providers’ backup or disaster recovery strategies may inadvertently create copies in geographically dispersed data centres for service redundancy and resiliency. What if those data centres are not in a jurisdiction which meets your data residency requirements?

The truth of the matter is.

If your organization is serious about data protection, you cannot solely rely on location and local laws as a means of satisfying your responsibility to your customers to ensure their data is sufficiently protected. Data residency laws alone will not sufficiently solve the problem. They are guidelines and rules. But it isn’t feasible for an organization or their cloud service providers to build datacentres in every country in an attempt to comply with local regulatory requirements either. Even if one could, it would not prevent access to that data from other countries.

Effective data security IS applied in layers.

At a minimum, one must insist that your cloud service providers employ some form of strong encryption in addition to data locale. Organizations serious about protecting their sensitive data and meeting regulatory requirements must ensure that the data remains protected throughout its entire lifecycle.

It is important to consider technologies which render data useless to anyone but its intended recipient from the moment it leaves your organization until the moment it’s consumed. For example, encryption applied during transport as well as storage will protect sensitive information irrespective of where that data ultimately resides. Furthermore, reliable authentication can ensure that only the intended consumer will have the ability to decrypt that data.

Encrypting sensitive data throughout its entire life cycle can relieve the burden for organizations to implement all of the regulatory requirements imposed on data protection from country to country. This significantly simplifies the task of protecting sensitive data.

Encryption provides protection of your customer’s data first and foremost but also facilitates regulatory compliance as a result.