Data Sovereignty: Balancing Residency Requirements and Access Rights
Global organizations – and the data they collect and use on a daily basis – exist today both within and beyond the traditional physical boundaries of countries. They may have cloud infrastructure that spans the world, but local laws and regulations can still have a big impact on how data needs to be stored and accessed, even if it’s in the cloud.
Data sovereignty is the idea that organizations need to consider the local laws in the region or country in which data is collected. While data sovereignty has grown in importance thanks to regulations like the General Data Protection Regulation (GDPR), companies have had to make considerations regarding data storage and usage well before that. The issue, however, has grown more complex in recent years with increasing regulation and other compliance events like sanctions, as well as macro trends like the continued move to the cloud.
Companies not only have to think about where their data is being stored. They also need an easy way to manage access to data on a region-specific basis and quickly pull audit logs to show compliance with various local regulations and laws.
A More Connected World … and a More Disparate One
Things used to be simpler in an on-premises-only world. Sure, you might have multiple operations in different countries. But for each new operation, you would set up new on-premises infrastructure, and your data would be siloed in that on-premises location in the country you were operating in.
But with modernization efforts and the move to cloud-native SaaS solutions, things have grown more complex for organizations. You might have enterprise-wide environments and infrastructure where data, including keys and other important credentials, are stored. Now you have to work with your SaaS vendors and cloud providers to determine what data you’re storing, where you’re storing it and who has access to those keys and credentials.
Additionally, as I mentioned above, there are now strict data protection regulations that must be complied with. GDPR is the biggest one, requiring any organization operating in the European Union (EU) to follow specific rules when processing the personal data of EU residents. Adopted in 2016, GDPR became the inspiration for several other related regulations in other countries and states, such as the California Consumer Privacy Act (CCPA). As more countries introduce their own flavors of data privacy regulations, it becomes more challenging for organizations to ensure they are in compliance with each local law across their operations.
Beyond that, geopolitical turmoil has also brought data sovereignty to the forefront of organizations’ priority lists as new sanctions require them to quickly stop doing business and processing data in a country where they may have formerly had operations or customers. While that may have once been as simple as a bank closing its regional branch and locking the doors, that bank now has to think about all of the customers in that region who have access to their banking app, as well as all the employees who have access to company resources. How do you quickly revoke access if you need to and prove that you’re no longer operating in sanctioned areas?
Data sovereignty is critical to consider particularly if your organization is:
- Expanding into a new country or region.
- Merging with or acquiring a company that operates in a new country or region.
- Undergoing digital transformation efforts moving you from on-premises infrastructure into the cloud (or multiple clouds).
- Impacted by geopolitical sanctions that require you to stop doing business in a certain country or region.
Granular Access Policies
The challenge many organizations operating in multiple countries face is that they need to balance these data sovereignty requirements with the nature of their modern businesses, in which they’re often using centralized SaaS solutions for tasks like storing secrets, credentials and keys. These centralized solutions help increase operational efficiency for security teams, but organizations still have to ensure they are meeting the requirements of data sovereignty regulations.
Let’s take a look at an example. You’re a company that operates across Europe, including France and Germany. You use a centralized vault to secure your secrets (keys, credentials and more), and you have human users and machine identities that need to access the data in country-specific infrastructure using those secrets. But you need to ensure that France’s keys (and the data they can access) aren’t being granted to accounts in Germany, or vice versa, to remain in compliance with data sovereignty regulations.
Since you’re already using a modern approach for centralized secrets management and non-human access, consider granular access control of your secrets. Similar to role-based access control (RBAC), with these types of controls, you can set up location-based access policies that ensure that those who need access to the data (and only those who need access, based on that region’s laws and regulations) have access. That way you can satisfy compliance requirements while still enjoying the efficiency benefits of using a centralized solution that grants you visibility of your secrets across all of your environments.
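A sketch of the location-based policy described above, as an added example that is not from the original article or any vendor's product: a central vault that refuses cross-region grants and reads, can suspend a region at once, and records every decision for audit. The `RegionalVault` and `Identity` classes, their methods, and the region codes are all hypothetical names chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str    # "human" or "machine"
    region: str  # region the account belongs to, e.g. "FR"

@dataclass
class RegionalVault:
    """Hypothetical central vault enforcing location-based access, deny by default."""
    secrets: dict = field(default_factory=dict)  # secret name -> (region, value)
    grants: set = field(default_factory=set)     # (identity name, secret name)
    suspended: set = field(default_factory=set)  # regions cut off, e.g. by sanctions
    audit: list = field(default_factory=list)    # one record per read attempt

    def store(self, secret, region, value):
        self.secrets[secret] = (region, value)

    def grant(self, who, secret):
        # Reject cross-region grants when they are written, not only when they are used.
        if self.secrets[secret][0] != who.region:
            raise PermissionError("cross-region grant refused")
        self.grants.add((who.name, secret))

    def suspend_region(self, region):
        # Existing grants stay on record but stop working immediately.
        self.suspended.add(region)

    def read(self, who, secret):
        region, value = self.secrets[secret]
        if {region, who.region} & self.suspended:
            reason = "region-suspended"
        elif who.region != region:
            reason = "cross-region"
        elif (who.name, secret) not in self.grants:
            reason = "no-grant"
        else:
            reason = None
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "identity": who.name, "kind": who.kind, "identity_region": who.region,
            "secret": secret, "secret_region": region,
            "decision": "allow" if reason is None else "deny:" + reason,
        })
        if reason is not None:
            raise PermissionError(reason)
        return value

    def audit_for(self, region):
        # Region-scoped extract of the audit trail, e.g. for a compliance request.
        return [e for e in self.audit if region in (e["identity_region"], e["secret_region"])]
```

Store one secret per country, grant it to an identity in the same region, and `read` succeeds only for that pairing; `audit_for("FR")` then returns every allow and deny decision that touched France, including attempts made after `suspend_region("FR")`.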
Kurt Sand is general manager of DevSecOps at CyberArk.