C-Suite and the data centre: The questions to ask about data sovereignty and custody

As enterprises consider a broader range of IT deployment options, many of them intrinsically global cloud applications, issues such as data sovereignty (the question of which country's laws govern your data) and data custody (who controls your data) have increasingly come into play.

It's been more than a year now since former NSA contractor Edward Snowden released a trove of documents revealing the large-scale collection, analysis, and storage of personal data on US citizens and foreigners. Much of that personal data came out of the data centres of telecommunications, Internet, and cloud service providers. In that time, the topics of "data sovereignty" and "data custody" have escalated from the corner of the IT department to centre stage in the boardroom.

The importance of where and who

When your IT infrastructure is located on your premises or colocated with a data centre provider, there's no question where your data is. You have the key to the cabinet; the answer to the question, "who has custody?" Is easy, it's you. But when any of your data applications or infrastructure are in the cloud it can be difficult or impossible to say where in the world your data resides, much less where it has been. The amount of control you have over your data depends on the laws of the country where it is, and the policies of the cloud service provider.

Read more: Physical location of data will be irrelevant in post-Snowden age

Whether your focus as an enterprise executive is on growing the business, or keeping it secure, or managing IT, it is imperative to understand data sovereignty and data custody. If you don't know where your data lives or if you don't know who controls it, you're putting the security of you and your customers' data at risk.

If you don't know where the servers that hold your data are, you don't know whose rules you might be beholden to. Similarly if you don't know (or can't control) whose rules you might be beholden to, you can't know whether the jurisdictional laws in that location are in sync with your corporate policies (and your own sovereign's data laws). You're risking non-compliance, or worse.

Yet if your data is in the typical public cloud, the likelihood is small that you even know where your data is, much less have control of it.

Make a decision

To make the most profitable decision on data sovereignty and data custody, enterprise executives have to keep the need to see and control data at the forefront of their minds. Execs need to remember that what matters is where your data is and who controls it. Given these facts, addressing critical data sovereignty and data custody issues is about making fully informed business decisions.

Decide:

  • Which locations you want IT infrastructure in, and which you don't
  • Which infrastructure model best suits both your needs and the data sovereignty and data custody particulars of the location
  • Which security processes and due diligence procedures need to be put in place

When you can check all those boxes, you can be confident in the security of your enterprise data, and your customers' data. You'll know, and be able to control, whose rules you are beholden to. With full visibility and control into where your data is and who has access to it, you can confidently make the best IT infrastructure decisions for the business.

Read more: How to take control of your cloud

It is only through a full understanding of data sovereignty and data custody that informed IT infrastructure decisions can be made to the benefit and security of the enterprise and its data.

Bob Butler is the chief security officer at IO.