Network Jun 28, 2023

Can your infrastructure cope with tightening data sovereignty regulation?

By Colin Bannon, Chief Technology Officer, Business

Most IT leaders now accept that running distributed workloads across multiple clouds, on-premises and at the edge is part of their immediate and long-term future.

And they recognise that this approach will require nuanced decision-making about where data and applications should sit, as well as the service, operations and tooling to enable and support it.

However, just as data is flowing freely to power digitalisation, data sovereignty regulations are tightening.

Organisations must take account of this and plan for adapting their infrastructure and operations in line with how they use and manage data, while also complying with laws and regulations that differ from region to region.

In our recent global research study, 91% of business and IT leaders said improving data security and data sovereignty was a likely technical reason for upgrading their IT and network infrastructure. 

So, what do organisations need to know about data sovereignty before they upgrade their infrastructure?


What data sovereignty is and what it means for your organisation

Agreeing what ‘data sovereignty’ means can be complex because there isn’t one generally agreed definition, although ‘the extent to which data is subject to the laws of a country, no matter where it is stored’ is a useful summary.

This covers the fact that some countries mandate that data and cloud services remain off-limits to foreign actors, be they companies or governments. Many require that employees and companies who manage and monitor cloud resources must also be citizens of the home country and, in some cases, have a certain level of security vetting.

Some countries require that key data relating to their citizens and governmental processes be stored and/or processed within their borders. Some prohibit data transfer across borders, in some cases even if the origination point and destination are both located in-country.

Already, at least 75% of all countries have implemented some form of regulation around data sovereignty / localisation¹, so compliance is an increasingly important issue for organisations. This brings significant implications for infrastructure. Will this mean organisations have to revert to building standalone clouds for every jurisdiction?

Sovereign cloud is a hot topic for a reason

Increasingly, organisations are getting creative and turning data security on its head, flipping it from being a problem into a business opportunity by differentiating their commercial offer. Building an infrastructure that can operate efficiently whatever the data sovereignty and security regulations means organisations can meet detailed compliance requirements increasingly specified in procurement processes. As a result, taking a proactive approach to sovereign data can boost competitiveness across many industry sectors.

Frequently, organisations go on an evolutionary journey from standard public cloud, to trusted cloud (where the provider ensures compliance with local and international laws when processing individual data), before moving finally to a controlled cloud (where an organisation uses a trusted third-party supplier to manage it for them).

However, even in a controlled cloud where the data is encrypted, metadata that can be viewed from an administrator console on a public cloud platform could still hold proprietary information that contravenes data sovereignty rules.

To protect against this, some organisations go further, adopting a fully standalone sovereign cloud that keeps all data and metadata on sovereign soil and prevents foreign access to data under any circumstance. It provides a trusted environment for storing and processing data that can never be transferred across borders.

Yes, this is secure and meets even the most robust data sovereignty requirements. However, it can get expensive in terms of cost and resource since it takes a round-the-clock team to run each area – and once the costs are multiplied across every operating region, the sums involved become astronomical. What’s more, standalone sovereign clouds are unlikely to be able to tap into the global scale and speed of innovation that’s available to public cloud, holding organisations back.

Is it possible to have the best of both worlds – a cost-effective, flexible, innovative cloud infrastructure that can also comply with a wide variety of data sovereignty regulations?


Managed distributed cloud and cloud-centric network services can deliver this balance

A distributed cloud is an architecture where multiple clouds are used to meet compliance needs, performance requirements, or support edge computing while being centrally managed by a trusted partner working directly with the public cloud provider. At its core, a distributed cloud service is one that runs in multiple locations – on the provider’s infrastructure, in the customer’s data centre or edge, in another cloud provider’s data centre, or on third-party or colocated hardware.

To make this solution work both commercially and operationally, IT leaders need to ensure that their network infrastructure is compatible with other cloud infrastructures: that it is cloud-centric, provides interoperability, and smooths the path for data exchange in a way that doesn’t lead to excessive egress and bandwidth charges or resource-heavy API integration.

So, when data sovereignty regulations state that data can’t be moved to a public cloud provider, a managed distributed cloud can effectively be moved to the data. This then provides compliance with all governance and regulatory mandates and means data can be processed efficiently with the minimum amount of latency. It’s a win-win.

Get guidance on what to prioritise in your infrastructure evolution

As organisations face immense change in data security, privacy and access, their infrastructure needs to be ready.

To find out what this means for your organisation’s infrastructure development priorities, download our whitepaper ‘The future of infrastructure and connectivity in a cloud-centric world’.

1 McKinsey & Company (20227) Data localization and new competitive opportunities.