Data sovereignty has become a hot topic – especially in Europe. In essence, it relates to the need for a country to apply legislation and governance structures to data stored in its own jurisdiction.
As the global cloud market developed, the issue emerged with use of cloud provider infrastructure and data centres not located in the nation in which a cloud customer operates.
The US Cloud Act, enacted in 2018, provided a baseline to address this pressing issue. Hyperscalers rose to the challenge to meet their customers’ needs by expanding or forming partnerships to provide local datacenter services as a seamless part of their solution. Did this solve the problem? Not necessarily.
Let’s look more closely at what data sovereignty means, and what enterprises need to consider before making – or continuing – their journey to cloud.
Data classification
The reality is that these days, most organisations’ choice of cloud will be hybrid or multi-cloud. In the context of a maturing cloud marketplace, it’s more critical than ever to make the right cloud choices based on a clear understanding of your business needs and the nature – and sensitivity – of your data.
Before migrating data to cloud, every organisation first needs to carry out a rigorous data classification exercise. This means knowing what your data is, where it’s located and its level of sensitivity, so that you can decide which type of cloud is appropriate for each data set (always remembering that if data of different levels of sensitivity is mixed, then the entirety must be treated at the highest level of security).
This data classification process is fundamental to meeting the requirements of data privacy regulations. Questions include: what is my data and which data will I monetise? Where should I store my data? How should I control, protect and exchange my data? And where should I process my data – at the edge, in a private cloud, in a public cloud?
Four dimensions of data sovereignty
Having conducted a data classification, there are then four dimensions of data sovereignty to consider:
- Ensuring it’s in a local data centre (within the correct jurisdiction), is a necessary step.
- What kind of platform ecosystem holds the data? Are you sharing an IP address with another organisation? Could this compromise your security?
- What are the arrangements for data exchange and usage? Who has access to it? And how is it shared?
- From an operational point of view, who manages the data and the related infrastructure on which it is stored?
In response to these questions, data sovereignty encompasses data protection in the form of classic encryption, key and access management. It means that data can only be exchanged, accessed and used by authorised parties. And it demands complete auditability and traceability of data.
Bare metal is an integral piece of the strategy
Here’s where bare metal has a key role to play as the only practical solution for certain workloads that require segregation and a high level of access. This is because bare metal provides a physical server dedicated to a single tenant and optimised for specific performance, security and reliability requirements. We have already seen examples of this combination of hybrid public/private/bare metal cloud environments implemented in government, healthcare and finance.
European jurisdictions require tight data governance and sovereignty controls. Levels of protection and segregation must be assigned and operated precisely.
Enabling the data economy
By accessing the full spectrum of cloud environments seamlessly, organisations can blend them to create the most efficient, effective, secure and compliant cloud environment that gives them complete data sovereignty where required. They can select different types of cloud, with gradations of data access and segregation depending on exact need. For example, they can specify whether encryption and key/access management is only on the cloud provider’s side, or on both the provider and customer sides.
To succeed, organisations must assess their data landscape and work with partners who understand what they need and can support an optimised cloud strategy.
What’s clear is that bare metal is now a key consideration for any data-driven business. As the new data economy evolves, we expect to see growing demand for bare metal services as a critical enabler to underpin data sovereignty.