The metaphor of the “Iron Curtain” was used to characterize Easter European BLOC under the Soviet Union (USSR) as a collection of satellite states disparate from the West. Akin to this idea is a “data curtain,” that stands to separate data exchange in the same way among nation-states throughout the world. New data sovereignty laws are controlling data and limiting data exchange between nations.
In the age of cloud computing and a growing reliance on omnipresent data, at any time, from anywhere around the globe, this development could be significant.
A New Digital Curtain Descends
Data sovereignty involves the ability to control what occurs within defined, internationally recognized borders. Global, interconnected networks transcend physical boundaries with data stored, processed, and accessed with limited respect to lines on a map.
Governments are expanding the scope of national security-related information, traditionally viewed as classified or state secret, to risks that impact critical economics, infrastructure, or citizens’ privacy. Gartner recently predicted that by 2024, modern data privacy laws would cover approximately 75% of the global population. It is reasonable to assume that many countries will extend elements of data sovereignty for privacy-related information if they have not already done so.
Prevailing data sovereignty laws in specific countries purportedly stand as a curtain between data governed by new policies in specific nations, and others external to them. Such laws and policies include the following:
- Data Security Law of the People’s Republic of China.
- A proposed French data security law effectively precluding the use of any cloud-based infrastructure not owned, controlled, or managed by France-based resources for approximately 600 “vital” or “essential service” companies.
- National data governance initial regulations for the Kingdom of Saudi Arabia establishing a classification regime as a predicate for the use of cloud-based environments.
- Resolution No. 2 of 2017, approving the policies document on data classification, dissemination, exchange, and protection in the Emirate of Dubai.
- German data sovereign cloud initiative, which will be run in the country by T-Systems, a subsidiary of Deutsche Telekom.
Curtains in the Cloud
The extraordinary growth of cloud infrastructure and SaaS offerings evince the tremendous value they deliver. Enterprises can access the latest technologies, driven by levels of spending in research and development and capital investment, that they could never achieve on their own. These laws and policies will have a pronounced effect on cloud computing, as it is common ground for data transactions and data exchanges worldwide.
Early in cloud adoption, providers marketed offerings without regard to the physical location of their infrastructure or individuals that managed these environments. Some cloud companies touted the benefits of organizations being able to access infrastructure and software without concern for geography.
This has changed. With providers deploying infrastructure into major markets, they increasingly look to partner with governments where economics might otherwise have precluded the investment. Regardless of whether these new environments are being deployed based on market forces or government partnership, they share a common thread of controlling what data stays in the country and what data can cross borders.
Data Classification as Predicate
Developing data sovereignty regimes include specific definitions of the types of information that must remain within the country and what can be moved into local cloud environments. They also specify conditions upon which data can flow (or be accessed) across borders.
Data in modern enterprises is created and consumed across a range of employees and lines of business and systems. Aside from the specific requirements associated with statutory or regulatory regimes, data classification provides many additional benefits. Its main objective is to understand how this covered information was originated, consumed, accessed, or shared so it can be appropriately managed. It is useful in most data environments. It helps retain information subject to book and record retention requirements. It supports preservation and discovery of data subject to litigation or governmental inquiries. It helps understand and map “golden sources” and “flows” of critical information. It helps support data integrity requirements and the introduction of automation throughout core processes and practices.
Most importantly, data classification is a predicate for using cloud environments in many jurisdictions and helps weave a new fabric for any data curtain that could potentially block interaction between global users, allowing adequate data flow. The scope of such work can seem overwhelming, but by breaking down the necessary elements, it provides a manageable, transparent, and repeatable approach.
Weaving a New Fabric for a New Data Curtain in an Age of Data Sovereignty
Data sovereignty requirements are likely to grow and present new global challenges for organizations. However, these requirements need not preclude enterprises from leveraging the tremendous capabilities available in cloud-based infrastructure and software.
While governments are providing avenues for using cloud environments, many will require data classification. Doing so will ensure data is appropriately accessed, stored, and shared. With the right processes and technologies, organizations can achieve their objectives while satisfying these new obligations — and avoiding getting caught in the curtain.