ra2 studio - Fotolia

Cloud storage data residency: How to achieve compliance

There’s a conflict between cloud storage and the need to comply with local laws and regulations. We look at cloud data location, data residency, data sovereignty and data adequacy

Cloud storage is the ultimate in technology outsourcing. Business units and IT teams don’t need to know how the technology works, or even where it is: to set up a cloud service, they just need a browser and credit card.

But this simplicity creates regulatory and security concerns, especially when it comes to cloud storage. The very flexibility of the cloud – where hardware can be anywhere in the world – makes it hard to comply with national laws that are by their nature based on a fixed geography.

The question of where data is physically stored – “data residency” – cuts across a range of data privacy laws, regulations, and even organisations’ own terms and conditions.

So, the larger cloud providers give their customers at least some control over where data is stored. Other providers sell services tailored to the needs of highly regulated industries, such as healthcare or financial services.

In the cloud, data can be stored anywhere. The concept behind cloud computing is that the provider can allocate workloads and resources to fit their own technical and practical requirements. This allows for the cloud’s economies of scale. It also creates resilience. Cloud providers host data in multiple locations to ensure availability.

Indeed, a reason for firms to move data to the cloud is so it is physically separate from their own infrastructure. This is increasingly important, to ensure business continuity and to deal with threats such as ransomware.

However, it is no longer the case that cloud providers simply put customers’ data anywhere they like. The growth of cloud computing and especially of the big three providers – AWS, Microsoft Azure, and Google Cloud Platform – allows cloud services to be large enough to offer customers some control over data residency without compromising economics or data protection.

Availability zones

AWS, for example, offers availability zones (AZs) in North America, South America, EMEA and Asia Pacific. In Europe, AWS has regions in Ireland, the UK (London), Frankfurt, Paris and Stockholm. Each region has three AZs.

Microsoft’s approach is similar, with Azure regions and geographies. These, Microsoft says, “define disaster recovery and data residency boundaries” for Azure. Its availability zones are physically separate datacentres within regions.

Google Cloud’s platform offers regions and zones, but the cloud service also provides highly detailed information on technical capabilities in each zone. For storage, all regions and zones offer local SSDs, for example. Not all offer GPUs for GPU-accelerated tasks.

The picture is slightly more complicated when it comes to buying cloud services through third parties where an application could be built on top of a public cloud provider’s services. This could be a software-as-a-service (SaaS) application, a collaboration tool or even data archiving.

In this case, it is the third-party service, not the hyperscaler, which decides where data is stored. So, customers need to check the data residency terms of the service they are buying, both in normal operations, and to determine what would happen in the event of an outage.

Larger businesses, especially, will want to do their own due diligence for where data is stored, says Lee Sustar, a principal analyst at Forrester who leads cloud research. “You need to be prepared to validate that independently,” he says. “You can’t just rely on a set of generic documents.”

And, he points out, cloud computing is not static. The technology continues to evolve, with techniques such as object storage sharding dividing up data in new ways, and potentially bringing its own regulatory challenges.

Data residency and sovereignty regulations

Data residency and data sovereignty are increasingly governed by local laws. There is an increasing push towards data sovereignty, in part because of supply chain and security concerns.

As Mathieu Gorge, CEO at compliance experts Vigitrust, points out, firms and governments alike are increasingly concerned about geopolitical risk. Firms also need to be aware of data adequacy requirements if they intend to move data across borders.

This could come into play if they move between hyperscaler regions and AZs, or change SaaS providers. “There is adequacy between the UK and EU, but you are still relying on clauses in the contract to demonstrate that adequacy,” he cautions.

Meanwhile, the challenge of data residency is becoming more complicated as more countries roll out data sovereignty regulations.

More on compliance and storage

The EU’s GDPR does not actually include stipulations on data residency, relying instead on data adequacy. The UK’s post-Brexit approach follows that of GDPR.

But the growth local of data privacy laws is increasingly linked to more localised, or even nationalistic, views of IT resources, and specific regulations and laws can also set out data residency requirements.

Even in the EU, individual countries are also free to modify their data privacy laws. Germany’s Bundesdatenschutzgesetz, or Federal Data Protection, is an example.

Outside the EU, new data protection laws in Russia and India are likely to impact firms doing business there, and could require them to store or process data in localised regions or AZs. This trend looks likely to continue. Research by the United Nations found that 130 countries now have data privacy laws.

Industry-specific regulations can also apply. The US HIPAA health data law and the international PCI-DSS payment card regulation both set policies around data residency, for example. IT departments need to be aware of these, and ensure that cloud storage is compliant.

Transparency and service level agreements

However, as data compliance experts point out, it is one thing to understand local laws and practices but quite another to know exactly where all data is across all applications.

If a firm has a chief data officer, this assurance will be part of their role, but organisations that buy cloud services need to ensure they review data location rules for each service and ensure service level agreements are clear about where a service keeps data. That should apply to business-as-usual and emergency scenarios, and how that can be audited.

This applies to any service that moves personal data, whether it is a simple cloud utility or an enterprise-wide system.

Organisations also need to monitor the changing regulatory and legal landscape, with a proliferation of local laws.  “I don’t see anything that will stop that,” says Forrester’s Sustar. “It is part of a broader trend of economic nationalism.”

Next Steps

Google settlement heightens focus on data practices

Best practices for cloud storage migration

Read more on Cloud storage