From the course: CompTIA Security+ (SY0-701) Cert Prep

Data sovereignty

From the course: CompTIA Security+ (SY0-701) Cert Prep

Start my 1-month free trial

Data sovereignty

- [Instructor] In the era of cloud computing, organizations spread their data across a variety of service providers. We use infrastructure, platform, and software as a service solutions that are managed by other firms and store our data in their data centers. Cloud service providers intentionally distribute customer data in many different geographic locations. They do this as a security control to protect against regional failures. If one area experiences a massive power outage, redundant data centers in another region can pick up their slack. This geographic distribution of data does introduce an important concern. The principle of data sovereignty says that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. Now, think about the impact here. If a company in the United States collects information from a US citizen and stores it in a US data center, that data is very clearly subject to US law and immune from European Union law. If the EU tried to assert authority over that data under the general data protection regulation, the case will be thrown out of court because the EU regulators have no jurisdiction. However, if the US company backs up their data to an alternate data center in Italy, suddenly the distinction is less clear. What laws now apply to the data? Data sovereignty says that both EU and US laws would apply, and that could cause serious issues for the company. They were only attempting to protect the availability of their data in the event of a disaster, and they wound up subject to a whole new compliance regime. Security professionals working in cloud environments should pay careful attention to data sovereignty issues and take action to protect their organization against unwanted regulatory burdens. First, before deploying any new cloud service, determine where your data will be stored and what the regulatory implications of that storage will be. Second, have the provider specify the locations where the data will be stored in writing, and require that they give you advanced notice before moving data into any new jurisdiction. And third, use encryption to protect data against prying eyes. If a foreign government demands that a cloud provider give them access to your data, they won't be able to read it if you hold the decryption key. This does require that you use key management practices that deny the provider access to the key, and that you maintain the key outside of the foreign jurisdiction.

Contents