Data Residency Laws and Owning Your Data


Written by Lara White

In this video, Security Expert Willy Leichter talks about data residency and protecting your data.


A question we get asked a lot at CipherCloud is, “If there is a data center in my region, do I still need to protect my own data if I’m concerned about, say, data residency laws?” Particularly in Europe, many countries have strict laws around data residency, and many of the U.S. cloud providers are starting to open data centers in Europe. So that begs the question, “Does this solve my problems?”

So let’s break down some of the issues involved here. As cloud providers open data centers across multiple regions and multiple countries with different laws, there’s really a fair question of whether your data is guaranteed to stay in one data center. And that’s actually harder than it sounds. Most cloud providers back up data, or recommend that you back up your data, across multiple regions. They also typically have some level of command and control. So if it’s, let’s say, a U.S. cloud provider, they probably can still access that data even if it’s stored in a European data center.

There’s also a question of SLAs. While they may have local data centers, you really need to be certain that that data will stay exclusively within that region if your concern is around data residency. Now there’s a very controversial court ruling that’s come up recently that kind of throws a lot of this up in the air. A U.S. judge ruled in a criminal case where the defendant had emails stored in Outlook, on a server based in Ireland, and the U.S. court said, “Microsoft can access this data in the U.S., so we consider this to be fair game and we’re going to require that Microsoft turn over this data.” That’s very problematic all around because that’s a direct violation of the European data privacy laws. But the U.S. judge said, “It’s a question of control. If you can access that data, then we’re going to require you, Microsoft, to access that data.”

Now this has been a hot topic in the news, quite controversial and ongoing. Microsoft was required by this judge and federal prosecutors to turn over the data. They have refused to do this. They have now lost their appeal, so this is going to be a messy court battle for a while. But you can see across the world, the coverage of this is focused on the fact that if you can access this data, if you have control over it, the local jurisdictions are probably going to make you turn it over even if it’s stored in a different jurisdiction. So this has a lot of implications, and it undermines the argument that opening a local data center is going to guarantee that that data always resides in that location.

So let’s break this down and look a little more closely at the problems we’re actually solving and how effective this will be. So, first of all, having a local data center: that’s a good thing. It reduces latency, it shows more of a commitment by the cloud provider, but it does not change the issues of data residency because, as we talked about before, even if there’s a local data center, there are many ways that data can be accessed, and probably will be accessed, by people outside your country, potentially violating the laws.

Now another solution, or a solution that is talked about, is encrypting the data at rest by the cloud provider. Again, it’s a best practice. We recommend that all cloud providers do this, but it does not address the data residency laws. It just assures that if someone steals that physical media, they won’t be able to access it. But as we’ve said before, the data still can be accessed through the command and control of the cloud provider, or by a whole range of other potential threats.

So the only effective way to really knock off all of these issues of data residency and security is to take control of this process and encrypt or tokenize the data yourself. So adding gateway protection is really an elegant way to solve these data residency issues, because by encrypting the data and maintaining the keys, you’re assuring that no one outside your region can access this data unless you give permission. No government agencies, no subpoenas, no criminal courts in other countries.

You’re also taking care of a whole range of other issues around potential account hijacking, data breaches, insecure APIs, malicious insiders, etc. And really by protecting the data at the gateway, you have persistent control over the data through the whole lifecycle from when it leaves your organization, wherever it goes in the cloud, regardless of where the data centers are until it returns to your control.

Now it’s not just our opinion. Many analysts agree on this. In fact, Gartner has written about this. They have specific recommendations on data residency concerns that should not be ignored. And they specifically recommend that you consider deploying encryption solutions at a gateway separate from the cloud provider. They also recommend that you carefully look at your management rights, both on premise with your data and in the cloud, and this is something that’s a shared responsibility between the customer and the cloud provider. So the cloud provider does play a role in the security there. They want to assure that privileged users and administrators within the cloud provider organization cannot access your data. That means if they’ve encrypted it but they have the keys, that doesn’t cut it.

You have to separate the ownership of the keys so that they cannot access it physically. You need to manage the keys locally within your organization. You need to ensure that you’re using encryption products that are standards-based, that are certified, validated, and meet the highest security requirements. And you need to have a documented process to manage those keys and also be able to revoke keys, and this brings up another issue that’s also a very hot topic now, which is digitally shredding the data.

There’s a new concept, the right to be forgotten. So if your data is at the cloud provider, you’ve encrypted it, and you have the keys, then if you destroy those keys, that data is gone and no longer accessible by anyone.
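The gateway model described above (encrypt sensitive fields before they leave your organization, keep the keys locally, and shred a record by destroying its key) as an added Go sketch; this is illustrative code written for this page, not CipherCloud’s product, and the subject identifiers and field values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrKeyShredded is returned once a data subject's key has been destroyed.
var ErrKeyShredded = errors.New("key destroyed: ciphertext is unrecoverable")
// KeyStore maps each data subject to an AES-256-GCM key held only inside the customer's jurisdiction.
type KeyStore map[string]cipher.AEAD

// NewKey issues a separate random key per subject so one subject can be shredded alone.
func (ks KeyStore) NewKey(subject string) {
	k := make([]byte, 32)
	rand.Read(k)                          // crypto/rand.Read never returns an error on Go 1.24+
	block, _ := aes.NewCipher(k)          // cannot fail: 32 bytes is a valid AES-256 key size
	ks[subject], _ = cipher.NewGCM(block) // cannot fail for a 128-bit block cipher such as AES
}

// Shred is the digital-shredding step: with the key gone, every copy of every field is unreadable.
func (ks KeyStore) Shred(subject string) { delete(ks, subject) }

// Protect runs at the gateway before a sensitive field leaves the organisation; the
// field name is bound as associated data and the random nonce is prepended to the output.
func (ks KeyStore) Protect(subject, field, value string) ([]byte, error) {
	g, ok := ks[subject]
	if !ok {
		return nil, ErrKeyShredded
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, []byte(value), []byte(field)), nil
}

// Reveal reverses Protect when the record returns; after Shred it can only fail.
func (ks KeyStore) Reveal(subject, field string, blob []byte) (string, error) {
	g, ok := ks[subject]
	if !ok {
		return "", ErrKeyShredded
	}
	n := g.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, blob[:n], blob[n:], []byte(field))
	return string(pt), err
}
```

Only the ciphertext ever reaches the cloud record, so a subpoena served on the provider yields nothing readable, and deleting one subject’s key implements the right to be forgotten without touching any data center.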

Now one more issue when you talk about data residency: you have to consider where you are doing business. And frankly most of our customers are global enterprises. They may be based in one region, but they are connecting offices, branches, and partners all around the world. Here’s an example of one of our customers based in Germany using Salesforce to connect partners in the U.S., the U.K., Australia, and South Africa. So inherently this data is going to travel. It’s going to go to multiple regions. They have sensitive personal customer information that may be subject to laws in any one of these countries. So the only way for them to solve this was to add a gateway themselves, encrypt the data, the sensitive PII, before it goes into Salesforce, and then manage that process. So regardless of where the data goes, they are assured that they are complying with data residency and other regulations all around the world because they control that access exclusively; no one else can access the data.

Thanks for your time. If you have more questions, please go to our website. We have lots of information on our technology as well as compliance around the world.