In all my cloud consultancy engagements, the area I get asked most about is data sovereignty and security, usually something along the lines of: "I don't want some other government to get their hands on my data. Is it really safe in the public cloud?" Organisations are understandably nervous about seemingly 'losing control' of their data if they move to the cloud, and addressing that concern is less about me telling customers that it's 'okay' and more about explaining how this all works so that they can make their own decision. So, if you’re ready to take that leap into the unknown and move some data to the public cloud, what are the risks?
All the main cloud platforms will allow us to associate our data with a geographical region. Assuming you select the right region, there is no difference in applicable legislation whether it sits on your own SAN or in the cloud. The real question here is whether you have less control over your data if it is on a public cloud platform as opposed to an on-premises or private cloud solution. The answer is no!
Some may argue that Microsoft and Amazon are US companies, and that the US government may try to use this as an excuse to access data in a non-US location. The same could be said about any service provider that is a UK offshoot or acquisition of a US company, and that has never been flagged as an issue despite mirroring the circumstances. It is still UK data that resides in the UK, even if it's on a platform run by a US vendor. In the context of GDPR and a general upswing in interest in data privacy issues, it clearly pays to be mindful of where your data sits geographically in your chosen cloud platform. These companies are in the business of trust, and a breach of that trust would seriously affect their ability to do business in their chosen space.
Data sovereignty by itself does not mean that your data is secure. It simply means that the data which is stored in digital binary format is subject to the laws and legislation of the country in which it resides. This has nothing to do with data security at all and is all about the access to data by government bodies in their respective regions. In this respect, UK stored data is subject to UK sovereignty laws, US stored data is subject to US sovereignty laws, and so on.
Data security is a very different subject. Where you store your data has no real impact on the security of that data. If data is stored on a non-PCI compliant platform, as an example, it will never be PCI compliant. Sounds simple, yes? Well, it is that simple!
The reality is that a clear majority of the public cloud platforms have so much security and compliance built into their solutions that there is almost no way it could be replicated in a typical private data centre infrastructure or on-premises. Not to mention the proactive penetration testing and DDoS scrubbing that can be performed at the CDN level by the 'hyperscale' providers. If you are in doubt about their security and compliance, there are dedicated web pages for all cloud platforms where they showcase their compliance certifications. In my previous system admin roles, there is no way I would have been able to achieve those levels of certification, let alone keep them current!
The important thing to remember is that you are responsible for security and access permissions on the stuff that you run on top of those platforms. In my PCI example above, the provider may well be able to give you an Attestation of Compliance for their bit of the stack – but you are entirely responsible for your part of it!
And that's where we can really help you – working with your team, we can deliver the right cloud architecture for your organisation, applications, users, consumers, and regulatory landscape. Softcat has a great team that 'get' cloud and can help make it work for you, whether private, public, or hybrid.
If you need any help, just get in touch using the button below or speak with your Softcat account manager, and let's start your journey!