When you plan a cloud strategy, you probably think about factors such as cost, performance and security. But what about cloud data sovereignty, which is determined by the political jurisdiction in which cloud infrastructure physically resides? Data sovereignty should be an equally important consideration when planning to move to the cloud--but it’s also one that can complicate cloud strategies in ways businesses don’t fully anticipate.
What Is Cloud Data Sovereignty?
Cloud data sovereignty is the concept that data stored in the cloud is subject to the laws and regulations of the country or other jurisdiction that has authority over the relevant cloud infrastructure.
In other words, when cloud architects or admins talk about data sovereignty in the cloud, they're referring to the ways in which regulatory laws or other policies may impact data stored in the cloud, depending on where the cloud infrastructure is located.
Why Does Cloud Data Sovereignty Matter?
When you are dealing with on-premises infrastructure, data sovereignty is clear-cut and obvious. IT workloads and the business itself operate out of the same location, with a common set of laws applying to both.
In the cloud, where a business can store its data in any number of different geographic regions regardless of where the business itself is based, data sovereignty can be more complicated. You could be a company based in New York that uses public cloud servers located in California, in which case your data may be subject to California-specific regulations like the CCPA, for example. Likewise, a company that operates out of the United States but chooses a cloud region in the European Union may need to meet the requirements of the GDPR.
To make matters more complicated, cloud vendors don't typically inform customers of the regulatory stakes of selecting one cloud region versus another. Cloud vendors let users select whichever cloud regions they want, and leave it up to their customers to manage the regulatory or legal impact.
The Tradeoff Between Cloud Data Sovereignty and Performance
If data sovereignty issues can complicate your cloud strategy, why not keep things simple by choosing to host your workloads in cloud regions that are in the same jurisdiction as your business? That way, you’d only have to worry about one set of laws and regulations for both your on-prem and cloud-based operations.
The problem with that approach, of course, is that it’s often not ideal from a performance standpoint to select cloud regions closest to your business’s physical site. You may want to select a cloud region closer to your end users to reduce network latency and improve the end user experience.
Or, in certain cases, you may need to use cloud services that aren’t available in the cloud region closest to your base of operations. Although in general all mainstream cloud services are available in all regions on the major public clouds, certain of the more obscure services are not supported in every region.
There is a cost component to consider, too. The costs of cloud services can vary from one region to another. S3 storage pricing on AWS starts at $0.023 per gigabyte in Ohio but $0.025 in Tokyo, for example. So, some companies may choose to place workloads in certain jurisdictions in order to help optimize their cloud costs.
What all of the above means is that businesses may face a tradeoff between data sovereignty requirements on the one hand and cost and performance goals on the other. It’s hard to achieve the simplest cloud data sovereignty requirements while at the same time optimizing performance and cost.
Data Sovereignty’s Impact on Cloud Trends
Data sovereignty concerns intersect with two other major cloud trends: hybrid cloud and edge computing.
Simplifying data sovereignty challenges is one selling point for hybrid cloud adoption. By allowing businesses to use public cloud services while keeping data that is subject to regulatory rules within their own data centers, hybrid architectures make it easier to take advantage of public cloud services hosted in whichever region businesses want, while still minimizing the exposure of their data to multiple jurisdictions.
Edge computing is similar in that it provides a higher degree of fine-grained control over where data resides than the public cloud offers. With an edge architecture that places workloads on the edge of the network instead of in central data centers, businesses can potentially keep data in the same local jurisdictions where their end users are located, rather than moving it to a public cloud data center that may be subject to different laws.
This is an especially important advantage at a time when smaller jurisdictions, such as states, are increasingly introducing their own data regulations. When regulatory rules are uniform across national jurisdictions, the difference between hosting data on a server in Ohio or one in California is not significant. But now that California has introduced state-specific rules in the form of the CCPA and the forthcoming CPRA, it may become more important to some businesses to achieve hyper-granular control over workload residency.
Conclusion: Cloud Data Sovereignty Requires More Strategic Decisions
In short, although data sovereignty issues have not traditionally been a major focus when businesses plan cloud strategies, they are likely to become more and more significant as the regulatory landscape grows more complex. And although the public clouds provide organizations with a lot of choice regarding the regions that host their data, it may not be enough to stop companies from turning to hybrid or edge architectures that provide even more control.
