Data Residency Versus Data Sovereignty
Data residency is the location where the data is stored. Data sovereignty is the concept that the data is subject to the laws of the country in which it is resident. Cloud service providers can offer a particular data residency fairly easily but not data sovereignty. When your data is stored in a data center located in your country, your data is resident in your country but you have not achieved data sovereignty, and it is data sovereignty that addresses privacy.
Companies trying to comply with data privacy laws often confuse data residency and data sovereignty. Controlling where the data is stored does not mean you control what laws apply to the data. Such thinking was appropriate for paper records stored in a file cabinet – if the paper records were stored in Europe, American courts had no way to force access to these records. Today, to ensure data sovereignty, you have to know who controls the data and where it goes in transit.
For example, an American company may operate a data center in Canada and store Canadian data there to satisfy Canadian data residency requirements. The data is subject to Canadian privacy laws. But the American company is also subject to American laws. American government agencies and third parties acting through American courts may force the American company to give them access to your data. In this case, while the American company is acting legally in accordance with American law, you may have violated Canadian privacy laws by leaving your data open to this kind of foreign access. You did not have data sovereignty and compromised your data privacy requirements.
The issues become even more complicated when you have customers in many different jurisdictions. You are responsible for ensuring that their data is kept according to the privacy laws of their country of residence. The cloud provider is not responsible for your customer data; it is your job to select where your data is stored. A major issue with this selection is the requirement to analyze customer data to determine each customer’s residency and make the corresponding choices.
Since many of the cloud services you need are offered by American suppliers and since these American companies will continue to be subject to American laws, they can’t offer data privacy through data sovereignty. To achieve true data sovereignty and guarantee the privacy of your data, you have to take additional security measures.
Cloud Data Encryption
When you ask your cloud service provider about data privacy and security, they will normally point to the fact that the data is already encrypted in transit to and from the data centers and that the data centers themselves are highly secure environments. If you insist on additional security measures, they will often offer to encrypt the data.
Encrypting your data in this way creates two problems. First, accessing your data becomes slow and complicated: you either decrypt it on the cloud server, which opens a window in which the clear data sits on infrastructure you do not control, or you download the whole file, decrypt it, process it locally, re-encrypt it and upload it again. Second, because the cloud service provider performs the encryption, it also holds the keys and can decrypt your data just as easily when it receives a court order or a request from a security agency. You have made your cloud operation less efficient, and your cloud service provider still cannot give you the privacy guarantee you need.
De-Personalization and Data Masking/Tokenization
De-personalization of data means removing the personally identifiable information (PII) from a data set. One way to achieve this is to mask the PII so it can't be read. Tokenization carries out such masking by replacing each character with a different character of the same type (letters for letters, digits for digits), so the token keeps the original's length and format, while the mapping between real values and tokens is kept where only you can reach it. The masked data is no longer legible and is no longer PII. Data residency and data sovereignty laws and regulations then no longer apply to the masked data set stored in the cloud, provided the mapping stays under your control, and you don't have to rely on a cloud service provider's data privacy guarantee.
For example, a list of purchases may contain customer names and payment card data. This is data containing PII and is subject to your country's privacy laws. Tokenization replaces the letters of the customer name with other letters and the digits of the payment card number with other digits, so that the data set no longer contains PII because the relevant information is masked. You can continue to store, search and process your data in the cloud (an exact-match search works by tokenizing the search term with the same mapping), but only people you authorize can unmask the data and see the PII. You have guaranteed data privacy without relying on the cloud service provider.
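The purchase-list scenario above, as an added example that is not CloudMask's code or any product's implementation: a vault-based, format-preserving tokenizer that runs on the data owner's side. The sample record, the field names and the `LocalTokenVault` class are assumptions made for illustration. Letters are replaced with random letters of the same case and digits with random digits, separators are kept, the same clear value always gets the same token (so equality searches on the masked data still work), and only the holder of the vault can unmask a token.

```python
import secrets
import string

# Constructed sample record standing in for one row of the purchase list.
SAMPLE_RECORD = {
    "order_id": "A-10042",
    "customer_name": "Maria O'Brien",
    "card_number": "4111 1111 1111 1111",
    "amount": "59.99",
}

# Fields that hold PII and must never leave the device in clear (assumed).
PII_FIELDS = ("customer_name", "card_number")


class LocalTokenVault:
    """Format-preserving, vault-based tokenization (hypothetical illustration).

    The vault, i.e. the value<->token tables, stays on the owner's device or
    infrastructure; only tokens are sent to the cloud, so a cloud provider
    (or anyone compelling it) sees nothing it can reverse.
    """

    def __init__(self):
        self._to_token = {}  # clear value -> token
        self._to_value = {}  # token -> clear value

    @staticmethod
    def _random_same_type(ch):
        # Replace each character with a random one of the same class so that
        # length, case and punctuation (spaces, hyphens, apostrophes) survive.
        if ch in string.digits:
            return secrets.choice(string.digits)
        if ch.isupper():
            return secrets.choice(string.ascii_uppercase)
        if ch.islower():
            return secrets.choice(string.ascii_lowercase)
        return ch

    def tokenize(self, value):
        # Deterministic per value: the same clear value always maps to the
        # same token, which is what keeps exact-match search usable.
        if value in self._to_token:
            return self._to_token[value]
        if not any(c.isalnum() for c in value):
            raise ValueError("value contains nothing to mask")
        for _ in range(100):
            token = "".join(self._random_same_type(c) for c in value)
            # Never hand out a token equal to the value or one already in use.
            if token != value and token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        raise RuntimeError("could not find an unused token")

    def detokenize(self, token):
        # Raises KeyError for a token this vault did not issue: anyone without
        # the vault (the cloud side, an attacker with a copy of the data) is
        # in exactly that position.
        return self._to_value[token]

    def mask_record(self, record, fields=PII_FIELDS):
        # Run on the device, before the record is sent to the cloud.
        return {k: (self.tokenize(v) if k in fields else v) for k, v in record.items()}

    def unmask_record(self, record, fields=PII_FIELDS):
        # Run on the device by an authorized user holding the vault.
        return {k: (self.detokenize(v) if k in fields else v) for k, v in record.items()}


def search_masked(masked_records, vault, field, clear_value):
    """Equality search over masked data: tokenize the query locally, then
    compare tokens. The clear search term never reaches the cloud side."""
    token = vault.tokenize(clear_value)
    return [r for r in masked_records if r.get(field) == token]


if __name__ == "__main__":
    vault = LocalTokenVault()
    masked = vault.mask_record(SAMPLE_RECORD)
    print("stored in cloud :", masked)
    print("found by search :", search_masked([masked], vault, "customer_name", "Maria O'Brien"))
    print("unmasked locally:", vault.unmask_record(masked))
```

The vault is the sensitive asset: it must be backed up and access-controlled by the data owner, and, as the surrounding text argues, never hosted by the same provider that stores the tokens, or the arrangement collapses back into provider-side encryption.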
Dynamic Data Masking
CloudMask's patented Dynamic Data Masking (DDM) masks data as you type, before it leaves your device. It can tokenize specific data fields to mask PII so the data set is no longer subject to privacy laws. You can still choose a cloud service provider with excellent security and a high level of data protection, but you no longer have to rely on the data privacy guarantee of a provider who may be subject to the laws of another jurisdiction. You have full control of your data and full control over who can read it.
With CloudMask, only the parties you authorize can unmask and see your data: not hackers holding your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask