GRC Tuesdays: Data Sovereignty, What It Is and Why Does It Matter?
In a previous blog, GRC in OnPremise, Cloud, and Hybrid – Benefits and Trade Offs of Each Model, I briefly mentioned “data sovereignty” as an external consideration for companies to take into account when choosing the deployment model for their software.
Since then, I have received a few questions on what data sovereignty really is and how does it impact the organizations. I therefore thought it would be a perfect topic for a new GRC Tuesdays post!
Data sovereignty vs data residency
First of all, data sovereignty and data residency are often used interchangeably. If they are indeed related, they are nonetheless not equivalent and each must be addressed as necessary.
Data residency really focuses on physical location and requires that certain type of data must be stored strictly within the county or jurisdiction where it is collected. A typical example here relates to favourable tax regimes. To be able to benefit from favourable taxation in some countries, companies must prove that their business is mostly conducted in the said country, including the processing of the data collected. Residency (i.e.: storage) of the data in the country can therefore be one of the mandatory requirements.
Another example could be sensitive data policies where a country mandates that health information on its citizens only be stored within its borders.
There can be provisions for companies to be allowed to transfer data across borders for processing, but this usually requires user notification and specific consent.
Data sovereignty is quite wider. If it does encapsulate data residency requirements, it goes further in that it mandates that this data also be subject to the laws and regulations of the geographic location in which the data is collected and processed.
Especially crucial for SaaS solutions holding sensitive personal information, this topic can quickly become quite tricky for end-user companies.
What can you do about It?
Organizations in public services, but also in regulated industries can be required to abide by these requirements. As a result, they have 2 choices:
- Stop doing anything digitally and revert to pen and paper. This is definitely the most straight forward approach… But it could also mean the end of the business
- Put in place the process and systems to support – and be able to prove – compliance with these requirements
If you think choice 2 is the right one for you, then there are now really 2 follow-up options:
- Keeping the systems and the data OnPremise within the company’s 4 walls and enforcing access monitoring policies
- Go to the Cloud but retain control over the data, its location, and user access at any time
Regardless of the choice above, there are two types of data that need monitoring:
* Data in motion: this is the data that is being transferred to and from the user and the software – be it OnPremise or Cloud-based solution;
* Data at rest: this is data that is stored, for instance in a database or a file. Remember all these Excel files that you have? They fall within this category and as a result must also be identified. So do the backups!
As you can imagine, this is a topic for many of our customers at SAP. As a matter of fact, data sovereignty and data residency have been ranked as very to extremely important for 77% companies as per a Qualtrics survey:
Drilling-down a bit further, the reasons driving this ranking relate to:
- Regulatory drivers
- Industry & corporate compliance
- Technical drivers
- Risk drivers
How can we help?
If you decide to remain OnPremise, then my recommendation is to have a look into data protection solutions, including ones that help enforce attribute-based access control to prevent unauthorized access to data by people outside the defined geography.
Since there have already been quite a few publications on this topic, including in these GRC Tuesdays posts, I am sure you are already familiar with these solutions, so I won’t detail them further.
Should you decide to investigate further, a good starting point is the following post: GRC Tuesdays: What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Identity and Access Governance pillar
Should you embark on a Cloud journey, then I think there are 2 solutions that could be of interest and that I wanted to introduce in this blog: SAP S/4HANA Cloud, private edition, customer data center option and SAP Data Custodian.
SAP S/4HANA Cloud, private edition, customer data center option
In short, this is SAP’s Private Managed Cloud delivered in your data centers. This is a turn-key Cloud offering fully compliant with SAP Private Cloud concierge standard of service, architecture, & security – delivered on customer premises – and backed by an SLA of course.
It has the advantages of OnPremise deployments when it relates to addressing customer data sovereignty, privacy, and residency requirements but also the benefits of a Cloud deployment when it comes to scalability, SLAs, cost-efficiency, etc.
Some of the value-adds for this solution include:
- Location of customer choice for SAP Landscape and Disaster Recovery system
- Single-tenant so no other customer shares the hardware or the service
- Data guaranteed to stay within the landscape
- Isolated control plane and private self-service portal
- Secure, high-performance, and reliable delivered in your data center – compute, storage, networking, agility & burst-ability
- And more. For additional benefits and details, I would suggest having a look at the dedicated presentation: Moving our customers to cloud, without moving their data center
SAP Data Custodian
When it comes to data movement, data placement, data processing and data access, SAP Data Custodian is designed to give Public Cloud users similar transparency and control over their Public Cloud resources and applications that was previously only available in Private Cloud or OnPremise configurations.
SAP Data Custodian uses advanced data visualization capabilities to enable users to rapidly identify data protection policy breaches, data movement, storage location, compliance, and risk.
Some of the features and functionality of this solution include:
- Policy definition and enforcement: to enable users to configure geolocation policies for data governance, storage, movement, processing, but also access
- Data transparency, alerts, and reporting: to help organizations understand where their data has been accessed, moved, and stored in the Public Cloud, and by whom. This includes capabilities to notify and alert users on policy violations and data breaches
- Independent key management – one of the most frequently asked capability for this solution at the moment: it helps reduce the risk of data breach and the unauthorised release of business data by obtaining total independent control of encryption keys and data, including segregating your encryption keys from the Cloud provider
- SAP S/4HANA transparency and control: to identify and monitor data protection risks on SAP S/4HANA and other SAP Cloud deployments, but also to create contextual policies to control access to T-Codes and SAP Fiori applications.
Once again, should you want to read more about this solution, then I would suggest having a look at the dedicated page: SAP Data Custodian
These are of course only some of the options, and I do realize that compliance with data residency and all the more compliance with data sovereignty require defined processes and procedures in addition to technical solutions. But I hope this has at least helped picture some of the potential possibilities available.
What about you, how does your company address these requirements? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
Thank you for this detailed and structured analysis which can help pave the way to the cloud with the security and reassurance any large information system needs.