Click here to close now.




















Welcome!

Cloud Security Authors: Pat Romanski, Liz McMillan, Elizabeth White, Tim Hinds, Cloud Best Practices Network

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Linux Containers, Cloud Security, @BigDataExpo

@CloudExpo: Article

Key Data Residency Requirements Global Organizations Need to Understand

…And some advice on how to satisfy them as you move to the cloud

One challenge more and more enterprises are grappling with as they plan to adopt the cloud is data residency & sovereignty. They are finding that if they want to use a cloud service hosted outside of their borders, life can become quite complex. Perhaps it is a result of the often discussed "Snowden Effect," but no one can deny that countries and regions are putting some strict guidelines in place to ensure privacy of sensitive data that is moving outside of their borders. These three examples are indicative of what I foresee we will be seeing much more of:

Australia: The Privacy Amendment Act
The Privacy Amendment Act introduced many changes to the original Privacy Act and just recently went into effect. The Act includes a set of new privacy principles that cover the processing of personal information by government agencies and businesses. The new principles are called jointly called the Australian Privacy Principles (APPs).

In the context of cloud adoption, agencies and businesses that deal with personal information are subject to APP8 (cross-border disclosure of personal information) which regulates the disclosure/transfer of personal information by an agency or business to a different entity (including a parent company) offshore. Before moving this type of data offshore, the Australian agency/business (Australian sender) must take reasonable steps to ensure the overseas recipient will comply with / not breach the APPs. The Australian Sender will remain liable for the overseas recipient's acts associated with any transferred personal information and, where relevant, be in breach of the APPs due to the overseas recipient's acts or omissions. In addition, APP11.1 (security of personal information) requires that an organization must "take reasonable steps to protect the personal information it holds from misuse".

Germany: The Federal Data Protection Act
Germany's Federal Data Protection Act is known as Bundesdatenschutzgesetz or BDSG, and these laws were reformed to cover a range of data protection-related issues. The key principles of the law state that organizations cannot collect any personally identifiable information without express permission from an individual (this includes obvious things like name and date of birth, as well as less obvious things like phone number, address and computer IP address). The permission that an individual grants must specify how, where, how long and for what purposes the data may be used and the individual can revoke the permission at any time.

Organizations must have policies, procedures and controls in place to protect all data types and categories that fall under the BDSG umbrella. Further, Germany does not recognize Safe Harbor regulations in the same way as other EU states (note - other EU states are re-examining this issue). It requires all parties involved in data transfer to assure that Safe Harbor requirements are met in a more formalized and structured manner.

In addition to the Federal Data Protection Act, components of the German criminal code regulate personal data protection, particularly for telecommunications, healthcare, and insurance companies. And all of the 16 German states have their own specific data protection laws pertaining to these areas.

United Kingdom: The UK Data Protection Act
The UK Data Protection Act is the UK's legislation covering the processing of data on people and is the main piece of legislation that governs the protection of personal data in the UK. The Act places clear demands upon those holding personal data in terms of the security that must be applied to protect it and it is necessary to apply a wide range of security measures to meet these standards:

  • Data must be processed fairly and lawfully
  • Data must be processed in accordance with the rights and freedoms of data subjects
  • Data must be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage
  • Data must not be transferred to a country or territory outside the European Economic Area unless that country or territory protects the rights and freedoms of the data subjects.

The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest. They recently provided guidance around the use of cloud computing reiterating that the responsibility for data protection remains with the data controller (the enterprise). And particular consideration should be given to mitigating the security risks relating to personal data since foreign law enforcement agencies may have the power to demand access to personal data stored in a foreign data center. Failing to protect private data can result in ICO-levied fines.

What is an organization to do? Look exclusively at cloud solutions that are based wholly in the country where they operate? Avoid cloud services altogether? Both of these approaches are impractical. Enterprises need to adopt cloud-based solutions, the best ones available irrespective of location, in order to drive their businesses and remain competitive. So what to do? Technology in the form of Cloud Data Control Gateways (CDCGs) using a technique called tokenization can help.

CDCGs are increasingly being used by global organizations to meet data residency requirements. Using tokenization, where clear text data is replaced by a surrogate token (check out a cool infographic describing the technique here), sensitive data can remain physically onsite while only surrogate replacement tokens go to the cloud for processing and storage. This solution enables enterprises to use public cloud applications no matter where they are located because actual data never needs to leave their in-country data center where the tokenization process occurs. It is a simple and straightforward way to adhere to complex data residency/sovereignty requirements. For those concerned about the "Snowden Effect," the reality is that any requests for information through one of their US-based cloud providers cannot result in compromising customer or corporate data without the enterprise being part of the conversation.

Of course, not all tokenization technologies are created equal. This solution only works when it is designed and deployed properly so as to fulfill all data obfuscation goals and objectives. Most important, it needs to be part of a gateway approach that ensures that the functionality of the cloud application is not disrupted for cloud end users. For example, users need to be able to use the cloud as if the gateway was not in the middle of the equation at all (e.g., they need to be able to Search or Sort on data that has been tokenized).

Please check out our website, which offers more insights on data sovereignty and tokenization with specific pages addressing laws in a number of countries as well as sector-based requirements for verticals like Banking and Healthcare. We also provide various reference pieces, including a broader whitepaper, International Privacy Laws.

Read the original blog entry...


Perspecsys Inc. is a leading provider of cloud data tokenization and cloud encryption solutions that enable mission-critical cloud applications to be adopted throughout the enterprise. Cloud security companies like Perspecsys remove the technical, legal and financial risks of placing sensitive company data in the cloud. Perspecsys accomplishes this for many large, heavily regulated companies across the world by never allowing sensitive data to leave a customer's network, while maintaining the functionality of cloud applications. For more information please visit perspecsys.com or follow on Twitter @perspecsys.

More Stories By Gerry Grealish

Gerry Grealish is Vice President, Marketing & Products, at PerspecSys. He is responsible for defining and executing PerspecSys’ marketing vision and driving revenue growth through strategic market expansion and new product development. Previously, he ran Product Marketing for the TNS Payments Division, helping create the marketing and product strategy for its cloud-based payment gateway and tokenization/encryption security solutions. He has held senior marketing and leadership roles for venture-backed startups as well as F500 companies, and his industry experience includes enterprise analytical software, payment processing and security services, and marketing and credit risk decisioning platforms.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The Internet of Things (IoT) is about the digitization of physical assets including sensors, devices, machines, gateways, and the network. It creates possibilities for significant value creation and new revenue generating business models via data democratization and ubiquitous analytics across IoT networks. The explosion of data in all forms in IoT requires a more robust and broader lens in order to enable smarter timely actions and better outcomes. Business operations become the key driver of IoT applications and projects. Business operations, IT, and data scientists need advanced analytics t...
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
A producer of the first smartphones and tablets, presenter Lee M. Williams will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater. In his session at @ThingsExpo, Lee Williams, COO of ETwater, will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater.
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
While many app developers are comfortable building apps for the smartphone, there is a whole new world out there. In his session at @ThingsExpo, Narayan Sainaney, Co-founder and CTO of Mojio, will discuss how the business case for connected car apps is growing and, with open platform companies having already done the heavy lifting, there really is no barrier to entry.
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes about through a Communications Platform as a Service which allows for messaging, screen sharing, video...
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of streaming data in the cloud with an enterprise grade SLA. It features built-in integration with Azur...
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducted a live demonstration of how quickly application development can happen when the need to comply wit...
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, described how to revolutionize your archit...
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with APIs within the next year.
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Opening Keynote at 16th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, d...