Data residency concerns are not so much a technology issue as a risk assessment and mitigation discussion
Large, global enterprises operate in an ecosystem governed by big data. Loss of enterprise data can seriously compromise long-term prospects, have an immediate impact on the viability of an organization, and become a security and publicity nightmare for the affected firm. Data residency concerns are a new normal of our times. Cloud-based services add multiple dimensions to this issue:
- Which applications and relevant data are suitable for a shift to the Cloud?
- How is my data transitioned to the Cloud?
- Where is it stored?
- What are the governance policies that protect the data? Is my data accessible to other platform residents?
- What happens when there is a breach of contract or termination of an agreement with a Cloud services vendor?
These are some of the commonly asked questions in my meetings with potential clients. I try to customize my responses to suit their context, but here’s what stays constant:
- Evaluating Cloud-readiness of enterprise applications is a simple matter of assessment. Not all data is suitable for cloud migration. Whether it is due to regulatory concerns or the sheer size of data, an assessment would be relevant to determine what should happen to data and where it should go. We offer our clients the Capgemini Cloud Assessment framework.
- Traditional data transition mechanisms are impractical and impose costs associated with delayed access and the risk of corruption or loss of data. These can be mitigated by deploying on-demand data transport solutions that transparently handle Cloud-specific input/output requirements. Many vendors like CastIron, Mulesoft, and Informatica offer integration solutions that can be carefully configured to ensure ETL operations pushing data to the cloud are properly handled.
- Once data is in the cloud, it can be accessed anywhere, but the geographical location of enterprise data is a hot topic of debate in both infrastructure services and regulatory circles. For example, Singapore requires all financial data be physically housed in Singapore. As a global enterprise, you’re subject to local regulation across operational regions. Compliance, however, is a function of selecting appropriate partners with a network of data centers across regions.
- Unless otherwise mandated by your collaboration requirements, your data is not allowed to co-mingle with that of other residents on the same platform. Cloud vendors implement multi-tenancy kernels that segregate data logically to prevent co-mingling. These kernels have been meticulously crafted to prevent cross-contamination of data and keep your data pristine. You can validate this beforehand with structured audits and by checking the ISO certifications of shortlisted vendors.
- At the end of the contract lifecycle, or after a breach resulting in termination, your data is subject to a legally binding SLA. Let’s be real, this is your data – should you decide to leave, you’re entitled to take all of it with you. Apart from a contract that explicitly underlines your ownership, what you need is due diligence on the retention policies of your provider. This can focus on the provider’s ability to perform a true deletion when required.
While legitimate, data residency concerns are not so much a technology issue as a risk assessment and mitigation discussion with your providers. As your organization progresses along the Cloud maturity curve, you will find some of these to be non-issues. There are, however, costs associated with due diligence and vendor selection or audits. As part of the Capgemini Cloud Assessment framework, we help our clients build a business case, an ROI roadmap to justify those costs and make the right choice for a successful cloud migration.