Even with last month’s GDPR deadline now in the rearview mirror, data privacy, security and sovereignty remain under scrutiny and require every organization’s attention. Data sovereignty, the principle that digital information is subject to the laws of the country in which it is physically stored, has become a primary driver both of privacy-regulation enforcement and of controls that prevent stored data from being accessed or used in unauthorized ways.
Companies adopting public cloud SaaS solutions should have a strong understanding of how their proprietary information can be used and where it can be stored, as the rules and laws surrounding their cloud providers – and the countries in which they reside – vary from region to region. What do these enterprises need to consider when storing and securing their data?
Consider where and how your data will be stored. A virtual private cloud (VPC) hosted within a public cloud can be isolated to a degree comparable to your own private datacenter: your storage, network and compute are provisioned for you alone, so your data is not written to the same storage pool as other tenants’ data, and a failure in the application’s access control cannot expose it to another tenant. The caveat is that this isolation rests on the provider’s VPC and hypervisor boundaries, so it is only as strong as those controls. A VPC also lets you, rather than your cloud services provider, encrypt your data with encryption keys you own, and control every aspect of the encryption policy, including rotation and revocation.
For security-focused organizations, a VPC that they own and control is the preferred option for SaaS-style, cloud-based service delivery.
By contrast, in a multi-tenant SaaS model your data is stored in the same logical system, or “bucket,” as other organizations’ data, and separation is enforced only by the provider’s access control mechanisms. Co-mingling your data with others’ in a single bucket lets SaaS providers deduplicate multiple copies of the same file across tenants and minimize their storage costs. That cross-tenant deduplication is itself a known side channel: a tenant who uploads a file and observes that it is not transferred, or is accepted faster, can infer that another tenant already holds an identical copy.
Further implications of SaaS
Many SaaS providers support enterprise key management, allowing customers to administer and own their encryption keys. It sounds good, yet holding the “keys to the kingdom” does not remove the risk on its own. Large portions of the file services functionality (indexing, search, preview, sharing) run in the provider’s public cloud, and to perform that work the service must decrypt your data, so your keys, or data keys derived from them, are still used inside infrastructure you do not control. Key ownership limits what the provider can do after you revoke access; it does not prevent plaintext from being handled in the provider’s environment while the service is in use.
Enterprises need to do their research and confirm that their cloud service provider has not deployed logging or telemetry that collects customer content or metadata beyond what the service needs to operate. Such collection is intrusive and undermines both data security and privacy. It may seem unlikely, but the provider can be obliged by the laws of its home country to retain such records or to hand data over on request, regardless of where the data itself is stored. Ask explicitly what is collected, where it is kept, and under which jurisdiction’s lawful-access rules it can be disclosed.
A private SaaS model
CTERA today offers several deployment models for customers, including a private SaaS option that enables organizations to deploy modern cloud file services without having to own and manage their cloud infrastructure or compromise on security. Customers have access to a fully dedicated storage service hosted in a logically isolated VPC that effectively serves as an extension of the corporate datacenter. It’s our responsibility as the cloud provider to ensure continuous operation and uptime, while we leave it to the customer to retain full control over end-user management and IT-as-a-Service provisioning.
Furthermore, you can tell us where you want your data stored, so that you can comply with GDPR or any other regional compliance measure.
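The questions above reduce to a handful of checkable properties per dataset: which jurisdiction governs it, which region it actually sits in, who holds the encryption keys, whether the tenancy is dedicated or shared, and whether deduplication crosses tenant boundaries. The following Python script is an added example, not CTERA’s code or part of the original article; it evaluates a constructed deployment descriptor against a data-residency and key-control policy. The region labels, field names and policy thresholds are assumptions chosen for illustration, and the sample datasets are constructed.

```python
"""Data-sovereignty pre-flight check for a SaaS deployment descriptor.

Added example, not CTERA's code. The policy table, region labels and the
sample datasets below are constructed for illustration; a real check would
read the descriptor from the provider's API or contract schedule.
"""
from __future__ import annotations

from dataclasses import dataclass

# Jurisdiction -> storage regions the policy accepts for data governed by it.
# Region names are assumed labels, not tied to any particular provider.
ALLOWED_REGIONS: dict[str, set[str]] = {
    "EU": {"eu-west-1", "eu-central-1"},
    "US": {"us-east-1", "us-west-2"},
}


@dataclass
class Dataset:
    name: str
    jurisdiction: str     # law that governs the data, e.g. "EU"
    personal_data: bool   # in scope of GDPR or a similar privacy regime
    region: str           # where the provider says the data is stored
    key_owner: str        # "customer" or "provider"
    tenancy: str          # "dedicated" (isolated VPC) or "shared"
    dedup_scope: str      # "tenant" or "global" (across customers)


@dataclass
class Finding:
    dataset: str
    severity: str         # "high" blocks go-live, "medium" needs a risk decision
    message: str


def check_dataset(ds: Dataset) -> list[Finding]:
    """Return every policy violation for one dataset (empty list if clean)."""
    findings: list[Finding] = []

    # Residency: the data must sit in a region its governing law accepts.
    allowed = ALLOWED_REGIONS.get(ds.jurisdiction)
    if allowed is None:
        findings.append(Finding(ds.name, "high",
                                f"no residency policy defined for jurisdiction {ds.jurisdiction!r}"))
    elif ds.region not in allowed:
        findings.append(Finding(ds.name, "high",
                                f"stored in {ds.region}, outside {sorted(allowed)}"))

    # Controls that matter only once personal data is involved.
    if ds.personal_data:
        if ds.key_owner != "customer":
            findings.append(Finding(ds.name, "high",
                                    "encryption keys are held by the provider"))
        if ds.tenancy != "dedicated":
            findings.append(Finding(ds.name, "medium",
                                    "personal data on shared tenancy; isolation relies on provider ACLs"))
        if ds.dedup_scope == "global":
            findings.append(Finding(ds.name, "medium",
                                    "cross-tenant deduplication lets other tenants infer file presence"))
    return findings


def audit(datasets: list[Dataset]) -> dict[str, list[Finding]]:
    """Run check_dataset over a descriptor and index the findings by dataset."""
    return {ds.name: check_dataset(ds) for ds in datasets}


def blocking(results: dict[str, list[Finding]]) -> list[str]:
    """Names of datasets with at least one high-severity finding."""
    return sorted(name for name, fs in results.items()
                  if any(f.severity == "high" for f in fs))


# Constructed sample descriptor: one clean EU set, one misplaced EU set,
# one EU personal-data set on a shared multi-tenant service, one clean US set.
SAMPLE = [
    Dataset("hr-records", "EU", True, "eu-central-1", "customer", "dedicated", "tenant"),
    Dataset("marketing-assets", "EU", False, "us-east-1", "provider", "shared", "global"),
    Dataset("support-tickets", "EU", True, "eu-west-1", "provider", "shared", "global"),
    Dataset("us-payroll", "US", True, "us-west-2", "customer", "dedicated", "tenant"),
]

if __name__ == "__main__":
    results = audit(SAMPLE)
    for name, fs in results.items():
        for f in fs:
            print(f"[{f.severity}] {name}: {f.message}")
    print("blocking:", blocking(results))
```

Run as a script it prints each finding and the datasets that would block a go-live: in the sample, `marketing-assets` fails only on residency, while `support-tickets` fails on key ownership, tenancy and deduplication even though its region is acceptable. The point of separating `high` from `medium` is that residency and key control are usually hard requirements, whereas shared tenancy or global deduplication on low-sensitivity data can be an explicit, documented risk acceptance.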
But whether you work with us or any other provider, take a thorough look at your SaaS options, ask questions about every potential entry point to your sensitive data (administrative access, support tooling, logging and telemetry, lawful-access obligations) and investigate fully the provider’s compliance with data sovereignty regulations. Ultimately, it is your responsibility to understand the risks and rewards of engaging with any particular cloud service provider, and accountability for the integrity and safety of corporate data lies with you.