Data localization and the future of cloud security: challenges and opportunities

Thursday, 04 May 2023 07:57

Data localization and the future of cloud security: challenges and opportunities

GUEST OPINION: For those wondering, “What is data localization?” it is essentially the imposition of geographic, geopolitical, and legal constraints on data. It is about compelling organizations to store the data they obtain or generate from residents in a specific country within that country before it is transferred overseas. More importantly, it entails the need to subject such data to local laws and regulations.

Data localization mandates that people from whom data is obtained have a say, usually through their government, on how their data is stored, processed, and disposed of. It also aims to prevent the arbitrary handling of data by private entities and the possibility of governments where the data is stored to access or control the data.

Most organizations have their data hosted on servers abroad mainly because of cost-efficiency measures and the need for reliability. Established data hosting companies that offer competitive rates, uptime guarantees, and excellent technologies are usually among the usual data server industry world leaders, particularly in the United States, United Kingdom, Germany, and China. Most organizations in different countries that build their online presence or e-commerce sites usually put their data on servers in these countries.

The issue is that data localization laws threaten this status quo. Governments are moving to compel organizations that operate in their respective countries to store the data they generate, especially on local customer/user activity. This means that they have to use local web hosting providers or the local branches/affiliates of leading data hosting companies.

How data localization affects cloud security

So how does data localization affect cloud security? The impact of localization is observable in the application of varying laws on data. There are instances when local laws are different from regional and international legal requirements. For example, in Australia, there is a new law that allows the police to access social media accounts and change or delete user data. The law also makes it legal for law enforcement operatives to take over social media accounts and gather network activity information. These provisions are not compatible with data protection policies in the European Union and other parts of the world, which lean towards stricter data protection. They are similar to the policies in states like Russia and China.

The conflict in data security laws and policies makes it difficult for organizations to implement consistent cloud security rules. It can lead to confusion among customers who entrust their data to businesses that they presume to be mindful of security and privacy concerns.

The challenges

Forcing organizations to localize their data or some of their data (in the case of multinational companies that serve customers in various parts of the world) can pose several serious challenges. For one, it can expose data to vulnerabilities. Some areas do not have advanced enough security technologies to address emerging threats. The available data servers in a locality may not be using high-end encryption and intrusion detection and prevention systems. They may also have no access to up-to-date cyber threat intelligence and are resistant to adopting modern cybersecurity frameworks.

Data localization laws and weak cybersecurity rules are a dangerous combination. It would be reassuring if a country forces organizations into localization but ensures that the prevailing local cybersecurity laws are formidable and in line with the standards of security-conscious countries and regions. Otherwise, forced localization does not bode well for cloud security and cybersecurity in general.

To compensate for the technical inadequacies, organizations may have to implement highly complex systems to comply with data localization rules while implementing good enough security mechanisms. They may need to adopt layer upon layer of additional security controls. This compromise can make security more complex and may worsen data security outcomes.

The complexities can create confusion among IT or cybersecurity teams, and they end up operating less efficiently because of the information overload (alert fatigue) and the risks of using multiple disparate security solutions and tools.

Additionally, data localization limits scalability and flexibility. Organizations may have a hard time finding local data servers or cloud solution providers that can keep up with their rapidly changing requirements. It also curtails the flexibility afforded by untethered cloud services. Organizations will have to make do with the inferior analytics of local providers and the inability to take advantage of cloud computing’s distributed processing capabilities.

Ultimately, data localization means higher costs for data storage and processing. Being limited to using local data server providers means a significant reduction of competition, which naturally helps keep prices competitive. The need to implement additional security systems to address the limitations of local data solution providers also raises the costs further.

The opportunities

The challenges that come with compulsory data localization are a significant burden to many organizations, especially those that operate in multiple cross-border locations. However, there are some opportunities worth exploring. McKinsey names three main opportunities, namely customer experience optimization, compliance risk reduction, and possible reputational advantage.

With customer data stored and processed locally, customers may experience notably faster transaction processing time and better data protection. Businesses can achieve better data collection, storage, and processing when data is not stored at overseas servers, transferred to servers in another country, and processed somewhere else. Redundancy (to ensure high availability and protect against data corruption) becomes local, which also leads to faster transactions and improved customer experiences overall.

On the other hand, data localization may also help reduce data regulation compliance violations. By having data storage and security governed by the same local laws, organizations can focus on local legal requirements and be assured that they operate legally by being compliant with local laws. Local operations do not have to worry about simultaneously complying with multiple data-related regulations like GDPR and the various data privacy laws in the United States. The inconsistencies, if there are any, will be addressed by those in the upper management involved in multinational operations management. Branch operations can focus on their specific needs.

Moreover, businesses may use compulsory data localization as a form of reputational boost by highlighting the positive impact it brings to the local economy. Data localization implies that businesses are supporting local industries (local data servers and network infrastructure providers) while ensuring that customers’ data are safeguarded by locally-formulated policies. These may not be the most attention-grabbing marketing blurbs, but they can have some effective value when reaching out to potential local customers.

Locally-dependent cloud security

To be clear, data localization does not prevent organizations from using cloud services. They can store and process data through cloud solutions in compliance with localization requirements by choosing locally-based cloud providers. As such, both data security and cloud security are determined by local cybersecurity laws. Whether or not this is good for cloud security depends on the quality of local laws and regulations being enforced. It is advisable to view data localization with an open mind to learn to navigate through its challenges and explore opportunities.

Read 510 times

GARTNER MARKET GUIDE FOR NDR 2022

DOWNLOAD NOW!

PROMOTE YOUR WEBINAR ON ITWIRE

MORE INFO HERE!