By Khan Klatt, Director of Engineering, BitTitan
It's no secret we are awash in data. The wave, it appears, will
only grow. As
IDC pointed out last year, the amount of data that will be
created in the next three years will surpass all the data created over the past
30 years. Given this exponential increase, concerns around data storage and
migration have grown more urgent. This is why IT professionals and MSPs must
understand data sovereignty.
Data governance rules and regulations are evolving from region to
region. IT professionals and managers must know which critical questions to ask
before migrating data. This article will outline these questions and the best
practices for maintaining data sovereignty while moving data across geographic
regions. It's not always a simple proposition.
The
Complexities of Data Sovereignty
Data sovereignty promotes the common good. But the lawmakers who
create legislation meant to protect the data of citizens and companies aren't
always tech-savvy. As a consequence, the legal and practical realities of
sovereignty end up knotty and complex.
When migrating data, particularly from one location to another,
jurisdiction and regulations can create a highly complex web that is difficult
to negotiate. However, there are a few strategies that can help manage these
complexities, enabling service providers to abide by the law and securely
migrate data.
What to
Consider Before Moving Data
Three major considerations when migrating data are residency,
security and governance. Residency refers to the location and jurisdiction of the
data throughout the migration lifecycle. Security is about the technical
practices that lead to ensuring the data is safe, locked away from prying eyes.
And governance includes ensuring that only authorized users have access to the
data at any stage in the process.
Sometimes the very premise of moving data from point A to point B
can be problematic. Complexities spring up when data travels between geographies
and regulatory environments, especially when the migration involves
multinational or multi-regional organizations. The legal landscapes of these
different environments often change. It's vital to stay current on the latest
policies and laws.
Asking questions beyond "How do we get the data from point A to
point B?" is critical. IT administrators must work closely with legal
departments to understand and address concerns and issues. Approaches that
don't make extraneous copies of the data, merely facilitating the transfer from
source to destination, can be beneficial from a data-retention perspective and
should be preferred.
Critical
Questions to Ask
With any migration between regions and geographies, data
sovereignty must be top of mind. You don't want to encounter surprises after a
migration, realizing that you've unintentionally violated company policy or the
law. Breaking data sovereignty can put you and your company at fiscal and
criminal liability.
The time to answer questions about data migration is before the
migration happens. Most of the questions come down to one central principle:
data classification.
Not all data is created equal. By understanding the nature of the
data being migrated and classifying it, you can be aware of the differing
requirements for the data and take precautions for more sensitive data to
protect it as needed. For example, some sectors, like education, finance or
government, may require that all infrastructure and services are hosted in
their own country.
Depending on the type of data, there are different compliance
rules to follow, even within a single organization. Credit card data will
likely need different treatment than anonymized access logs. Or non-published,
public company financial data might be different from individual health care
records. There are also important distinctions between regional and
international laws.
Answering the following questions lets IT administrators craft a
plan to maintain data sovereignty.
-
What parts of your data are sensitive? Why is it sensitive? How
will you protect that data, and how will you need to handle each type of data
differently?
-
What data is moving? Administrators should consider whether they
need to transfer and retain all data. Anything transferred can become a
liability. Data that violates your data retention policy increases your risk.
Ensuring your data adheres to your policies before a migration can reduce your
overall migration scope and risk. If you don't need it, you might not want to
migrate it.
-
Who will have access to the data? Administrators should limit
access to only those who need it to complete the job. Consider who will have
access to your data. Migration is like a game of tag; if unauthorized parties
can touch your data, you've lost the game. The fewer the access points, the
more secure the migration will be. It's essential to understand how a migration
service handles credentials before signing the contract.
-
What happens to data while in transit? Will it be temporarily
stored somewhere? Once the migration is complete and the old infrastructure
decommissioned, make sure that any unnecessary data (or copies of data) are
destroyed. You don't want data living on a cloud server somewhere out of your
control.
Selecting a
data migration service
Much of data sovereignty comes down to location, where your data
will move, and where it will rest during and after the migration. Given this,
when looking for a migration tool, some critical questions to address are,
"Where do the services reside? And what paths and locations will the data
transit?"
Consider mitigating the risks from sharing access credentials. Who
outside your company will have credentials during and after migration? And how
are those credentials stored? If you can dedicate authentication credentials
just for the purpose of the migration, you can invalidate those credentials
when the migration project is completed. If not properly guarded and managed,
these credentials can be used to compromise source or destination data.
As the volume of data continues to grow, so do the stakes of
keeping that data secure and away from prying eyes. Whether it's the threat of
penalties from regulatory non-compliance, the massive hit to PR and brand
reputation from a publicized breach, or data ransom demands, protecting data
before, during and after a migration is more imperative than ever.
The key to any data security project is knowing enough about your
data to ensure that the proper practices and safeguards are in place. Make sure
you adhere to data retention policies. Understand how your data will transit
from source to destination, and know how you and your service providers protect
your data and credentials. Addressing these issues will help ensure your
migration is secure and successful.
##
ABOUT THE AUTHOR
Khan Klatt brings more than 25 years of diverse technology
experience to BitTitan in his role
as director of engineering. His
experience in strategic planning, management and architecture drives his
leadership of the company's development operations and release management,
including DevOps, security, software engineering and IT operations. Prior to BitTitan, Khan served leadership roles in the education
technology and digital media entertainment sectors.