Virtualization Technology News and Information
Data Sovereignty: Critical Questions to Ask When Planning a Migration

By Khan Klatt, Director of Engineering, BitTitan

It's no secret we are awash in data. The wave, it appears, will only grow. As IDC pointed out last year, the amount of data that will be created in the next three years will surpass all the data created over the past 30 years. Given this exponential increase, concerns around data storage and migration have grown more urgent. This is why IT professionals and MSPs must understand data sovereignty.

Data governance rules and regulations are evolving from region to region. IT professionals and managers must know which critical questions to ask before migrating data. This article will outline these questions and the best practices for maintaining data sovereignty while moving data across geographic regions. It's not always a simple proposition.

The Complexities of Data Sovereignty

Data sovereignty promotes the common good. But the lawmakers who create legislation meant to protect the data of citizens and companies aren't always tech-savvy. As a consequence, the legal and practical realities of sovereignty end up knotty and complex.

When migrating data, particularly from one location to another, jurisdiction and regulations can create a highly complex web that is difficult to negotiate. However, there are a few strategies that can help manage these complexities, enabling service providers to abide by the law and securely migrate data.

What to Consider Before Moving Data

Three major considerations when migrating data are residency, security and governance. Residency refers to the location and jurisdiction of the data throughout the migration lifecycle. Security is about the technical practices that lead to ensuring the data is safe, locked away from prying eyes. And governance includes ensuring that only authorized users have access to the data at any stage in the process.

Sometimes the very premise of moving data from point A to point B can be problematic. Complexities spring up when data travels between geographies and regulatory environments, especially when the migration involves multinational or multi-regional organizations. The legal landscapes of these different environments often change. It's vital to stay current on the latest policies and laws.

Asking questions beyond "How do we get the data from point A to point B?" is critical. IT administrators must work closely with legal departments to understand and address concerns and issues. Approaches that don't make extraneous copies of the data, merely facilitating the transfer from source to destination, can be beneficial from a data-retention perspective and should be preferred.

Critical Questions to Ask

With any migration between regions and geographies, data sovereignty must be top of mind. You don't want to encounter surprises after a migration, realizing that you've unintentionally violated company policy or the law. Breaking data sovereignty can put you and your company at fiscal and criminal liability.

The time to answer questions about data migration is before the migration happens. Most of the questions come down to one central principle: data classification.

 Not all data is created equal. By understanding the nature of the data being migrated and classifying it, you can be aware of the differing requirements for the data and take precautions for more sensitive data to protect it as needed. For example, some sectors, like education, finance or government, may require that all infrastructure and services are hosted in their own country.

Depending on the type of data, there are different compliance rules to follow, even within a single organization. Credit card data will likely need different treatment than anonymized access logs. Or non-published, public company financial data might be different from individual health care records. There are also important distinctions between regional and international laws.

Answering the following questions lets IT administrators craft a plan to maintain data sovereignty.

  • What parts of your data are sensitive? Why is it sensitive? How will you protect that data, and how will you need to handle each type of data differently?
  • What data is moving? Administrators should consider whether they need to transfer and retain all data. Anything transferred can become a liability. Data that violates your data retention policy increases your risk. Ensuring your data adheres to your policies before a migration can reduce your overall migration scope and risk. If you don't need it, you might not want to migrate it.
  • Who will have access to the data? Administrators should limit access to only those who need it to complete the job. Consider who will have access to your data. Migration is like a game of tag; if unauthorized parties can touch your data, you've lost the game. The fewer the access points, the more secure the migration will be. It's essential to understand how a migration service handles credentials before signing the contract.
  • What happens to data while in transit? Will it be temporarily stored somewhere? Once the migration is complete and the old infrastructure decommissioned, make sure that any unnecessary data (or copies of data) are destroyed. You don't want data living on a cloud server somewhere out of your control.

Selecting a data migration service

Much of data sovereignty comes down to location, where your data will move, and where it will rest during and after the migration. Given this, when looking for a migration tool, some critical questions to address are, "Where do the services reside? And what paths and locations will the data transit?"

Consider mitigating the risks from sharing access credentials. Who outside your company will have credentials during and after migration? And how are those credentials stored? If you can dedicate authentication credentials just for the purpose of the migration, you can invalidate those credentials when the migration project is completed. If not properly guarded and managed, these credentials can be used to compromise source or destination data.

As the volume of data continues to grow, so do the stakes of keeping that data secure and away from prying eyes. Whether it's the threat of penalties from regulatory non-compliance, the massive hit to PR and brand reputation from a publicized breach, or data ransom demands, protecting data before, during and after a migration is more imperative than ever.

The key to any data security project is knowing enough about your data to ensure that the proper practices and safeguards are in place. Make sure you adhere to data retention policies. Understand how your data will transit from source to destination, and know how you and your service providers protect your data and credentials. Addressing these issues will help ensure your migration is secure and successful.  



khan klatt 

Khan Klatt brings more than 25 years of diverse technology experience to BitTitan in his role as director of engineering. His experience in strategic planning, management and architecture drives his leadership of the company's development operations and release management, including DevOps, security, software engineering and IT operations. Prior to BitTitan, Khan served leadership roles in the education technology and digital media entertainment sectors.

Published Friday, June 25, 2021 7:31 AM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<June 2021>