Skip to content

Cloud Storage Data Residency: How To Achieve Compliance

Cloud storage is the ultimate in technology outsourcing. Business units and IT teams don’t need to know how the technology works or even where it is: to set up a cloud service; they just need a browser and credit card.

But this simplicity creates regulatory and security concerns, especially when it comes to cloud storage. The very flexibility of the cloud – where hardware can be anywhere in the world – makes it hard to comply with national laws that are, by their nature, based on fixed geography.

The question of where data is physically stored – “data residency” – cuts across a range of data privacy laws, regulations, and even organisations’ own terms and conditions.

So, the larger cloud providers give their customers at least some control over where data is stored. Other providers sell services tailored to the needs of highly regulated industries, such as healthcare or financial services.

In the cloud, data can be stored anywhere. The concept behind cloud computing is that the provider can allocate workloads and resources to fit their own technical and practical requirements. This allows for the cloud’s economies of scale. It also creates resilience. Cloud providers host data in multiple locations to ensure availability.

Indeed, a reason for firms to move data to the cloud is so it is physically separate from their own infrastructure. This is increasingly important to ensure business continuity and to deal with threats such as ransomware.

However, it is no longer the case that cloud providers simply put customers’ data anywhere they like. The growth of cloud computing and especially of the big three providers – AWS, Microsoft Azure, and Google Cloud Platform – allows cloud services to be large enough to offer customers some control over data residency without compromising economics or data protection.


Availability zones

AWS, for example, offers availability zones (AZs) in North America, South America, EMEA and Asia Pacific. In Europe, AWS has regions in Ireland, the UK (London), Frankfurt, Paris and Stockholm. Each region has three AZs.

Microsoft’s approach is similar to Azure regions and geographies. These, Microsoft says, “define disaster recovery and data residency boundaries” for Azure. Its availability zones are physically separate data centres within regions.

Google Cloud’s platform offers regions and zones, but the cloud service also provides highly detailed information on technical capabilities in each zone. For storage, all regions and zones offer local SSDs, for example. Not all offer GPUs for GPU-accelerated tasks.

The picture is slightly more complicated when it comes to buying cloud services through third parties where an application could be built on top of a public cloud provider’s services. This could be a software-as-a-service (SaaS) application, a collaboration tool or even data archiving.

In this case, it is the third-party service, not the hyperscaler, which decides where data is stored. So, customers need to check the data residency terms of the service they are buying, both in normal operations and to determine what would happen in the event of an outage.

Larger businesses, especially, will want to do their own due diligence on where data is stored, says Lee Sustar, a principal analyst at Forrester who leads cloud research. “You need to be prepared to validate that independently,” he says. “You can’t just rely on a set of generic documents.”

And, he points out, cloud computing is not static. The technology continues to evolve, with techniques such as object storage sharding dividing up data in new ways, and potentially bringing its own regulatory challenges.


Data residency and sovereignty regulations

Data residency and data sovereignty are increasingly governed by local laws. There is an increasing push towards data sovereignty, in part because of supply chain and security concerns.

As Mathieu Gorge, CEO at compliance experts Vigitrust points out, firms and governments alike are increasingly concerned about geopolitical risk. Firms also need to be aware of data adequacy requirements if they intend to move data across borders.

This could come into play if they move between hyperscaler regions and AZs, or change SaaS providers. “There is adequacy between the UK and EU, but you are still relying on clauses in the contract to demonstrate that adequacy,” he cautions.

Meanwhile, the challenge of data residency is becoming more complicated as more countries roll out data sovereignty regulations.

The article "Cloud Storage Data Residency: How To Achieve Compliance" was written by Stephen Pritchard

Subscribe to our blog.

Receive the latest information when you subscribe to our blog.