Firms urged to adopt risk-based data sovereignty strategy

Organisations must adopt a balanced, risk-based approach to data sovereignty to navigate rising geopolitical tensions, according to a position paper based on research from Pure Storage and the University of Technology Sydney (UTS).

The research, which polled experts and practitioners across nine countries, including Australia, India and Singapore, was driven by a desire to bring depth to the subject, said Matt Oostveen, vice-president and chief technology officer for Asia-Pacific and Japan at Pure Storage.

“Transformation is a constant in our industry,” he said. “While the current issue is AI [artificial intelligence], IT leaders need to understand the successive waves of transformation and their implications.”

He contended that data sovereignty now sits at the intersection of three key trends: data sensitivity, covering everything from intellectual property to personally identifiable information; high public cloud adoption; and geopolitics, in which technologists can feel “like corks in the ocean” amid wars and trade disputes.

Pure and UTS aren’t the only ones concerned with these issues. Gartner has also observed that geopolitical uncertainty is boosting demand for sovereign cloud offerings, with a recent survey revealing that 60% of global respondents expect to increase their use of local or regional cloud providers as a result.

In a rare display of complete agreement, 100% of respondents in the UTS survey said data sovereignty risks, such as the possibility of service disruption or foreign influence, have prompted their organisations to consider where data is stored. The research also noted a new trend of addressing sovereignty issues in commercial agreements with providers.

“Geopolitics is not going away,” said Gordon Noble, research director at the UTS Institute for Sustainable Futures. He added that because organisations cannot change this reality, they must instead manage the risks that come with it.

On that point, 92% of respondents said not adequately dealing with data sovereignty concerns could lead to reputational damage, and 85% believed it would result in a loss of customer trust.

Oostveen suggested a spectrum of possible responses. At one end is “doing nothing”, a high-risk strategy with potentially devastating repercussions. At the other end is moving all workloads to infrastructure under complete sovereign control. He warned this is also risky, as unwinding an existing ecosystem of foreign providers might take five to 10 years and result in a loss of competitiveness.

The recommendation, therefore, is to take a balanced, hybrid approach based on a carefully thought-out data strategy.

The first step is a risk assessment involving non-IT leaders, including legal, finance, the CEO and the chief operating officer. This team must ask: What are the current workloads and where are they located? Does the criticality of each service and the sensitivity of its data mean it should be in a sovereign environment, or is the public cloud suitable? Noble warned that low data literacy within the organisation can be a barrier, as not everyone understands the issues involved.

Second, organisations must determine if a hybrid approach is viable. For example, do they have the tools to move workloads effectively between sovereign environments and the public cloud?

The third step is to evaluate available sovereign service providers. Oostveen said this involves significant due diligence, covering jurisdictional, compliance and operational issues. Noble added that procurement requires more thought than it has traditionally received. “You have to understand the risks and work out how to manage them,” he said.

Finally, prepare for regulatory changes. “No one quite knows where this is going to land,” said Noble. He noted that there is an “appetite for regulation” among individuals, and unless technology delivers great outcomes that build trust, further rules are likely.

According to Oostveen, a new era of data sovereignty has begun, marked by new legislation, a rebalancing of cloud workloads, and the rise of sovereign cloud providers. He urged technologists to take the lead and be custodians of change in the move towards data sovereignty.