Grounded in the Cloud

Cloud Security 101: What is Data Sovereignty?


This is the fourth blog of a series that provides the basics of information security in the cloud. In this series, we will provide definitions and best practices for many of the elements that should be considered as part of a cloud security program. In addition to a blog, each topic will also have a short video, providing some additional information on the subject. The previous blog and video discussed the topic: "What is Cloud Compliance?" In this installment, we will be discussing the topic: "What is Data Sovereignty?"

Data sovereignty is the discussion around how data that has been converted into some digital form is covered by the laws and regulations of the jurisdiction in which it is located. The rules and regulations that are generally part of any data sovereignty discussion are in a near constant state of change.

For a little historical background, in July 2000, the United States and the European Commission agreed on what came to be known as the Safe Harbor privacy regulations (see more about this in my blog next week). In October 2015, those regulations were invalidated by the European Court of Justice, requiring the US and the EU to come up with a new arrangement. In February 2016, they came to a tentative agreement (called the Privacy Shield), only to find out in April 2016 that the agreement still did not provide adequate privacy guarantees.


So it is back to the drawing board for US and EU regulators to reach some sort of compromise on how data will be treated and governed.

There are significant issues with these types of regulations, primarily due to the cultural differences and perceptions on how data is to be treated. From a US perspective (and for full disclosure: I am from the US), we tend to have a more open approach about data and social media. This allows companies to use data more liberally, without necessarily getting explicit permission from the individual on how data might be used. In many European countries, data privacy is a much more serious topic. Companies are required to delineate how an individual’s personal information will be stored and used, with strict fines for misuse.

As it is an election year in the United States, it is very unlikely that Congress will be able to act upon data sovereignty issues until the next term (after the election). Businesses, therefore, will continue to wait until next year for the laws and regulations around data privacy and data sovereignty to be finalized.

Understanding how these types of data sovereignty regulations affect a company’s data and business models is important when making cloud infrastructure decisions, and is an important consideration for its overall security vision and architecture.

For the next blog in this series, we will discuss the cloud security topic: "What are Safe Harbor and GDPR Regulations?" To learn more about hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security. To find the additional parts, please search for Cloud Security 101.

About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
