
Compliance in the Cloud: Data Locality / Residency


This is the sixth blog in a series of blogs and podcasts that provides information surrounding the concepts of compliance in a cloud environment. In this series, we will provide greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed "Security vs Compliance". In this installment, we will be discussing the topic: "Data Locality / Residency".


Data residency is the conversation about where a company’s data specifically resides, and the rules / regulations surrounding what can be done with that data. Data locality is generally the conversation about how data should be stored near to where it is being processed, and often has connotations about performance in the cloud space. It also sometimes has a different meaning that refers to where data is stored as it relates to compliance.

For clarity’s sake, I will use the term data residency for most of this blog.

Many countries around the world are establishing or revising regulations about how data should be dealt with. I have previously written about the EU’s GDPR regulations, as well as the Safe Harbor / Privacy Shield agreements between the United States and the EU. There are many others, and the rules are constantly evolving to deal with new technologies and threats.

I also shared an idea once when I sat on a data sovereignty panel regarding data residency. It is worth a read and has generated a great deal of debate in security circles. In summary, a possible solution to the data residency concerns is proper data encryption:

  • You can use encryption to protect your data, regardless of the location.
  • The data would be protected, regardless of the location, so long as you had (and properly protected) the encryption key.
  • The data without the encryption key — regardless of the location — is useless.

The crux, then, is establishing controls for encryption key management that are aligned to information security best practices: how encryption keys are stored, where the keys are stored, and how the data is being used once it is decrypted.

If these considerations are implemented, it seems that it should make very little difference where data resides.
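To make the key-custody point concrete, here is an added example (not code from the original post) of the separation it describes: the stored record can sit in any region because it holds only ciphertext and a wrapped data key, while the key-encryption key never leaves an in-region custodian. The custodian class and an HMAC-based keystream (standing in for AES-GCM so the sample runs on the standard library alone) are assumptions of this illustration.

```python
import hashlib
import hmac
import os
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; an illustrative stand-in for a real AEAD.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag over nonce+ciphertext
    return nonce + ct + tag

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyCustodian:
    """Hypothetical in-region KMS/HSM: the key-encryption key (KEK) is created here and never exported."""
    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
    def wrap(self, dek: bytes) -> bytes:
        return _seal(self._kek, dek)
    def unwrap(self, wrapped: bytes) -> bytes:
        return _open(self._kek, wrapped)

def store_abroad(custodian: KeyCustodian, plaintext: bytes) -> dict:
    """Build the record that may reside in any jurisdiction: ciphertext plus the wrapped data key, no clear key material."""
    dek = secrets.token_bytes(32)  # per-record data-encryption key
    return {"ciphertext": _seal(dek, plaintext), "wrapped_dek": custodian.wrap(dek)}

def read_with_custodian(custodian: KeyCustodian, record: dict) -> bytes:
    """Only a party the custodian will unwrap for can read the data, wherever the record is stored."""
    return _open(custodian.unwrap(record["wrapped_dek"]), record["ciphertext"])

def readable_without_custodian(record: dict) -> bool:
    """Holding the stored record alone (a different custodian's KEK) yields nothing: the wrapped DEK fails to unwrap."""
    try:
        read_with_custodian(KeyCustodian(), record)
        return True
    except ValueError:
        return False
```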

Of course, it is not that easy.

First, this concept has never been examined in a court in any country (that I know about). It would require a company to fight poorly written legislation or rules, and then hope that a technically minded judge and jury were able to understand how encryption really works.

Second, it is likely easier to just comply with the legislation as written. The fines for non-compliance are onerous, and the legal fight will be even more costly. Compliance, on the other hand, is fairly well understood, and there are numerous third-party services that make compliance extremely achievable.

Last, while the security community may appreciate the challenge (on the basis of technical merit alone), the other court – the court of public opinion – makes it unlikely that the company pursuing such a challenge will ever be viewed favorably.

As the regulations continue to change and become ever more complex, it stands to reason that an entity will use this logical argument to potentially fight a legal challenge. Companies should continue to monitor data residency regulations and evaluate the impact they have on their business, today and in the future.

For the next blog in this series, we will discuss the compliance topic: "Key Compliance Considerations". To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the additional parts of this series, please search for Compliance in the Cloud. Click here to find a list of all of Chris Steffen’s blogs on Grounded in the Cloud and here for his posts on his Medium site.

About the Author


Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert, and has multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
