Welcome!

Microservices Expo Authors: Elizabeth White, Liz McMillan, Daniel Khan, Lori MacVittie, Pat Romanski

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Linux Containers, Cloud Security, @BigDataExpo

@CloudExpo: Article

Key Data Residency Requirements Global Organizations Need to Understand

…And some advice on how to satisfy them as you move to the cloud

One challenge more and more enterprises are grappling with as they plan to adopt the cloud is data residency & sovereignty. They are finding that if they want to use a cloud service hosted outside of their borders, life can become quite complex. Perhaps it is a result of the often discussed "Snowden Effect," but no one can deny that countries and regions are putting some strict guidelines in place to ensure privacy of sensitive data that is moving outside of their borders. These three examples are indicative of what I foresee we will be seeing much more of:

Australia: The Privacy Amendment Act
The Privacy Amendment Act introduced many changes to the original Privacy Act and just recently went into effect. The Act includes a set of new privacy principles that cover the processing of personal information by government agencies and businesses. The new principles are called jointly called the Australian Privacy Principles (APPs).

In the context of cloud adoption, agencies and businesses that deal with personal information are subject to APP8 (cross-border disclosure of personal information) which regulates the disclosure/transfer of personal information by an agency or business to a different entity (including a parent company) offshore. Before moving this type of data offshore, the Australian agency/business (Australian sender) must take reasonable steps to ensure the overseas recipient will comply with / not breach the APPs. The Australian Sender will remain liable for the overseas recipient's acts associated with any transferred personal information and, where relevant, be in breach of the APPs due to the overseas recipient's acts or omissions. In addition, APP11.1 (security of personal information) requires that an organization must "take reasonable steps to protect the personal information it holds from misuse".

Germany: The Federal Data Protection Act
Germany's Federal Data Protection Act is known as Bundesdatenschutzgesetz or BDSG, and these laws were reformed to cover a range of data protection-related issues. The key principles of the law state that organizations cannot collect any personally identifiable information without express permission from an individual (this includes obvious things like name and date of birth, as well as less obvious things like phone number, address and computer IP address). The permission that an individual grants must specify how, where, how long and for what purposes the data may be used and the individual can revoke the permission at any time.

Organizations must have policies, procedures and controls in place to protect all data types and categories that fall under the BDSG umbrella. Further, Germany does not recognize Safe Harbor regulations in the same way as other EU states (note - other EU states are re-examining this issue). It requires all parties involved in data transfer to assure that Safe Harbor requirements are met in a more formalized and structured manner.

In addition to the Federal Data Protection Act, components of the German criminal code regulate personal data protection, particularly for telecommunications, healthcare, and insurance companies. And all of the 16 German states have their own specific data protection laws pertaining to these areas.

United Kingdom: The UK Data Protection Act
The UK Data Protection Act is the UK's legislation covering the processing of data on people and is the main piece of legislation that governs the protection of personal data in the UK. The Act places clear demands upon those holding personal data in terms of the security that must be applied to protect it and it is necessary to apply a wide range of security measures to meet these standards:

  • Data must be processed fairly and lawfully
  • Data must be processed in accordance with the rights and freedoms of data subjects
  • Data must be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage
  • Data must not be transferred to a country or territory outside the European Economic Area unless that country or territory protects the rights and freedoms of the data subjects.

The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest. They recently provided guidance around the use of cloud computing reiterating that the responsibility for data protection remains with the data controller (the enterprise). And particular consideration should be given to mitigating the security risks relating to personal data since foreign law enforcement agencies may have the power to demand access to personal data stored in a foreign data center. Failing to protect private data can result in ICO-levied fines.

What is an organization to do? Look exclusively at cloud solutions that are based wholly in the country where they operate? Avoid cloud services altogether? Both of these approaches are impractical. Enterprises need to adopt cloud-based solutions, the best ones available irrespective of location, in order to drive their businesses and remain competitive. So what to do? Technology in the form of Cloud Data Control Gateways (CDCGs) using a technique called tokenization can help.

CDCGs are increasingly being used by global organizations to meet data residency requirements. Using tokenization, where clear text data is replaced by a surrogate token (check out a cool infographic describing the technique here), sensitive data can remain physically onsite while only surrogate replacement tokens go to the cloud for processing and storage. This solution enables enterprises to use public cloud applications no matter where they are located because actual data never needs to leave their in-country data center where the tokenization process occurs. It is a simple and straightforward way to adhere to complex data residency/sovereignty requirements. For those concerned about the "Snowden Effect," the reality is that any requests for information through one of their US-based cloud providers cannot result in compromising customer or corporate data without the enterprise being part of the conversation.

Of course, not all tokenization technologies are created equal. This solution only works when it is designed and deployed properly so as to fulfill all data obfuscation goals and objectives. Most important, it needs to be part of a gateway approach that ensures that the functionality of the cloud application is not disrupted for cloud end users. For example, users need to be able to use the cloud as if the gateway was not in the middle of the equation at all (e.g., they need to be able to Search or Sort on data that has been tokenized).

Please check out our website, which offers more insights on data sovereignty and tokenization with specific pages addressing laws in a number of countries as well as sector-based requirements for verticals like Banking and Healthcare. We also provide various reference pieces, including a broader whitepaper, International Privacy Laws.

Read the original blog entry...


Perspecsys Inc. is a leading provider of cloud data tokenization and cloud encryption solutions that enable mission-critical cloud applications to be adopted throughout the enterprise. Cloud security companies like Perspecsys remove the technical, legal and financial risks of placing sensitive company data in the cloud. Perspecsys accomplishes this for many large, heavily regulated companies across the world by never allowing sensitive data to leave a customer's network, while maintaining the functionality of cloud applications. For more information please visit perspecsys.com or follow on Twitter @perspecsys.

More Stories By Gerry Grealish

Gerry Grealish is Vice President, Marketing & Products, at PerspecSys. He is responsible for defining and executing PerspecSys’ marketing vision and driving revenue growth through strategic market expansion and new product development. Previously, he ran Product Marketing for the TNS Payments Division, helping create the marketing and product strategy for its cloud-based payment gateway and tokenization/encryption security solutions. He has held senior marketing and leadership roles for venture-backed startups as well as F500 companies, and his industry experience includes enterprise analytical software, payment processing and security services, and marketing and credit risk decisioning platforms.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
Ovum, a leading technology analyst firm, has published an in-depth report, Ovum Decision Matrix: Selecting a DevOps Release Management Solution, 2016–17. The report focuses on the automation aspects of DevOps, Release Management and compares solutions from the leading vendors.
Adding public cloud resources to an existing application can be a daunting process. The tools that you currently use to manage the software and hardware outside the cloud aren’t always the best tools to efficiently grow into the cloud. All of the major configuration management tools have cloud orchestration plugins that can be leveraged, but there are also cloud-native tools that can dramatically improve the efficiency of managing your application lifecycle. In his session at 18th Cloud Expo, ...
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
No matter how well-built your applications are, countless issues can cause performance problems, putting the platforms they are running on under scrutiny. If you've moved to Node.js to power your applications, you may be at risk of these issues calling your choice into question. How do you identify vulnerabilities and mitigate risk to take the focus off troubleshooting the technology and back where it belongs, on innovation? There is no doubt that Node.js is one of today's leading platforms of ...

Let's just nip the conflation of these terms in the bud, shall we?

"MIcro" is big these days. Both microservices and microsegmentation are having and will continue to have an impact on data center architecture, but not necessarily for the same reasons. There's a growing trend in which folks - particularly those with a network background - conflate the two and use them to mean the same thing.

They are not.

One is about the application. The other, the network. T...

DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
This is a no-hype, pragmatic post about why I think you should consider architecting your next project the way SOA and/or microservices suggest. No matter if it’s a greenfield approach or if you’re in dire need of refactoring. Please note: considering still keeps open the option of not taking that approach. After reading this, you will have a better idea about whether building multiple small components instead of a single, large component makes sense for your project. This post assumes that you...
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
Before becoming a developer, I was in the high school band. I played several brass instruments - including French horn and cornet - as well as keyboards in the jazz stage band. A musician and a nerd, what can I say? I even dabbled in writing music for the band. Okay, mostly I wrote arrangements of pop music, so the band could keep the crowd entertained during Friday night football games. What struck me then was that, to write parts for all the instruments - brass, woodwind, percussion, even k...
In his session at @DevOpsSummit at 19th Cloud Expo, Yoseph Reuveni, Director of Software Engineering at Jet.com, will discuss Jet.com's journey into containerizing Microsoft-based technologies like C# and F# into Docker. He will talk about lessons learned and challenges faced, the Mono framework tryout and how they deployed everything into Azure cloud. Yoseph Reuveni is a technology leader with unique experience developing and running high throughput (over 1M tps) distributed systems with extre...
SYS-CON Events announced today that Isomorphic Software will exhibit at DevOps Summit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Isomorphic Software provides the SmartClient HTML5/AJAX platform, the most advanced technology for building rich, cutting-edge enterprise web applications for desktop and mobile. SmartClient combines the productivity and performance of traditional desktop software with the simp...
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo Silicon Valley Call for Papers is now open.
Sharding has become a popular means of achieving scalability in application architectures in which read/write data separation is not only possible, but desirable to achieve new heights of concurrency. The premise is that by splitting up read and write duties, it is possible to get better overall performance at the cost of a slight delay in consistency. That is, it takes a bit of time to replicate changes initiated by a "write" to the read-only master database. It's eventually consistent, and it'...
Node.js and io.js are increasingly being used to run JavaScript on the server side for many types of applications, such as websites, real-time messaging and controllers for small devices with limited resources. For DevOps it is crucial to monitor the whole application stack and Node.js is rapidly becoming an important part of the stack in many organizations. Sematext has historically had a strong support for monitoring big data applications such as Elastic (aka Elasticsearch), Cassandra, Solr, S...
If you are within a stones throw of the DevOps marketplace you have undoubtably noticed the growing trend in Microservices. Whether you have been staying up to date with the latest articles and blogs or you just read the definition for the first time, these 5 Microservices Resources You Need In Your Life will guide you through the ins and outs of Microservices in today’s world.
This digest provides an overview of good resources that are well worth reading. We’ll be updating this page as new content becomes available, so I suggest you bookmark it. Also, expect more digests to come on different topics that make all of our IT-hearts go boom!
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor – all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
There's a lot of things we do to improve the performance of web and mobile applications. We use caching. We use compression. We offload security (SSL and TLS) to a proxy with greater compute capacity. We apply image optimization and minification to content. We do all that because performance is king. Failure to perform can be, for many businesses, equivalent to an outage with increased abandonment rates and angry customers taking to the Internet to express their extreme displeasure.
Right off the bat, Newman advises that we should "think of microservices as a specific approach for SOA in the same way that XP or Scrum are specific approaches for Agile Software development". These analogies are very interesting because my expectation was that microservices is a pattern. So I might infer that microservices is a set of process techniques as opposed to an architectural approach. Yet in the book, Newman clearly includes some elements of concept model and architecture as well as p...