The notions of sovereignty and localization must be broadly applied when it comes to data centers since enterprises and governments are under tremendous pressure to establish and maintain trust around data, according to David Hirst, Group Executive of Macquarie Telecom Group.
Data centers, as a component of a much larger “ecosystem of trust,” he claimed, are crucial to the maintenance of trust surrounding data. This trust is primarily based on a symbiotic relationship between the customer and the data center service provider and is anchored on the management of the physical and logical security of a data center and its related infrastructure.
“Trust needs to be built and earned on a foundation of services and expertise that the data center operator takes accountability for, and which stacks up when independently verified,” said Hirst.
Hirst emphasizes the need to comprehend the entire security spectrum and notes that businesses frequently find it difficult to do so. Smart hands and feet are required in today’s data centers. Operators of data centers must show that they are liable for their own standards of data security and the management of operational data. A data center’s colo customers must be confident that the center’s entry points are safe, that firewalls are patched, and that backups are prepared.
Businesses today must take into account risks that are beyond their immediate control, just like in every other aspect of life. That includes addressing the impacts and knock-on effects of geopolitically motivated or activist-driven attacks on internet infrastructure or data.
“Data center operators obviously have a huge part to play here in protecting data and infrastructure at the level of the primary threat. If government agencies are disrupted from ensuring that open and fair information is shared with its citizens, businesses can also suffer as a result of misinformation,” says Hirst.
He claims that in order to prevent this ripple effect and to directly benefit the governments employing those centers, it is crucial to maintain the security and availability of those government operations and the data contained within them. This is where data center sovereignty, which is defined as preserving power and control over data within jurisdictional boundaries, comes into play.
In practice, this means that no data “at rest” or “in transit” should leave Australian jurisdictions without the owner’s or custodian’s express consent. Additionally, the infrastructure required to support sovereign data needs to be sovereign as well.
Data centers are the most concrete part of what is a long chain of interconnected duties, according to Hirst, who concludes by noting that he thinks the “data center trust ecosystem” is highly subtle and complex.
Commercial agreements, KPIs, and SLAs are of course the foundation for any data center operation’s definition of security and success. However, in his opinion, they are based on trust, with the data center operator, the colo clients, and their consumers all being represented.
“For customer organizations, there is only one question to consider, which is whether you can truly say that your data center partner today is your trusted partner.”
Data Residency vs. Data Sovereignty
Data Residency is concerned with the geographical location in which a business or other body physically stores its data for policy or regulatory reasons.
A data residency requirement only specifies where the data is physically stored. Unlike Data Sovereignty, Data Residency does not require that the data be subject to the legal protections and punishments of the resident country. In practice, Data Residency and Data Sovereignty are often confused with one another, largely because they are both aspects of international data privacy.
Australia’s national Data Residency and data localization rules, collectively known as the Australian Privacy Principles (APPs), are contained largely within two acts of Parliament.
Australia Privacy Act 1988: This act initially created the APPs and still stands as the cornerstone of Australian rules for the handling of personal data.
Privacy Amendment Act 2012: This act modified the original Privacy Act, including the introduction of new rules for the processing of personal information by corporate and government entities.
Other smaller amendments have also been made to the APPs since 1988. The Privacy Amendment Act 2017, for example, established the Notifiable Data Breaches (NDB) scheme.
This scheme introduced requirements for notifying affected individuals when their personal data was included in a data breach.