How does Data Sovereignty affect ELNs? And why do CIOs and IT Professionals need to care?
What is Data Sovereignty?
Data Sovereignty relates to the data location at a granularity sufficient for placing it within the borders of a particular nation-state. This subjects the data to the laws of the legal jurisdiction in which the server that hosts it is located, wherever that may be at any given time.
Why could Data Sovereignty issues now affect ELNs?
Until recently, most organizations would not have considered having an ELN hosted on a public site, due to concerns about their data integrity and mistrust of hosting-site security.
Now, with hosted multi-tenant ELNs coming online, some of those fears are decreasing for small companies and academic laboratories. This is driven by the low cost of a SaaS (software as a service) model.
There are still concerns for larger organizations in retaining their data on a public or multi-tenant infrastructure because:
- R&D Data is still considered to be of utmost importance; and
- Legal departments want to retain complete control of their organization’s data.
When ELN users span the globe, with both internal and external collaborators, the situation becomes a little more complicated. One issue in particular pertains to restrictive data sovereignty regulations.
So what does this mean and why should I care?
The most cited reason that data sovereignty is important is:
- To prevent that data from being subpoenaed by a foreign power (through legal mechanisms in the nation state where the data is stored, e.g. the U.S. with broad powers due to the Patriot Act) (Source http://gigaom.com/cloud/data-sovereignty-issues-still-weigh-on-cloud-adoption).
Data Sovereignty topics for discussion within an organization should include:
- Do you need to know where (geographically in the world) your data is being hosted?
- Are you prevented from storing certain data in particular places? What are the restrictions? Is metadata included in the restrictions?
- Do you need to restrict access to content from certain geographies?
- How much burden placed on the end user is acceptable? If items cannot be cached locally, will they accept latency, or will they try to circumvent the system and store things outside the sanctioned system, thereby breaking the rules?
- Have you found any conflicting regulations you are bound by, for example privacy laws in one country versus another that you do business in? How do you overcome these conflicts?
- On top of knowing where your data is and being able to control where it goes and is accessed from, are there other sovereignty issues faced by multi-national organizations?
These points raise questions for CIOs and other IT professionals related to ELN implementation. Is it possible to meet these challenges? If so, how?
Topics for discussion within the IT department (that might help understand the potential problem and some of the downsides) include:
- Data & content security / sovereignty / encryption
- Identity management / Authentication / Authorization
- Installation / deployment / patching
- Disconnected silos of information
- Administration overhead
- Network performance
- User Experience
IT departments will often try to address as many of these items as possible with their limited resources by configuring user permissions. Although configuring permissions may meet the short-term requirements, it is frequently not the appropriate solution. Permissions configured by hand in a live global solution are difficult, at best, to manage and police. Ideally, what is required is a single system that ‘knows’ what content to provide to users based on:
- Permissions - absolute collaboration permissions set by a user.
- Supplementary markings – Classification of content allowing content to be made available
- Geography – access depending on the user location (an external service understands where they are, and passes a user session variable)
- Clearance levels – Access depending on whether you are staff, a sub-contractor or a partner.
- Administrators - Should the Admin see data content while still being allowed to administer the data?
A framework of permissions, enabled through configuration and associated with users based upon content, location (within the ELN), geographic location, user role and other system-set parameters, ensures that regulations are more easily met with the fewest resources.
The concerns listed above in this article may seem to be a little far-fetched, but the implementation of data sovereignty controls is currently a high-priority active requirement for a number of organizations we are involved with within the ELN space and in other systems.
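The five factors listed above can be combined into one deny-by-default decision, sketched here as an added example that is not taken from the article or from any ELN product. The class names, the clearance ranking, the markings and country codes, and the choice to let an administrator manage a record without seeing its content are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ranking; the article names these roles but does not order them.
CLEARANCE = {"partner": 1, "sub-contractor": 2, "staff": 3}

@dataclass(frozen=True)
class Session:
    user: str
    clearance: str
    markings: frozenset           # supplementary markings the user may read
    country: Optional[str]        # set by the external location service; None if unknown
    is_admin: bool = False

@dataclass(frozen=True)
class Record:
    shared_with: frozenset        # collaboration permissions set by the record owner
    markings: frozenset           # every marking here must be held by the reader
    allowed_countries: frozenset  # where the content may be read from
    min_clearance: str

def decide(s: Session, r: Record):
    """Return (decision, failed_checks). All checks run so an audit log shows every failure."""
    failed = []
    if s.user not in r.shared_with:
        failed.append("permission")
    if not r.markings <= s.markings:
        failed.append("marking")
    if s.country is None or s.country not in r.allowed_countries:
        failed.append("geography")   # unknown location fails closed
    if CLEARANCE.get(s.clearance, 0) < CLEARANCE[r.min_clearance]:
        failed.append("clearance")   # unknown role ranks below every known one
    if not failed:
        return "content", failed
    # Assumption: an admin who fails a content check may still manage the record unseen.
    return ("administer-only" if s.is_admin else "deny"), failed

# Constructed sample data.
X = frozenset({"PROJECT-X"})
RECORD = Record(frozenset({"alice", "bob", "carol"}), X, frozenset({"DE", "FR"}), "sub-contractor")
SESSIONS = [
    Session("alice", "staff", X, "DE"),
    Session("bob", "staff", X, "US"),
    Session("carol", "partner", X, None),
    Session("root", "staff", frozenset(), "DE", is_admin=True),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.user, *decide(s, RECORD))
```

Returning the full list of failed checks rather than stopping at the first one gives the people who police the configuration a record of why each request was refused.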