If you use several cloud services combined in one sequence of a business process, we speak of multi-cloud usage. The chances are high that the same data and cloud services are used in several of your company's business processes. Congratulations - you have internalized the cloud. And our condolences - you've reached the highest level of complexity for data protection.
While we have primarily dealt with the topic of data residency and the associated encryption issue in this trend blog so far, Part V will delve deeper into the special challenge of data protection in the multi-cloud. At the same time, we will show that the insights gained from this also lead to effective data protection while at the same time complying with data residency regulations. In order to make a generally valid statement, we assume the following scenario:
You are a European company with a local store with your local telecom provider, use an American CRM solution hosted in Ireland and order products from a Chinese provider whose solution runs on AliCloud in China. Your customers are primarily in Europe. These include citizens from all over the EU as well as locally based citizens from India, China, the USA and Canada.
The following challenges arise:
- You should not send any data about your customers, consisting of citizens of Europe, the USA and Canada, to the Chinese provider's solution.
- You should not store any data about your customers, which include citizens from Europe, China and India, in the American CRM solution. For European customers, data storage on the system in Ireland is justifiable because Ireland is subject to the GDPR. For citizens from India and China based in Europe, the situation is less clear.
These two entirely plausible restrictions alone highlight the problem of overlapping regulations. With unencrypted data, you run the permanent risk of violating regulations in the USA, Canada, India, China and/or Europe.
With unencrypted data, you run the permanent risk of violating one or more data residency regulations.
What would this look like with multi-cloud encryption?
You enter a new customer of Indian nationality, currently residing in Germany, in your CRM system. The BYOE encryption recognizes the corresponding nationality and uses the Indian key for the encryption of the PII (Personal Identifiable Information), which is compliant with Indian regulations. This customer now orders an item from China on your website. The store solution then triggers the order on the Chinese platform. The parcel is addressed so that it is sent to your German distribution center. The QR code refers to your CRM solution to identify the customer. The code is scanned in China. The CRM side recognizes the request, but authorizes the Chinese supplier as not eligible for PII of Indian citizens. Upon confirmation, only the German distribution center is displayed. Once in Germany, German customs scans the parcel. The official nature of the request from local authorities is recognized by the CRM solution and the real recipient's information is displayed to the customs officer. The cleared parcel is then sent to the distribution center. Here, the QR code allows the real delivery address to be printed on the parcel. Delivery then takes place.
If, on the other hand, the customer was a Chinese citizen and the request came from a Chinese exporter, the CRM system might decide differently and would already have displayed the real destination address.
The example is intended to show that different cloud instances, which operate with different keys, offer new possibilities for displaying data or not. If encryption is used in this way (e.g. on a country-specific basis), it substantially increases data security while at the same time complying with different national data protection and data residency laws.
If you have a similar multi-cloud situation with customers from all over the world, talk to us. We are looking for customers like you with the special challenges of tomorrow - to offer you the secure data protection of the future.
This was the provisional conclusion of the trend blog series "Data Residency". We hope we were able to bring in new perspectives and, ideally, point out solutions for your challenges in the areas of data security and data residency. Was the trend blog too complex, too simple, too superficial, just right, ...? We look forward to any constructive feedback.
DE 
EN 