How Data Sovereignty and Data Privacy Affect Your Kubernetes Adoption

In May, Meta was fined a record $1.3 billion for violating data sovereignty regulations by transferring user data from the European Union to the United States. While all companies might be affected by data privacy and data sovereignty rules, if you work in a regulated industry or government role, you have to take extreme care to ensure that data is managed and protected within sovereign boundaries.
Application modernization and the shift to Kubernetes and cloud native technologies create additional complications as you work to address data sovereignty requirements and simultaneously adapt to the rapidly evolving cloud native ecosystem.
Many organizations turn to public cloud services to help jumpstart cloud native efforts, but public clouds might not satisfy data sovereignty requirements, since they are unable to guarantee that data will remain within a country or region and be stored on infrastructure operated by sovereign citizens.
By ensuring regulatory compliance for a particular jurisdiction, sovereign clouds can satisfy data sovereignty and other regulatory requirements. If your organization operates in multiple jurisdictions, you can consider using sovereign clouds to address IT needs in those regions, especially regions where your operations aren’t large enough to justify the expense of a data center.
However, you need to make sure that any sovereign cloud you use also offers full support for the Kubernetes ecosystem, including management tools, so your modernization efforts aren’t hampered.
Regulated Industries, Sovereign Clouds and Kubernetes
According to this year’s State of Kubernetes survey by VMware, Kubernetes offers significant operational and business benefits for companies that adopt it, so there are good reasons for regulated industries to modernize.
In another data point from the survey, Kubernetes stakeholders said they are experiencing both direct and indirect business benefits that are hard to ignore.
As your applications are modernized, you need Kubernetes platforms and tools everywhere you operate. Choosing the right management tools is essential. For maximum benefits and minimum friction, you need the same tools everywhere, and those tools have to help ensure you don’t violate data privacy or data sovereignty regulations. Three attributes are especially important for regulated industries:
- Ability to standardize security policies
- Data protection with fine-grained control
- Automation for Kubernetes operations at scale
These capabilities can help you strengthen security, avoid data management mistakes that could violate sovereignty and avoid misconfigurations due to user errors.
A SaaS-based hub for multicloud, multicluster Kubernetes management is often a great way to simplify Kubernetes operations and deliver consistency and automation. However, if you’re in an industry concerned about data privacy and data sovereignty, SaaS might not be an option. In that case, you need tools that can address the unique concerns of your industry and that can operate everywhere you do.
Public Sector
Governments are tasked with storing a wide range of critical data — from the tax records of citizens to health information to national security secrets — and ensuring that all data is maintained securely within national borders and protected from both cybercriminals and international espionage. Software modernization is critical to these efforts. Although governments often face unique constraints, they need access to the same cloud technologies and cloud native methods as the private sector.
According to this year’s State of Kubernetes survey, government entities faced greater Kubernetes management challenges than any other industry, particularly meeting security and compliance requirements (81% of government respondents see this as a challenge, versus 52% overall) and integrating with current infrastructure (45% vs. 41%).
This is almost certainly due to the critical importance of security and the age and complexity of existing infrastructure combined with inadequate internal experience and expertise (65% vs. 57%). Governments are much more likely to operate on-premises or in a single public cloud, likely a sovereign cloud.
Financial Services
Global banks and financial services companies face significantly different challenges due to the need to operate in many jurisdictions, as well as substantial increases in regulation aimed at the industry. A large financial services company might have to comply with sovereignty laws in dozens of countries, and the regulatory environment is more onerous than in most other industries.
According to a 2021 report, 62 countries had imposed a total of 144 restrictions, double the number of restrictions that were in place just five years earlier. New regulations govern both personal data and finance data, including banking, credit reporting, financial, payment, tax, insurance and accounting.
The State of Kubernetes survey found that financial services companies face greater than average challenges (although less than the public sector) when it comes to integrating with current infrastructure and meeting security and compliance requirements. Inadequate internal experience and expertise are also a concern.
Financial services companies prefer commercial, third-party Kubernetes management tools versus open source tools and are more likely to operate in multiple clouds (86% vs. 76% of all respondents). Presumably, this includes sovereign clouds, since “enable data sovereignty” was given as a reason for multicloud operations by 36%, more than any industry outside of government.
Healthcare
While few healthcare organizations face the kind of multi-jurisdictional sovereignty complexities of global financial services, mandates for protecting patient data make data sovereignty and data security just as critical. As a result of the Covid-19 pandemic, new applications and functionality are being added at a faster rate than in the past.
For example, hospitals might want to deploy Kubernetes in multiple clinics in order to run new containerized software for booking appointments and scheduling vaccinations. Additional challenges in healthcare result from the need to connect new and old systems as well as cope with the unusually high rate of mergers and acquisitions in the healthcare industry.
As the walls of the traditional data center evaporate, the risk of data loss and the challenges of data privacy and sovereignty increase. Healthcare institutions must evolve legacy software and processes to meet new digital delivery demands while staying compliant with patient and data privacy regulations such as HIPAA in the United States and GDPR in Europe.