Data… where has it been, and where is it going?

10 June 2022

Neil Thacker, chief information security officer

Neil Thacker, chief information security officer

In the early days of the cloud, keeping a close track of data flows was at the forefront of every IT and security leader's mind. Promising a data transportation revolution, the cloud necessitated new levels of vigilance in order to keep on top of the flow of information, and the demand for visibility increased amongst CISOs. With the introduction of GDPR to the data landscape, alongside increasing cloud adoption, it became a legal obligation for organizations to understand and manage the flow of their data to ensure compliance.

Today, however, as we approach the era of cloud-first computing, the monitoring of data flows has fallen in priority for many. Explaining to stakeholders and fellow CISO’s why they should care about the geolocation of data can feel like a mean feat - but in the current climate of geopolitical instability, properly managing and mapping data flows is no longer optional, but a matter of critical security.

The movement of data through the cloud occurs at almost every business. Whether that’s sharing files between departments and agencies or collaborating with supply chain partners internationally, the transfer and flow of data is a crucial function of conducting business. Unfortunately, the ubiquity of the cloud has brought with it a false sense of security and there's a growing misplaced assurance on data residency, the actual location of your data, and data sovereignty, the laws and governance structures your data is subject to.

Given the current geopolitical situation, IT and security leaders need to open their eyes to their data’s location. In a legislative sense, it’s critical that leaders have full visibility of the regions their data is passing through, being transferred to, and originating from. On the surface, it may seem obvious: you’re a company based in the UK, using a cloud service provider based in the US - that's two locations through which your data flows, right? Wrong. Your data will likely pass through a myriad of locations, especially in the world of cloud processors and sub-processors, which may be spread across the globe. During periods of sustained geopolitical unrest, this places your data, and therefore your business, at risk. For the purposes of legal, regulatory, and internal data protection, context is key, and closely managing where data is stored, processed and archived is critical.

So, how can IT and security teams better keep a track of their data flows? The key is taking a data-centric approach to security. It's important to implement systems that allow you to follow your data from and to user locations as well as to and from cloud applications. 


Throughout the data journey, you can see where various policies are triggered and applied as information passes through different regions. These policies can manifest in a number of ways, from user education reminders, to completely blocking traffic all together. Being able to closely monitor this journey allows security teams to gain clear insight into the flow of data, meaning they can intervene in regions that could cause potential issues, or where malware is attempting to propagate from apps as it is from Amazon S3 in the above example, and enforcement and education policies can be applied.

In today’s interconnected world, taking an ongoing, data-centric approach to information mapping is crucial as it offers the visibility you need to secure a global cloud perimeter, manage migrations, and avoid potential legal ramifications. In addition, continuous security assessments help you navigate the risks associated with rising geopolitical tensions, and safeguard other potentially contentious data journeys, such as your supply chain.

It’s important that we as a community begin the process of rearming ourselves with awareness and oversight of data movements. We have to acknowledge that information is no longer static, but constantly flows through third-party cloud services and data centres around the world. This process of re-education and reappraisal could save your organization from a potential data disaster.