One Snowflake, A number of Vaults: A Resolution to Information Residency

Information residency necessities, which govern the place delicate information will be saved or processed within the cloud (or in an on-prem server) are a standard function of many fashionable information safety legal guidelines. Due to information residency necessities, the situation of delicate information has vital regulatory compliance implications in nations and areas around the globe.

On this publish, we’ll have a look at the challenges of managing information residency with Snowflake. We’ll begin by analyzing how Snowflake Cloud Areas tackle information residency challenges, and contemplate the compliance implications of this method — particularly when loading information from cloud storage. Then, we’ll have a look at the right way to simplify information residency compliance utilizing a number of regional information privateness vaults.

Let’s start with a deeper dive into information residency, and the way it impacts compliance.

If you work with personally identifiable data (PII), the place you retailer and course of this data has a direct affect in your authorized compliance necessities. Some jurisdictions have rules that govern the safety and privateness of their residents’ PII, limiting how and the place it’s utilized by companies and different organizations.

For instance, the private information (i.e., PII) of European Union residents can’t be transferred outdoors the EU with out acceptable safeguards.

The legal guidelines of every jurisdiction affect the way you transmit, handle, course of, and retailer delicate information in that jurisdiction. As a result of information residency dictates the place (geographically ) information is saved within the cloud, information residency turns into a essential concern in cloud environments that deal with delicate information.

Cloud service suppliers have information facilities situated in a number of areas around the globe. When companies join cloud providers and configure storage areas and different tooling, they choose particular areas the place their information is saved.

For a lot of companies, the collection of areas and places for information storage is an afterthought.

However, treating this determination as an afterthought is a expensive mistake that may come again to hang-out you if you happen to’re dealing with delicate information. That’s as a result of selecting storage areas is a weighty determination that may have a long-term affect on compliance, and on your online business operations.

Snowflake Cloud Regions allow you to select the geographic location the place your Snowflake information is saved throughout the info facilities supplied by the Snowflake-supported public cloud suppliers — AWS, GCP, and Azure. Every cloud supplier provides a set of areas throughout the globe, with particular geographic information middle places in every cloud supplier area.

Supply: Snowflake Documentation Supported Cloud Regions

If your organization makes use of Snowflake Cloud Areas, you’ve gotten your alternative of suppliers, in addition to areas the place your information will be saved. If you create an account to deploy and arrange Snowflake, whichever area you choose turns into the first location for information storage and for information processing sources.

At first look, it’d look like Snowflake Cloud Areas gives a easy, efficient answer to your information residency and compliance issues. However for international firms who want international analytics, it isn’t that straightforward. That’s as a result of, as famous within the Snowflake Cloud Areas documentation:

Every Snowflake account is hosted in a single area. For those who want to use Snowflake throughout a number of areas, you should preserve a Snowflake account in every of the specified areas.

Because of this for every area the place your online business operates that has information residency necessities, you’ll want a special Snowflake account hosted in that area. Compliance turns into more and more advanced as you scale globally to increasingly areas around the globe. With this method, working international analytics operations throughout totally different accounts to get a complete view of your online business could be a large and ongoing problem.

As a substitute of managing a number of Snowflake accounts with a number of Snowflake situations distributed in numerous areas around the globe, you’d quite preserve a Snowflake occasion in a single area to assist international information operations. Nevertheless, you continue to want to think about the necessity to honor information residency necessities for delicate information so you may uphold your compliance obligations and safeguard buyer belief.

For instance, if you happen to acquire the private information (PII) of consumers situated within the EU, however your Snowflake occasion is situated some other place, then that you must assume by way of the privateness and compliance affect of storing and processing that information.

Snowflake additionally lets companies load data from cloud storage services like AWS S3, Google Cloud Storage, Microsoft Azure — no matter which cloud platform hosts the companies’ Snowflake account. This will current further challenges when working to make sure information residency compliance.

For instance, let’s say that your organization collects PII from each US and EU prospects utilizing its web site. And, let’s say that this delicate information is then saved in a Google Cloud Storage bucket that’s situated within the AUSTRALIA-SOUTHEAST1 (Sydney) area.

How does transmitting this PII information to Australia, after which storing it in Australia, have an effect on your compliance with rules just like the EU’s GDPR?

The reply is: doing this probably places you out of compliance with GDPR. This is only one instance of how the situation the place delicate information is saved — and the place it’s processed and replicated — complicates the compliance necessities confronted by companies that deal with delicate PII.

Companies that deal with PII should guarantee regulatory compliance by aligning their alternative of cloud storage areas with the info residency necessities of markets the place they function.

And past compliance points, companies must also contemplate information switch prices. Transferring information between cloud storage areas can incur vital further prices, particularly if your organization is often transferring giant volumes of knowledge. So, we not solely have compliance issues with cross-border transfers of PII, we even have a price concern.

So, to briefly recap our drawback:

  • Nations and areas have their very own legal guidelines and rules that govern the right way to deal with their residents’ delicate information (PII).
  • The geographic location the place your online business shops and processes delicate information impacts whether or not you’re compliant with the information residency necessities of the markets the place you use.
  • For those who use Snowflake to carry out analytics on PII, then the complexity of assembly your compliance obligations will rely on the situation of your Snowflake account.
  • For those who load PII information into Snowflake from cloud storage, then your compliance obligations are additionally impacted by the situation of your cloud storage.

So, how can we meet information residency necessities, assist international analytics operations, and take away the operational overhead of managing a number of Snowflake accounts and situations?

We are able to resolve our information residency issues and shield delicate information with a number of information privateness vaults.

data privacy vault isolates, protects, and governs entry to delicate buyer information. Delicate information is saved within the vault, whereas opaque tokens that function references to this information are saved in conventional cloud storage or utilized in information warehouses. A knowledge privateness vault can retailer delicate information in a selected geographic location, and tightly controls entry to this information. Different programs solely have entry to non-sensitive tokenized information.

Within the instance structure proven beneath, a telephone quantity is collected by a entrance finish software. Ideally, we should always de-identify (i.e., tokenize) this delicate data as early within the information lifecycle as attainable. A knowledge privateness vault lets us do exactly that.

This telephone quantity, together with another PII, is saved securely within the vault, which is remoted outdoors of your organization’s present infrastructure. Any downstream providers — the applying database, information warehouse, analytics, any logs, and so forth. — retailer solely a token illustration of the info, and are faraway from the scope of compliance:

Instance of decreasing compliance scope with an information privateness vault

As a result of no delicate information is saved outdoors the info privateness vault, your compliance scope is restricted to only the vault. This removes the compliance burden out of your Snowflake occasion.

Instance pipeline the place delicate information is remoted and guarded inside an information privateness vault

To fulfill information residency necessities, we are able to lengthen this method through the use of a number of regional information privateness vaults positioned close to prospects whose information is topic to those necessities. With delicate information saved in these information privateness vaults, Snowflake accommodates solely de-identified, tokenized information. It not issues if you happen to function a single international occasion of Snowflake or a number of Snowflake accounts throughout totally different areas as a result of information residency issues not apply to your Snowflake situations.

Compliance with information residency necessities now relies upon solely on the place your information privateness vaults are situated. You not want to fret about information residency for all of the totally different elements of your information tech stack, together with cloud storage and Snowflake. All delicate information goes into your information privateness vaults, and these vaults grow to be the one part of your structure topic to information residency necessities.

With Skyflow Data Privacy Vault you may host your vaults in all kinds of areas around the globe. You too can route delicate information to an information privateness vault situated in a selected area for storage.

For instance, contemplate how the applying structure proven beneath helps information residency necessities from a number of areas:

Utilizing vaults to fulfill a number of information residency necessities for one Snowflake occasion
  1. Your organization’s e-commerce web site collects buyer PII at any time when a buyer locations an order.
  2. On the shopper aspect, the web site detects the shoppers’ location.
  3. Detecting that the client is within the EU, the client-side code makes use of Skyflow’s API to ship the PII information to your organization’s information privateness vault in Frankfurt, Germany.
    Be aware: For patrons primarily based within the US, the PII information is as an alternative routed to the info privateness vault within the US (on this case, Virginia).
  4. This EU-based buyer’s delicate PII is saved within the EU-based information privateness vault, and Skyflow’s API responds with tokenized information.
  5. The client-side code sends the client order request, now with tokenized information, to the server.
  6. The server processes the order, storing the info (now de-identified and tokenized) in cloud storage within the “Oregon, US” area.
  7. On the finish of the week, your organization’s Snowflake occasion in Tokyo, Japan, masses the info (already de-identified and tokenized) from cloud storage to carry out analytics.

Through the use of a number of vaults situated in numerous areas around the globe, you may simply handle all your delicate information to satisfy numerous information residency compliance obligations throughout every of your international markets.

The information privateness vault architectural sample vastly simplifies the challenges of knowledge residency and compliance. Moreover, by de-scoping Snowflake from the compliance burden of knowledge residency, international analytics executes as regular — inside a single Snowflake occasion.

Compliance rules and their information residency necessities require that companies uphold stringent requirements for information localization, safety, privateness, and safety to cut back their threat of breaches, penalties, and reputational harm. Nevertheless, companies with prospects (and information) situated in quite a lot of international areas face the added problem of managing a number of rules throughout jurisdictions.

Utilizing information privateness vaults lets companies simplify their international compliance obligations round information residency as they relate to Snowflake and cloud storage.

Utilizing an information privateness vault, firms can isolate and safe all delicate information in a number of information privateness vaults, eradicating Snowflake and cloud storage from their compliance footprint. On the similar time, by leveraging information privateness vaults in numerous areas, firms may also help be certain that delicate information is saved and transmitted in line with the legal guidelines and rules of every particular area the place they function.