Cloud, compliance, and control: why data sovereignty concerns are driving repatriation

More data may be stored in the cloud than ever before, but a growing number of organisations are repatriating data in the face of unforeseen challenges

240411 Quest Header A2 1

For a decade or more, it seemed like the cloud was being touted as the solution to everything - a solution for any business problem you could name.

The reality for firms that have embraced the cloud as part of their technology stack is somewhat mixed. Unexpected costs and hurdles have forced businesses to reexamine exactly where the cloud fits in their overall strategy, with some surveys reporting 70-80% of companies looking to repatriate data back out of the cloud each year.

Rather than retreating from the cloud in the face of complexities, business leaders should see this as a pivotal moment for strategic insight. Mastering both the technology and relevant data strategies will enable businesses not only to navigate potential pitfalls but also to leverage the cloud’s inherent flexibility, scalability, and access to cutting-edge technology. This approach transforms current challenges into dynamic platforms for innovation and sustainable growth.

The demand for data

Migrating data and services to the cloud has always come with its own challenges. Over time the nature of these has evolved: new technologies require refactoring existing codebases to take advantage of them; there’s more data than ever to collect, store and manage, and companies must deal with both variable demand volumes and individual demands requiring instantaneous responses.

As Dr. Michael O’Donnell, principal analyst at Quest Software puts it, many companies are faced with consumer demand for instant availability, at any time: “the application is always on, the servers are always on, there is no downtime. If there’s an interruption in service, that’s an interruption in your revenue stream. And that causes complexity when you want to move things.”

Complexity and challenges

The challenges in cloud migration are complex and interrelated - and it’s now not always a case of migrating to the cloud as much as it’s a case of migrating across cloud providers.

The difficulty is in how to manage the impact that the solution to one challenge has on the ability to manage all the other business challenges. A switch of provider to help cope with data storage costs might require a change to a codebase or risk an impact on service levels. Organisations want and need flexibility on where they put their data, that’s both production data and backup data, if a disaster recovery is needed.

A key challenge in recent years has been data sovereignty, as countries around the world have codified and strengthened laws around privacy and handling of personal data. For a firm that directly manages 100% of its tech stack and can, in theory, point to all the physical hardware it uses on a map, understanding whether there is compliance with the laws of a particular country is relatively straightforward. Once the tech stack, or any of it, moves to the cloud, compliance considerations expand: are all businesses’ cloud providers working within the relevant laws for all the markets it operates in? Has moving to the cloud simplified a technical challenge only to introduce uncertainty around legalities?

There’s also the issue of cost, which is not always as predictable with cloud providers as it might have been with traditional models, as O’Donnell points out: “It’s no longer a case of having a contract with a blanket ELA – yes there are service tiers, but most companies need elasticity so you’re subject to prices that fluctuate and then how do you manage costs? When it comes to cloud service providers are you better off consolidating your vendors, or is it ​​more beneficial to have competition?”

Cost is a huge driver of repatriation - 42% of firms responding to a 2022 survey cited unexpected costs and growing data volumes as reasons for moving off public cloud architecture.

In other cases, companies may have approached the cloud with unrealistic expectations. Too many imagine that simply moving everything they were already doing (“lifting and shifting”) onto the cloud will solve their problems without addressing existing technical debt, limiting the benefits, and potentially introducing new issues around latency and security.

O’Donnell makes the point that firms are taking on board what they saw happen to early adopters: “The lessons have been learned now, where they will do an assessment on whether something should move to the cloud. Is it better on premise? Or is it better on a private cloud? Different factors might drive that is, where is your data? Where’s your application? Is there movement between different places? Is re-architecting to Cloud Native required? What magnitude of refactoring is required?”

Taking back control

In the case of data repatriation, it isn’t necessarily a story about backing away from the cloud, but taking control of what the cloud is being used for, and even when it’s being used. There’s little indication of an overall retreat from the cloud, with 9 in 10 firms believing it is essential for growth.

Even where certain kinds of data are repatriated, in some cases firms may use a kind of hybrid system, O’Donnell explains: “It’s very easy to set-up that type of architecture with data replication; using the Cloud and your own physical servers (on-premises) together at the same time, where they’re a mirror copy of each other. If the cloud ever gets ‘too hot’, just turn it off, and we’re going to stay on premises.” The intent is to offer flexibility and give organisations what they need, where they need it, and when they need it.

O’Donnell believes there will also be a trend towards the use of multiple cloud service providers, where firms will make use of cloud service brokerages to switch between instances depending on the relative costs of using each vendor at a specific time, or under specific demand levels.

“We humans tend to want to simplify things, but when it comes to modern IT, sometimes the best thing to do is embrace the chaos,” says O’Donnell. “By forcing simplification, we tend to over constrain ourselves but by embracing chaos, it allows us the freedom to have multiple cloud service providers and to optimize our operations dynamically.”

Given that the choice for business leaders isn’t as clear cut as ‘to cloud or not to cloud’, what are the key things that businesses should take on board in the immediate future - what are market leaders getting right and what should other firms take from that?

The key thing for businesses is to consolidate their view of the organisation’s interconnected infrastructure and global systems, believes O’Donnell.

“By understanding where our data resides and the volume of data at each location, we can streamline our operations; data proximity to the end-user and the application infrastructure correlates to performance,” says O’Donnell. “So, if you move data further away from any of these, that’s going to impact performance. So having a 360 view of your data infrastructure is essential before making any change. You need to know what’s going to be impacted by any future change. Not just on performance but also regulatory impacts such as data sovereignty”

The guiding star of governance

Organisations trying to understand how to manage data sovereignty in the context of the cloud should invest in data governance, make sure they have people with the right skills and knowledge for the regulatory regimes they operate in. They will benefit tremendously from having a data lineage (for visibility) and data quality platform supporting data governance.

This knowledge should be both informing business decisions and separately ensuring that their data is AI ready. Training is crucial to ensure that there’s a wide understanding of the challenges. But it’s important to understand the challenges that any organisation has depending on where it operates and what it’s trying to achieve.

There isn’t necessarily a simple, one size fits all answer to issues presented by data sovereignty and the cloud. Instead, companies need to look at their own needs, their specific challenges and understand how the principles of data governance should drive their strategy.

Data repatriation isn’t necessary just because lots of firms are doing it - the important thing for data leaders is to understand what their firm needs - what data are they collecting, do they have appropriate data governance, do they know where the data lives at all steps in the process? This can have benefits not only in terms of the cloud, but in terms of better availability, visibility and understanding of data across the business.

As technology evolves, the benefits - and the understanding of the benefits - of being in the cloud, have evolved in tandem. Instead of just moving an existing tech stack to run on a cloud server, businesses are turning to cloud native architectures to help them scale their IT operations, meet increased demand, and improve overall performance. Doing so is essential if organisations want to truly benefit from the cloud.

“Organisations want to migrate quickly, effectively, and not have scope creep derail their projects. But so many organisations have migrated to the cloud and not modernised on that journey,” says O’Donnell. “To fully leverage all of the benefits of the cloud, organisations need to modernise their technology and architectures, and embrace the core principles of being cloud native.”

Rethinking how to utilise the cloud

The rise of data repatriation doesn’t indicate that the cloud has failed. Rather, it suggests that understanding of what the cloud can do, and how it should be leveraged has broadened over time. Even if this indicates a short-term tentativeness around how certain kinds of data are handled, over time it should be seen as an opportunity to develop a better understanding of how the cloud fits into wider organisational data strategies.

As much as data sovereignty may drive repatriation of certain kinds of data, it can also become part of how the cloud is used. Once a business has established the correct principles of governance and data sovereignty, it makes it clearer what should and shouldn’t be going into the cloud. This certainty is important if companies are to make the best use of technology on offer.

Organisations making the cloud part of their data strategy need to make sure that they have a clear data strategy in the first place, and that they’re employing people with right knowledge to understand all the implications of that strategy. Doing so will help set firms on the right path to take advantage of all the potential the cloud has to offer while minimising the risks.

To find out more visit