Over the past few weeks, our UK team has been very excited about the expansion of our NewEdge infrastructure, specifically the addition of a new data centre in London. Knowing that this was the fourth data centre in the UK, I cornered our EMEA CISO Neil Thacker, and our new UK public sector lead Tim Parkins, to find out what all the fuss was about.
Emily: Can you explain to me, why is this fourth data centre in the UK so exciting? I read this blog post about NewEdge which told me that “understanding coverage isn’t just about counting data centres”… so what’s so cool about this one?
Neil: Our NewEdge infrastructure includes two different types of data centres, Data Planes (DPs) and Management Planes (MPs). You are right that we already have three Data Planes in the UK—two in London and one in Manchester, all “full compute” locations with the full stack of our security services available. These Data Planes handle our UK customers’ data traffic within the UK jurisdiction. But up until a month ago, we relied on European or rest-of-world data centres to provide the Management Plane.
Emily: OK, so this is the first UK Management Plane. Remembering that I do not have an engineering background, can you explain the difference?
Neil: Our Data Planes are the data centres through which our customers’ traffic traverses. They are where the traffic processing and security controls are applied. We locate Data Planes as close to our users and their office locations as possible, so our service can be as fast and low latency as possible. These Data Planes also have extensive interconnections and peering – remember we directly peer with Microsoft, Google, AWS, Salesforce, Akamai…all the major SaaS companies…in every location possible in order to optimise traffic from the Data Plane to the user’s ultimate destination for the best possible user and application experience.
If Data Planes process the actual traffic, then you can think of the Management Planes as the place where the administration of the customer’s tenant and Netskope services happens. Management Planes host the Netskope Admin UI, so this is where users get configured, policies are defined and it’s also where sensitive metadata and logs are stored. The Management Planes are also where Netskope’s out-of-band, API-based services and complementary solutions get delivered from (I won’t list those, but we are able to be really clear with customers about what goes where in our infrastructure, which is really important so customers can make informed decisions about what they use).
Emily: That makes sense (thank you for keeping it simple for me). So—given we have loads of customers in the UK, and only Data Planes over here until recently—presumably our service works just fine for UK customers when using any of our global Management Planes?
Neil: Sure it does, and we have hundreds of customers that can attest to this fact. But for some customers, especially those in highly regulated industries such as finance, government, or healthcare, data sovereignty and jurisdiction requirements encourage additional levels of geographic control over their data. For most organisations, a local Data Plane is sufficient to comply with all necessary laws and regulations about protecting and securing sensitive data. We designed our platform for “data minimisation” or “privacy by design.” Technical approaches like only storing transaction logs (not the original data file) and policies around data retention in the MP (wherever it resides), are typically good enough for the vast majority of organisations’ regulatory requirements and preferences. But not all….
Emily: Who are we talking about—who has more specific jurisdiction requirements?
Tim: For starters, UK public sector organisations. Or those who supply UK government departments and have to comply with the more stringent data supply chain guidelines that are a condition of those contracts.
Neil: Certain sectors can impose commercial terms restricting data transfers. This is typically based on relevant sector guidance (rather than laws) or general perceptions in relation to personal data that leaves the UK. A couple of good examples are the UK National Health Service’s NHS and Social Care Data: Off-shoring and the Use of Public Cloud Services Guidance and the Financial Conduct Authority’s Guidance for Firms Outsourcing to the Cloud and Other Third Party IT Services. In each instance, there is room for commercial interpretation which can sometimes lead to interpretations that data residency is optimal.
And it is also a consideration for any industry that might have specific laws around, for instance, export controls. We work with a large British defence supplier and the UK has laws around the export of both products and data which mean they prefer to be able to demonstrate that everything we are doing for them is happening on British soil.
Tim: The new NewEdge data centre in London is the final piece in the puzzle of our post-Brexit European network. For a long time, we have had Management Planes in Amsterdam and Frankfurt, which tick the compliance box for our EU/EEA customers. Plus we have one in Zurich because the Swiss financial sector needs local jurisdiction within Switzerland. We also have one in Riyadh for customers with the same concerns in the Kingdom of Saudi Arabia. And now we have London for the UK. We cover other regions as well of course, with Management Planes in strategic jurisdictions all over the world. We also ensure customers always have access to their company-specific logs and metadata in any of our Management Planes. This allows them, if needed, to download and store this data on-premises or in a local public cloud instance if required for their specific country. This isn’t just a UK issue and we are constantly evolving our infrastructure to address specific customer needs—as legislation imposes data sovereignty and jurisdiction requirements in different nations. We also have plans to add even more Management Planes, positioned in strategic locations around the world.
Emily: Is this how all SSE vendors organise their infrastructure?
Neil: I wish that was an easy question to answer. The reality is that other companies are often opaque about their infrastructure. For example, not always being clear about whether the data centre has “full compute” or all services available, or if it’s even accessible to all customers without additional surcharges or fees. And everyone uses different names for these data centre descriptions—in part because the data centre infrastructure is organised differently too. The thing is, working with so many large global customers—and national governmental departments around the world – we can’t afford to be opaque in this area. When I talk to customers and prospects our transparent infrastructure approach is definitely one of the things that attracts them to us for SSE and SASE.
Emily: OK so give us a couple of tips for things organisations can ask vendors to identify how a platform infrastructure complies with their specific regulatory requirements…
Neil: They should ask whether they are able to request and get access to event data, metadata, logs, and information on policy violations from their cloud security vendor. Even more importantly, they should confirm that end-user personal data can be limited to specific countries (whether that’s in the US, UK, Switzerland, Saudi Arabia or the EU—whatever jurisdiction they need). It’s also important that customers can define “zones” in which they want to contain their user