Driven by changing privacy legislation and regulation around the world, digital sovereignty has become a major concern for organizations everywhere. According to the S&P Global Market Intelligence 2023 Data Threat Report custom survey commissioned by Thales, more than four-fifths (83%) of organizations are concerned about the effect of sovereignty and privacy legislation on their cloud deployment plans.
As a leader in helping organizations simplify governance, achieve regulatory compliance, and reduce risk in the cloud, Thales commissioned S&P Global Market Intelligence to write a Pathfinder Paper examining the various aspects of digital sovereignty. Some of its key findings, summarized below, can help organizations maintain digital sovereignty.
Privacy, Safety, and Trust
Privacy, safety, and trust lie at the heart of digital sovereignty. The General Data Protection Regulation (GDPR) is the most comprehensive legislative example of codifying these protections. Recent initiatives, including the European Union’s Gaia-X, France’s Cloud de Confiance, Australia’s whole-of-government initiative, and the Digital Operational Resilience Act (DORA), all build on the concepts of GDPR but go considerably beyond privacy protection into the field of data and digital sovereignty.
Digital sovereignty regulations mandate that specific restricted or classified data and workloads reside and run in designated geographic jurisdictions, and are accessed only by users in those geographies. The proliferation of these regulations is forcing enterprises globally to consider how they will act in each locally governed jurisdiction where they do business. However, when it comes to the cloud, that is easier said than done.
The Impact on Cloud Strategies
What complicates the situation is the high percentage of enterprises that are already multicloud. According to the Thales 2023 Data Threat Report, 79% of organizations use at least one public cloud provider, and respondents use 2.26 cloud providers on average. In the same study, 64% of organizations said that more than 40% of their sensitive data is stored in the cloud.
Cloud providers are very clear about their “shared responsibility” model: the provider is responsible for the security of the cloud, while the client is charged with security in the cloud, especially as it relates to data, workloads and access control. However, the 2023 Data Threat Report also showed that only 35% of enterprises were “somewhat” or “not at all” confident they can fully identify the location of their data across multiple repositories, and only 31% of respondents said they could fully classify their data.
Sovereignty Journey and Sovereignty Controls
Enterprises’ and cloud providers’ shared fate regarding sovereignty, and the process of working toward viable solutions, presents an opportunity. Since sovereignty is initiated by the enterprise and not the cloud provider, it is imperative that enterprises own and maintain sovereignty controls that are independent of any single cloud provider, whether global or local. By this definition, sovereignty controls are external to the cloud provider and internal to the enterprise.
Sovereignty is an essential first step in the cloud journey and should be implemented at the earliest opportunity. S&P Global Market Intelligence outlines the following steps for the digital sovereignty journey and the capabilities sovereignty controls should have:
The first step in the journey is to discover, assess the risk of, classify and protect sensitive data according to the specific regulatory requirements that apply to it. This must be an ongoing practice, with automated, continuous assessment enabling organizations to embrace the principles of privacy by default and by design.
By adopting a “think globally, act locally” design approach, centralized controls can more readily enable local enforcement and ensure sovereignty for specific regions. A variety of controls should be considered, such as:
- Encryption key control: Separation of duties for encryption keys between organizations and their cloud providers is arguably the most important operational sovereignty control. Organizations may consider various levels of encryption key control, ranging from “bring your own [encryption] key” (BYOK) and “hold your own key” (HYOK) to “bring your own encryption” (BYOE).
- Protect sensitive data throughout its life cycle: Data needs end-to-end protection, encrypted throughout its life cycle whether at rest, in motion or in use. Data-at-rest encryption protects stored data throughout its life cycle. Likewise, any time stored data is transmitted, the systems and networks carrying that data must also guard against data loss.
- Global / local design: By designing a global sovereignty strategy that is acted upon locally, enterprises stand a much greater chance of continued success. By avoiding one-off sovereignty initiatives, enterprises can avoid siloed sovereign clouds that may be too brittle to maintain in the long term and that invite poor optimization and misconfiguration.
- Control access and identities: Organizations need to apply role-based access control to all access to sensitive data. Access should be granted on a “least privilege” basis, and multi-factor authentication (MFA) should be adopted across cloud platforms to prevent unauthorized access.
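The three controls above (customer-held keys, encryption of stored data, and least-privilege access tied to a jurisdiction) fit together in one pattern: envelope encryption, where each object is encrypted with its own data-encryption key (DEK) and that DEK is wrapped by a key-encryption key (KEK) that never leaves a key service the enterprise controls. The cloud provider then stores only ciphertext and wrapped keys, and every read must pass through the enterprise's key policy. The following is an added illustration, not code from the paper or from any Thales product; the in-memory `CustomerKms` and `CloudBucket` classes, the key id `eu-records`, the region and principal names, and the sample record are all constructed for the example, and the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC so the script runs with the standard library alone (a real deployment would use AES-GCM inside an HSM-backed key manager).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# --- Toy authenticated cipher (stdlib only). Production systems use AES-GCM. ---

def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separated subkeys so the keystream and the tag never share a key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC as a PRF in counter mode: keystream block i = HMAC(k, nonce || i).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

# --- Enterprise-controlled key service (the HYOK side of the separation of duties) ---

class AccessDenied(Exception):
    pass

@dataclass
class KeyPolicy:
    regions: frozenset     # jurisdictions allowed to use this KEK (data residency)
    principals: frozenset  # identities allowed to use this KEK (least privilege)
    enabled: bool = True

@dataclass
class CustomerKms:
    """Hypothetical key service: KEKs live here, outside the cloud provider."""
    keys: dict = field(default_factory=dict)
    policies: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def create_key(self, key_id, regions, principals):
        self.keys[key_id] = secrets.token_bytes(32)
        self.policies[key_id] = KeyPolicy(frozenset(regions), frozenset(principals))

    def _authorize(self, key_id, principal, region, op):
        pol = self.policies[key_id]
        ok = pol.enabled and region in pol.regions and principal in pol.principals
        self.audit.append((op, key_id, principal, region, "allow" if ok else "deny"))
        if not ok:
            raise AccessDenied(f"{op} on {key_id} denied for {principal}@{region}")

    def wrap(self, key_id, dek, principal, region):
        self._authorize(key_id, principal, region, "wrap")
        return seal(self.keys[key_id], dek)

    def unwrap(self, key_id, wrapped, principal, region):
        self._authorize(key_id, principal, region, "unwrap")
        return unseal(self.keys[key_id], wrapped)

    def revoke(self, key_id):
        # Disabling the KEK makes every object wrapped under it unreadable at once.
        self.policies[key_id].enabled = False

# --- What the cloud provider holds: ciphertext and wrapped DEKs only ---

@dataclass
class CloudBucket:
    objects: dict = field(default_factory=dict)

    def put(self, name, plaintext, kms, key_id, principal, region):
        dek = secrets.token_bytes(32)  # fresh data-encryption key per object
        self.objects[name] = {"wrapped_dek": kms.wrap(key_id, dek, principal, region),
                              "ciphertext": seal(dek, plaintext)}

    def get(self, name, kms, key_id, principal, region):
        obj = self.objects[name]
        dek = kms.unwrap(key_id, obj["wrapped_dek"], principal, region)
        return unseal(dek, obj["ciphertext"])

def demo() -> dict:
    """Walk through allowed, out-of-region, wrong-principal and post-revocation reads."""
    kms, bucket = CustomerKms(), CloudBucket()
    kms.create_key("eu-records", regions={"eu-west"}, principals={"hr-app"})
    record = b"employee id 4711, salary band C"  # constructed sample data
    bucket.put("hr/4711", record, kms, "eu-records", "hr-app", "eu-west")
    results = {"in_region": bucket.get("hr/4711", kms, "eu-records", "hr-app", "eu-west")}
    attempts = [("out_of_region", "hr-app", "us-east"), ("wrong_principal", "analytics", "eu-west")]
    for label, principal, region in attempts:
        try:
            bucket.get("hr/4711", kms, "eu-records", principal, region)
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    kms.revoke("eu-records")
    try:
        bucket.get("hr/4711", kms, "eu-records", "hr-app", "eu-west")
        results["after_revoke"] = "allowed"
    except AccessDenied:
        results["after_revoke"] = "denied"
    results["plaintext_visible_to_provider"] = record in bucket.objects["hr/4711"]["ciphertext"]
    results["denied_attempts_logged"] = sum(1 for e in kms.audit if e[-1] == "deny")
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point to take from running it is where the control lives: the bucket never sees a usable key, so moving the ciphertext to another region or another provider gains nothing without a policy-permitted unwrap, every denied unwrap leaves an audit record on the enterprise side, and revoking one KEK withdraws access to everything wrapped under it without touching the provider's storage.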
Along with assessment and design, implementation must be a continuous phase in achieving sovereignty. As implementations mature, organizational effectiveness is measured by the controls applied, as well as by the ability and readiness to change those controls.
To dive deeper into each of the topics in the Pathfinder Paper, download your copy here.