With increasing adoption of cloud services by the modern enterprise, data sovereignty becomes more and more crucial due to the extension of the attack surface, and escalating technical challenges in addressing it.
Maintaining control over the Confidentiality, Integrity and Availability (CIA) of data can be a nightmare in our hybrid cloud world, where the data owner’s responsibility for and control over cloud resources and services can, by their nature, be limited.
This scenario opens the door to different standpoints, closely linked with data security, data protection, cloud computing, network, technological sovereignty and data sovereignty.
What is data sovereignty?
Since the introduction of GDPR and other data protection legislation worldwide, organisations have become directly responsible for their own data and for any breach related to it. These regulations have given the data protection world the concept of data sovereignty, whose main goals are to:
- Ensure and maintain data ownership.
- Maintain the value of the data within country boundaries.
- Protect privacy, ensuring that data is used only in accordance with strictly defined rules.
The main goal of the data sovereignty model is to prevent critical or sensitive data from accidentally or intentionally falling into the hands of an external or foreign entity without explicit consent, in violation of national laws and regulations. This introduces technical and legal challenges when moving workloads and data to the cloud.
How can we apply the data sovereignty model on our cloud transformation journey?
How data sovereignty impacts the journey to cloud
It is easy to see the impact of data sovereignty on the cloud journey just by thinking about cloud storage procedures. Firstly, data residency laws may require data to be stored in particular countries. This may restrict the locations where data may be processed and stored, influencing the cloud’s functionality, disaster recovery and business continuity measures. Secondly, access to and sharing of data may be impacted by data sovereignty. Local regulations may also mandate specific security measures to protect data, potentially impacting the functionality, administration and operation of business applications in multiple ways.
As we know, attackers have a cupboard full of colourful hats to wear, and the importance of data is transforming it into a new currency. This has led more than 100 countries to introduce data sovereignty measures in some form, by changing their existing laws or by introducing new legislation, forcing organisations to store citizens’ data in specific countries.
GDPR is the EU’s first foray into data sovereignty. It applies to the processing of EU residents’ personal data, regardless of where the data processing takes place.
The CLOUD Act, which entered US legislation in March 2018, does the same but also obliges US-based cloud providers such as Google, Microsoft and Amazon to give US law enforcement access to users’ data, even if it is stored in foreign countries, overlapping (or conflicting) with local data protection regulations.
Despite the weakness of technological measures and the confusion of overlapping regulations, it is still possible to map out a graceful cloud journey by adopting a structured data protection model.
A graceful cloud journey should start by considering the specific steps detailed below.
Building a graceful cloud journey
Bip CyberSec can evaluate cloud maturity using a tailored approach with initiative prioritization, helping the customer to DARE, bringing a multidisciplinary approach and providing a vendor-agnostic standpoint to embrace the cloud journey confidently.
We can support customers in implementing data protection solutions, relying on deep experience with the most recent leading, challenging and best-of-breed technologies in data security.
Outcomes and Benefits:
- Encryption solutions suited to customer needs.
- Design of use cases to be implemented in the technical solution (Transparent Data Encryption, Database Encryption, File System Encryption, Tokenisation, Data Masking and more).
- Design of test environment based on Thales KMS to support proof-of-concept execution.
- Definition of success criteria for PoC evaluation.
- Management of PoC setup and execution, focusing on rekey/key rotation functionality, latency verification and integration with existing platforms such as PAM and SIEM.
- Operational guidelines and processes to use selected solutions in the production environment.
With our aid, your organisation can define a customized cloud strategy and upgrade your cybersecurity framework to address the challenges of multi/hybrid cloud environments. Having worked with you to define the strategy and business goals, Bip will help to release the cloud security “hardening” guidelines, translating the high-level requirements into technological steps, procedures and configurations to secure your cloud environments.
Outcomes and Benefits:
- Definition of Tailored Standard approach to customer cloud security challenges.
- Enable and guide the cloud foundation.
- Definition of a cloud security framework and guidelines based on the Bip framework, which leverages leading security standards and cloud vendors’ best practices, tailored to local regulatory, environmental and business requirements.
- High-level analysis of the context, based on the collected documentation and through meetings and workshops to establish an effective framework of controls applicable to the client context.
- Analysis of existing security policies and frameworks to identify security principles and security technical controls to be added or changed according to Bip methodology.
See our offering here and contact us to talk with our cybersecurity and data sovereignty experts.