According to the World Economic Forum, digital sovereignty refers “to the ability to have control over your own digital destiny – the data, hardware and software that you rely on and create”. As data continues to grow exponentially and modern organizations rely more and more on digital platforms, there is a growing need for digital sovereignty across nations.
But why is sovereignty a challenge?
Today the World Economic Forum estimates that over 92% of all data in the western world is stored on servers owned by US-based companies. European governments' anxiety over the control and privacy of this data was a major factor in the introduction of the General Data Protection Regulation (GDPR).
However, it wasn’t until the Court of Justice of the European Union invalidated the EU-US Privacy Shield in 2020 with its Schrems II ruling that digital sovereignty became an urgent topic of discussion at major enterprises as well as within the public sector.
The EU-US Privacy Shield worked as an overall legal protection umbrella under which global enterprises were safe to work and transfer data between the European Union and the United States. It is estimated that over 5,000 organizations, their subsidiaries, and their suppliers were affected by the ruling, which threatened a portion of the $1.3 trillion in yearly transatlantic trade.
The EU-US legal digital sovereignty challenge is the most visible example, but it is by no means the only point of contention. Around the world, even between EU member states, digital sovereignty is becoming more important.
What is the impact of digital sovereignty?
Digital sovereignty has raised questions for CIOs considering their cloud strategy, governance, and risk management.
The challenge is not only where the sensitive data resides geographically, but also who has access to sensitive data inside an organization. For example, according to the recent Schrems II decision, if an employee based in the United States accesses sensitive EU-protected data inside their own organization, this could be considered an “export” of sensitive data and an infraction of the GDPR rules.
Consequently, organizations need to identify and adopt necessary supplementary measures to bring the protection of the data transferred between sovereign jurisdictions to the level required by local legislation. But in the cloud, this is easier said than done.
Organizations rely on a myriad of cloud services. According to the new 2022 Data Threat Report, produced by 451 Research for Thales, 34% of global organizations are using at least 50 SaaS applications and 17% use 100 or more SaaS applications. Sensitive data flows through most of these platforms, creating an environment that half of the respondents said made it more complex to manage privacy and data protection regulations in the cloud than on-premises.
Data, software, and operational sovereignty
When thinking about a successful cloud strategy, Thales sees three major pillars that support digital sovereignty objectives: data sovereignty, operational sovereignty, and software sovereignty.
- Data sovereignty means maintaining control over encryption and access to your data. This ensures sensitive data doesn’t fall into the hands of a foreign entity without express permission, which would result in non-compliance with regulations.
- Operational sovereignty means giving an organization visibility and control over provider operations. This ensures bad actors or malicious processes cannot access, or prevent you from accessing, your valuable data, such as in the case of privileged user access or a ransomware attack.
- Software sovereignty means running workloads without dependence on a provider’s software. This gives organizations the freedom to store and run workloads wherever desired to maximize performance, flexibility, and overall resilience.
Why are these three pillars important? Organizations that take charge of their digital sovereignty will find it easier to migrate sensitive workloads to the cloud.
Automated risk assessment and centralized protection
In our latest eBook Achieve Digital Sovereignty with Thales, we describe how Thales can help organizations achieve data, software and operational sovereignty with automated risk assessment and the centralized protection and control of sensitive data across cloud and on-premises systems.