Digital sovereignty has emerged as a topic of significant interest to both businesses and governments. According to the 2024 Thales Data Threat Report, it ranks among the top three emerging security concerns. This is especially true in the European Union, which is seeking to establish better control over its citizens' data that is collected, analyzed, and shared by technology companies based in either the U.S. or China. It is these new EU regulations that are forcing U.S. companies to address the challenges of digital sovereignty while ensuring it does not impact their digital strategies.
Over the past few months, Thales spoke with over a dozen global business executives from our Data Security Directions Council to discuss digital sovereignty and understand who owns your data and whether you can control it. Among these executives were:
We hope the conversations we have captured in our 2024 Data Security Directions Council Report will equip you with the knowledge to navigate the intricate world of data sovereignty, transforming it from a risk to an opportunity.
Is your data truly yours? This seemingly simple question carries weighty implications in today's hyper-connected world where information flows like electrons, and technologies like AI and 5G promise to explode data volume and velocity. The answer, however, is far from binary and is closely related to the complex and sometimes contentious world of data sovereignty.
In an era where data is seen by many as more valuable than gold or oil reserves and digital innovation drives the wheels of global economies, the concept of sovereignty has emerged as a critical fulcrum in the balance of power, control, and ethical governance.
Data sovereignty is not just another buzzword for business executives. It is the cornerstone of digital autonomy in a world where privacy is top of mind, determining who can access and control data. It enforces data integrity and confidentiality through robust encryption and stringent access controls.
It's a strategic imperative, a regulatory tightrope walk, and a potential competitive edge. It's about ensuring control over your most valuable asset – information. But navigating this landscape can be challenging. Governments clash with corporations, privacy concerns tangle with economic opportunities, and technological advancements rewrite the rules daily.
Let’s dive into some of the report highlights.
Business leaders across the public and private sectors are grappling with the multifaceted challenges of data sovereignty as they navigate complex regulatory landscapes and manage data across multiple cloud environments. The extraterritorial application and the complex web of national regulations add complexity to an already difficult-to-comprehend environment.
Despite the legal challenges in interpreting these laws, Agnieszka Bruyere at Oracle expresses concern that “these legal complexities often overshadow crucial topics like cyber resilience in cloud discussions”. Integrating legal compliance with cyber resilience strategies presents a significant challenge for businesses. On one hand, they must adhere to diverse and sometimes conflicting legal requirements regarding data storage and processing; on the other, they need to ensure that these compliance measures do not compromise their cyber resilience strategies.
Adding to the challenges is the tension between technical feasibility and practical usability in implementing data sovereignty, highlighting the need for solutions that are technically sound yet user-friendly. "The biggest challenge is how to implement data sovereignty in a way that is technically feasible and usable," says Dr. Avesta Hojjati at DigiCert.
However, it isn’t only businesses that face challenges. Cloud service providers also face the challenge of guiding customers, especially those new to this realm, to understand and achieve data sovereignty within the cloud. Brian Roddy of Google places a strong emphasis on adaptability and engagement in addressing data sovereignty concerns. He characterizes data sovereignty as a “moving target,” necessitating a flexible and evolving approach attuned to the varying global regulations.
In this complex and ever-evolving world of data protection, encryption plays a multifaceted role in ensuring data sovereignty. “Data sovereignty is a crucial aspect of data protection, and encryption is a key component in ensuring compliance with data privacy requirements,” says Mark Hughes at IBM Consulting.
However, the path to effective encryption is not without challenges. Encryption is only as good as its key management controls allow. The control of the users, entities, and applications that can access and use encrypted data will make or break the sovereignty program. Agnieszka Bruyere underlines the importance of “a balanced approach to encryption, considering potential failure points and operational resilience.” To achieve this balanced approach, a “one-size-fits-all” solution rarely works in encryption.
As data sovereignty requires a multifaceted encryption strategy that protects data across all stages of its lifecycle, the focus is shifting from the physical location of data to the control over encryption keys. "It doesn't matter where your data is. What matters is who controls the keys," underscores Brian Roddy.
For this reason, it is essential to opt for the appropriate key management approach. The discourse surrounding key management strategies in the context of data sensitivity is increasingly becoming a focal point for organizations striving to balance data sovereignty and security. This debate encompasses a spectrum of strategies. However, Dr. Avesta Hojjati underscores the importance of adaptability in choosing the optimal key management approach. He stresses that “any chosen solution must be flexible enough to accommodate upcoming changes due to evolving data sovereignty requirements.”
The experts have also discussed the impact technologies such as quantum computing, 5G, and Generative AI have on complying with data sovereignty requirements. For example, Dr. Hojjati states that “we need to start thinking about post-quantum cryptography today,” as part of a proactive defense against the increased threat of “harvest now, decrypt later” attacks on data sovereignty.
Regarding 5G, Mark Hughes flags further concerns: “Network operators need to be more intrusive to maximize the use of available bandwidth, potentially leading to more data collection about the devices themselves.” Agnieszka Bruyere raises similar concerns about GenAI, asking, “Who is responsible for ensuring the data is used ethically and legally?”
The interviewed experts also shared insights regarding the potential of internet fragmentation, a shift of warfare toward data instead of land, and the future of data transfers. So, to conclude, we leave you with Brian Roddy’s intriguing question: "Can I keep all my data in-country to keep it sovereign, or am I going to be completely disrupted by my competitive nation because they have better access to AI technology?"
To read more of this discussion, download the Thales 2024 Data Security Directions Council report. Also stay tuned for Season 4, Episode 7 of our Thales Security Sessions podcast, as report contributor Agnieszka Bruyere joins me to discuss some of the key points raised.