One of the big ironies about data on the internet is that once the goal of achieving a centreless web of data communication (the internet itself) had been developed and built out, the next area of focus became how to draw borders around it. It’s one thing to be able to send information instantly across the globe, but that runs the risk of it coming to rest in, or simply traveling through, places we don’t want it to. This brings us to the era of digital sovereignty, in which an increasing number of countries are adopting laws and regulations designed to protect data privacy by defining how data can be securely collected, stored, and used.
Countries, companies, and individuals have their own reasons why data deserves sovereignty and protection. GDPR and the Health Insurance Portability and Accountability Act (HIPAA) are just two very public representations of data protection, and we are seeing increased policy discussions around access to data in social media applications like TikTok.
But digital sovereignty is not a single cut-and-dried concept. There are other elements to consider, such as transparency. Organizations must be compelled to demonstrate what they are doing to help protect people’s data. This can be done through compliance and regulations, but it can also simply be a part of an organization’s culture, showing its customers that it cares about what is happening with the data and providing the necessary visibility. Without transparency, there is no true security around data protection. As the expression goes, “trust but verify.”
The Encryption Challenge
Data users are becoming more sophisticated in their understanding of data privacy and consider it to be a basic human right. They demand and expect action from governments, enterprises, cloud providers, and companies. They have become more aware not only of their data as being a personal possession worth protecting, but also that it is increasingly vulnerable to breaches. With ransomware, hacks, and data exfiltration events happening daily, the theft of personally identifiable information (PII) and corporate data is becoming the norm. But such frequency does not make it acceptable. This means that data sovereignty must extend to individual files and not simply the places where those files exist.
The ability to encrypt data gives sovereignty to data as it passes along the nodes and channels of networks and of the internet itself, so long as it remains encrypted during its passage through other countries and is decrypted in a cryptographically isolated environment at its intended destination.
The problem with encryption, though, is that it requires human cooperation. On an individual human level, maintaining proper cyber hygiene through improved password management is still a hurdle. It’s no surprise or secret that the most used passwords in the world are still things like 123456 or, for IT admins themselves, admin. On an enterprise level, proactive encryption requires effort, even when the technology exists to make it possible. So, are people willing to undertake such measures, even if compelled by legislation? In years past, cloud service providers would tell the consumer or corporate customer, “it's your job to protect your information and to put controls like encryption in place.” But this is now changing, and it must continue to evolve. It must shift from a manual “opt-in” mentality to a new default, in which security and encryption exist right out of the box, sidestepping end users’ unwillingness to manually activate the controls.
The Rise of AI
Digital sovereignty must also deal with the exponential proliferation of artificial intelligence (AI) in basically every aspect of business and life. Consider, for example, the data used to train an AI application. The integrity of this data is vital to the success of the training process to avoid accidental spillage of the data out into the public internet. Later, when AI is being used to answer a question or write code or prose, will it be smart enough to realize what facts it can use and what it cannot, based on the sources of its own learning? There is still work to be done to make sure that the AI engine doesn't give away something it wasn't supposed to. This is just one of the areas in which AI presents significant challenges to the integrity of current digital sovereignty efforts. Many others exist, and even more have not yet even been contemplated.
Work With Your CSP
Overall, the cloud remains a safer and more efficient means of data storage and transfer than on-prem, providing a higher security guarantee with more reasonable workloads for security teams. This is a mindset with which C-level executives must become more familiar. Many CISOs and CIOs still do not have visibility on where their data is and where it is going. It’s vital to not just think about it at rest but also to think about it in motion. They should be able to question their ongoing attachment to private on-prem deployments and ask themselves some highly targeted questions such as, “Do we encrypt data at rest? Are we making full use of multifactor authentication, tokenization, and encryption? Is the right data being protected, especially the crown jewels?” If the goal for an organization truly is to provide security, privacy, and compliance as parts of its digital sovereignty strategy, then the cloud should become a much higher priority.
This likely means connecting with a credible and proven cloud services provider whose responsibility has always been to offer reliable, up-to-date security of the data it carries.
This blog is a digest of a podcast conversation: Season 3 Episode 1 of the Thales Security Sessions Podcast, where I talk with Nellie Porter, head of product, Google Cloud Confidential Computing, and Todd Moore, Vice President of encryption products at Thales. If you would like to hear more about these crucial aspects of digital sovereignty and how your organization can ensure it is able to truly secure your data and that of your customers as it travels over the internet, check out the podcast episode here or on your podcast app of choice.