Preparing organizations for a sovereign digital future
At a Glance
In a world where most data is processed and stored across geographical borders, often using foreign technologies, many governments are raising valid concerns around data, technological and digital sovereignty. In this article Zeina Zakhour and Vasco Gomes seek to untangle the different aspects of sovereignty and explain why understanding these is increasingly central to organizations’ long-term decision making.
In a world where most data is processed and stored across geographical borders, often using foreign technologies, many governments are raising valid concerns around data, technological and digital sovereignty.
Before tackling this issue further it is crucial to agree on the definition of sovereignty. Data sovereignty refers to the degree of control an individual, organization or government has over the data they produce and work with (whether local or online). In contrast, technological sovereignty is the degree of control the organization has over the technology it uses.
Data sovereignty and technological sovereignty are the two pillars of digital sovereignty, which can be defined as the degree of control an organization has over its entire digital environment, including data, applications, software, systems, and hardware. This is aligned with the World Economic Forum definition of “the ability to have control over your own digital destiny – the data, hardware and software that you rely on and create.”
Taking a closer look
A closer examination reveals that cybersecurity is at the heart of data sovereignty and helps enhance technological sovereignty.
It is important that organizations understand that digital sovereignty is not an “all or nothing” proposition. Digital sovereignty exists in varying degrees on a scale which is constantly in flux.
Governments and organizations advocating for digital sovereignty need to adopt a risk-based approach. They must carefully assess their level of control over data and technology and take great care to ensure that sovereignty does not come at the cost of agility — a key factor to thriving in the Digital Age.
As many organizations make the massive move to the public cloud and embrace mobile/remote working (which has greatly accelerated during the COVID-19 crisis), they must measure the risks to their digital sovereignty. When they delegate technological choices, data hosting and data processing to a provider, they put themselves at the mercy of that provider and its respective regulatory authority.
As a result, a hybrid cloud approach is gaining significant traction. Hybrid cloud leverages several different cloud solutions in parallel: from the least trusted to the most trusted, or even a disconnected, on-premises deployment. Data can be processed and hosted in different environments, depending on its business sensitivity.
This modular approach helps organizations leverage the potential of large providers to enhance the competitiveness of their less sensitive business processes. At the same time, they can protect their most sensitive business processes by keeping them under their own control or the control of more trusted providers.
Most importantly, organizations should not overlook the fact that digital sovereignty can become a competitive advantage by putting data sovereignty — and consequently, trust and transparency — at the core of their digital transformation.
Digital sovereignty is a growing concern in our increasingly digitalized world. Yet, policy makers, governments and enterprises must master the art of balancing digital agility with digital sovereignty, as this will be key to competitiveness.
Maximizing data sovereignty
Atos defines data sovereignty as the degree of control an individual, organization, or government has over the data it produces and works with. Accepting this definition leads to a big question: “How can an organization find the right degree of control?” Let’s tackle it in four steps.
1 What is control?
Data has become the main support of our digital economy. For most companies, the digital strategy relies on a few critical pillars:
- Their data
- The way data are processed (algorithms, apps, compute)
- Who can access data and run operations and reports on them
If you don’t have a clear view of these pillars, you don’t have a clear picture of your business — which means you will soon be out of business. It’s that simple.
You must ensure that access rights and identities are compliant with your digital strategy and based on the sensitivity of your data. That’s the definition of control. Controlling your data is to specify and enforce who can do what with them at any point in time.
2 How can you increase control?
To control who can do what with your data, you have to start with identity and access management (IAM) and extend it beyond your employees to all kinds of IT, OT and IoT objects. However, IAM and encryption are often entangled in layers of applications, infrastructures and networks that run business applications and facilitate the user experience. There is no such thing as a perfect cybersecurity control, so you must constantly monitor your controls for compliance and incidents, and be able to respond to and recover from those incidents in a timely manner.
3 How much should you increase it?
Strengthening a security control can come at the expense of agility. So, for every security control, you should find the proper balance between excess and restraint. The best way to find that sweet spot is at the core of cybersecurity:
What kind of risk am I addressing and in which form could it happen? You won’t apply the same level of control to mitigate an espionage risk, external influence, usage/operation prevention, or data loss, whether accidental or malicious.
4 Is all data born equal?
Protecting all assets the same way often results in protecting none of them correctly. Indeed, attackers tend to be attracted to the weakest link. Data classification is a huge program that should never be underestimated. But, to give you a sense of scale, we have observed through many projects that, on average, 80% of customers’ data are not sensitive, and that the remaining 20% can further be split into 80% “just sensitive” and 20% highly sensitive. It is not unusual for the split to be close to that double 80/20 rule: 80% non-sensitive, 16% sensitive and 4% highly sensitive (maybe even classified).
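As an added example (not from the article, and not Atos's own tooling), the following Python sketch ties the four steps together with the hybrid cloud idea above: records are classified by tag into the three sensitivity classes, each class is mapped to a hosting environment from least to most trusted, and a single decision function enforces who can do what with a record, including the rule that the most sensitive data is only reachable from its own environment. The tier names, tags, roles, identities and the 25 sample records (built to match the 80/16/4 split) are all constructed assumptions.

```python
"""Sensitivity-driven classification, hosting placement and access decisions (illustrative)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    NON_SENSITIVE = 0
    SENSITIVE = 1
    HIGHLY_SENSITIVE = 2


# Hosting environments from least to most trusted (hypothetical tier names).
HOSTING_TIER = {
    Sensitivity.NON_SENSITIVE: "public-cloud",
    Sensitivity.SENSITIVE: "trusted-provider-cloud",
    Sensitivity.HIGHLY_SENSITIVE: "on-premises-disconnected",
}

# Classification rules: which tags push a record into which class (assumed taxonomy).
HIGHLY_SENSITIVE_TAGS = {"trade_secret", "classified", "encryption_key"}
SENSITIVE_TAGS = {"personal_data", "financial", "contract"}

# Who can do what, per class: role -> allowed actions (assumed policy).
ACCESS_POLICY = {
    Sensitivity.NON_SENSITIVE: {
        "employee": {"read", "write"}, "contractor": {"read", "write"},
        "iot_device": {"read", "write"}, "report_service": {"read"},
    },
    Sensitivity.SENSITIVE: {
        "employee": {"read", "write"}, "contractor": {"read"}, "report_service": {"read"},
    },
    Sensitivity.HIGHLY_SENSITIVE: {"cleared_employee": {"read", "write"}},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    tags: frozenset


@dataclass(frozen=True)
class Identity:
    name: str
    role: str
    origin: str  # the environment the request comes from (one of the tier names)


def classify(record: Record) -> Sensitivity:
    """Highest matching class wins: one classified tag makes the whole record highly sensitive."""
    if record.tags & HIGHLY_SENSITIVE_TAGS:
        return Sensitivity.HIGHLY_SENSITIVE
    if record.tags & SENSITIVE_TAGS:
        return Sensitivity.SENSITIVE
    return Sensitivity.NON_SENSITIVE


def placement(record: Record) -> str:
    """Where the record may be hosted and processed, driven only by its class."""
    return HOSTING_TIER[classify(record)]


def decide(identity: Identity, action: str, record: Record) -> tuple[bool, str]:
    """Specify and enforce who can do what: role/action check, then an origin check for the top class."""
    level = classify(record)
    allowed = ACCESS_POLICY[level].get(identity.role, set())
    if action not in allowed:
        return False, f"{identity.role} may not {action} {level.name} data"
    if level is Sensitivity.HIGHLY_SENSITIVE and identity.origin != HOSTING_TIER[level]:
        return False, "highly sensitive data is only reachable from the disconnected environment"
    return True, "allowed"


def breakdown(records) -> dict[str, float]:
    """Percentage of records per class, to compare a data set against the double 80/20 rule."""
    counts = Counter(classify(r).name for r in records)
    total = len(records)
    return {s.name: round(100 * counts[s.name] / total, 1) for s in Sensitivity}


# Constructed sample: 20 non-sensitive, 4 sensitive, 1 highly sensitive record.
SAMPLE_RECORDS = (
    [Record(f"pub-{i}", frozenset({"marketing"})) for i in range(20)]
    + [Record(f"hr-{i}", frozenset({"personal_data"})) for i in range(4)]
    + [Record("rd-1", frozenset({"personal_data", "trade_secret"}))]
)

if __name__ == "__main__":
    print(breakdown(SAMPLE_RECORDS))
    for rec in (SAMPLE_RECORDS[0], SAMPLE_RECORDS[20], SAMPLE_RECORDS[24]):
        print(rec.record_id, classify(rec).name, "->", placement(rec))
    print(decide(Identity("carol", "cleared_employee", "public-cloud"), "read", SAMPLE_RECORDS[24]))
```

The point of the sketch is that placement and access follow from one classification: change a record's class and both its hosting tier and its allowed subjects change with it, which is what keeps control proportionate to risk rather than uniform across all data.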
Digital Vision: Cybersecurity 3 – Further Insights