Data sovereignty has become the new buzzword in managing the digital economy, globalization and geopolitical influence.
But, as states begin to wrangle over big tech power and control, do we really understand what data sovereignty means and how it translates to the enterprise?
Data sovereignty for the enterprise
Historically, the term sovereignty was used in relation to states and political power. When applied to enterprise data, it becomes trickier to define and understand, particularly in our new globalized economy.
There is still no standardized or clear definition, particularly for an enterprise. The most accurate description is the degree of control an individual, organization or government has over the data they generate and work with. For this reason, data sovereignty is non-binary. It exists on a scale and that scale is constantly in flux. It is also inextricably linked with security and requires a technological response.
Macro influencing micro
We can see data sovereignty issues at play on a macro level with some governments sanctioning the use of certain technology providers due to concerns for national security, including fear of sensitive or classified data leakage. When there is a risk of commercial warfare and state espionage, then the provenance of the solutions used for protecting data becomes a critical question. If you cannot trust the microprocessors processing your data in your hardware because they are made elsewhere, you can see that the issue of sovereignty and security becomes extremely tricky. And when the functioning of critical sectors, from a hospital to a gas pipeline, depends on the resilience of its digital infrastructure or access to data, technological choices become strategic. However, there is no single organization across the globe that has the capability to build and produce all aspects of its supply chain. So where do we go from here?
Whatever the future holds, identities and encryption are key
Different technological domains provide different levers to influence the degree of control an organization has over data, whether it is data the organization generated or acquired or is entitled to use. As data gains value through its usage, how it is stored and computed are critical, but cannot be the only levers to consider.
Organizations who want to maximize their data sovereignty will also need to pay particular attention to the control of data access and data usage.
For those objectives, while identities and encryption are obviously not the only controls to consider, they are paramount, universal and, we believe, whatever the future evolution of technologies, they will always remain of utmost importance to address cybersecurity and sovereignty challenges.
The solutions are not straightforward in the OT environment – technology systems such as patch management, antivirus and updating operating systems are all irrelevant, so bespoke solutions are often necessary. That is why Atos has invested in specialized tools and products for securing complex environments and ongoing threat detection and management to be able to address such specific challenges. However, nothing can be done without the proper risk management strategy at its core. It is therefore crucial for organizations to put a strategy in place. This should cover all relevant areas such as policies, procedures, and processes, including any incident response plans that need to be in place and training people in the management and detection of risks. The work is in progress, but it needs to go faster.
Managing what we don’t know
The issue boils down to the question: what don’t we know? The key is in ensuring an ongoing process of data classification and risk mitigation. Digital security, and therefore data sovereignty, must be driven by constant risk assessment: probability and impact; benefit for the business; list of mitigation actions with percentages. Decisions based on these assessments must be taken with all the information you can gather at the highest levels of any organization. The board can decide whether it wants to maintain, mitigate, share or avoid the security risk associated with any new technology or service.
I believe data sovereignty is a conversation about value versus risk: where is the position with the maximum value for the minimum risk? It is a decision we make constantly at all levels of society today: individuals, enterprises and governments. In some cases, for some technologies, there should be a clear no-go because those are critical assets for the enterprises.
It is the right conversation for our time, allowing us to focus on value while always understanding and minimizing risk. In this way, we can all progress within our new globalized economy.
This is not about turning our backs on partners. It’s about having the courage to say that we don’t want non-European law to apply to these services.
Guillaume Poupard
Director of the French Cybersecurity Agency
on the French proposal to prevent critical data from being accessed by U.S. authorities