Your guide to assessing and building digital sovereignty
Across entities and companies, there are many different views on the topic of digital sovereignty. Digital sovereignty is generally expressed as a need that is applied to a subset of the information assets that they possess. Depending on the risks, stakes or even current events, this need for digital sovereignty may evolve. It obviously differs for state agencies, hospitals, financial groups, the defense industry or retailers.
Key players in this ecosystem may be tempted to adopt a posture of withdrawal or retreat to protect their data, but the consequences can be catastrophic. By retreating, enterprises simultaneously cut themselves off from business development opportunities, from the ability to share data within their ecosystems, and from accelerated innovation.
However, we believe that digital sovereignty and digital transformation are not mutually exclusive, and that cybersecurity has a major role to play in this project. Let’s examine how to create a robust, watertight sovereignty strategy aligned with organizational needs.
Step 1: Assessing basic needs and security
To avoid adopting an overly dogmatic initial posture (which would inevitably lead to retreat), the starting point of any digital sovereignty strategy should be an initial assessment of enterprise needs.
This evaluation must be carried out on homogeneous subsets of the company’s information assets, which may include the following:
- Data repositories
- Applications or sets of applications
- Full information systems
The assessment should be based on two criteria, complemented by a regulatory inventory. This evaluation is inherently simple, because the first objective is to define the trend and trajectory of data protection that will be used to build a technical sovereignty roadmap. Let’s take a look at the criteria:
- Availability: This criterion quantifies how essential the data and its availability for processing are to the Company. This criterion is evaluated and categorized as follows:
| Level | Description |
|---|---|
| D1 | The data can be destroyed without harm to the Company. |
| D2 | Data can be unavailable for a relatively long period of time without harming the Company. |
| D3 | The unavailability of data has important consequences for the Company. |
| D4 | Data availability is critical. Any unavailability puts the Company at risk. |
- Confidentiality: This criterion allows us to judge the sensitivity of the data and the level of risk if the information is transmitted to or accessed by third parties. It also consists of four levels:
| Level | Description |
|---|---|
| C1 | The data is public. |
| C2 | The data concerns the Company or a part of the Company. Its dissemination or access by a third party does not constitute a major threat to the Company. |
| C3 | The data is sensitive and uncontrolled release has important consequences for the Company. |
| C4 | Dissemination of the data compromises the integrity of the Company and/or its representatives. |
A careful observation of these needs makes it possible to delimit the area of digital sovereignty for the subset of the information assets being considered. This area can be represented graphically as shown below and labeled accordingly. For example, a score of (3,3) denotes a sovereignty need of Level 3 availability and Level 3 confidentiality.
Figure 1: Example of the sovereignty need for a customer relationship process
The regulatory aspect completes this security needs assessment by setting out the required authorizations and prohibitions. It is essential to list them exhaustively and to assess each one in detail.
Step 2: Building the appropriate sovereign response
After the needs assessment, the next step is to build a response by integrating different cybersecurity capabilities. Each of them helps strengthen control over data to progressively achieve the objectives of availability and/or confidentiality. This integration constitutes the path to sovereignty.
An example of a list of cyber capabilities is shown in the following table. This list can be enhanced by other specific technical, contractual or organizational solutions, each of which should be the subject of a positive impact estimate on the confidentiality and availability criteria.
|Confidentiality impact||Availability impact|
|High availability infrastructures||+1 to +1.5|
|Cloud hosting||+0.5 to +1|
|Local operations of platforms||+0.5|
|Strong management of interfaces with the Internet||+0.5|
|Dedicated identity and access management||+0.5|
|Standard Encryption Key Management (BYOK)||+0.25|
|Data encryption (at rest – filesystem/database)||+0.5|
|Anonymization / Masking / Tokenization||+0.5|
|Marking and steganography||+0.5|
|Privileged account management||+0.5|
|Hardening of technical foundations||+0.5|
The strategy is built by integrating the different sovereignty capabilities from a starting point (1,1).
Continuing our previous example, we may build a strategy based on classic IaaS cloud hosting (A) with outsourced backups (B), operated by local resources (C), with data encryption (D) accompanied by strict identity management (E) and the use of MFA-type access control (F). Theoretically, this path allows a score of (3,3), which corresponds to the sovereignty needs previously defined.
There are many other combinations of capabilities to achieve the target score, and each must be balanced against the inherent constraints of the data and processing under consideration, as well as the business purpose. This is the job of cybersecurity architecture teams, who are responsible for evaluating the most effective and consistent combination of measures for each data set.
This approach does not replace earlier ones used to structure the cybersecurity of an information system or to define a global cybersecurity roadmap. It allows us to propose solutions that take structuring business assumptions into account, such as a cloud-first corporate strategy. In such situations, this method enables us to answer the question, “What additional cyber capabilities do I need to implement to achieve my sovereignty objective?”
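The gap-analysis question above can be sketched in code; this is an added example, not Atos tooling or code from the original article. It starts at (1,1), adds the impact values from the capability list, and searches for the smallest set of extra capabilities that reaches a target. Assumptions: the axis assigned to each capability, counting only the low end of each impact range, capping scores at level 4, and the function names, which are hypothetical.

```python
from itertools import combinations

# Impact ranges (low, high) are the values listed on the page. The axis each
# capability raises ("A" availability, "C" confidentiality) is an ASSUMPTION.
CAPABILITIES = {
    "High availability infrastructures": ("A", 1.0, 1.5),
    "Cloud hosting": ("A", 0.5, 1.0),
    "Local operations of platforms": ("A", 0.5, 0.5),
    "Strong management of interfaces with the Internet": ("C", 0.5, 0.5),
    "Dedicated identity and access management": ("C", 0.5, 0.5),
    "Standard Encryption Key Management (BYOK)": ("C", 0.25, 0.25),
    "Data encryption (at rest – filesystem/database)": ("C", 0.5, 0.5),
    "Anonymization / Masking / Tokenization": ("C", 0.5, 0.5),
    "Marking and steganography": ("C", 0.5, 0.5),
    "Privileged account management": ("C", 0.5, 0.5),
    "Hardening of technical foundations": ("C", 0.5, 0.5),
}
START = (1.0, 1.0)  # the page's starting point
MAX_LEVEL = 4.0     # assumption: scores are capped at the top level (D4 / C4)

def score(selected, worst_case=True):
    """Return the (availability, confidentiality) score of a capability path."""
    a, c = START
    for name in selected:
        axis, low, high = CAPABILITIES[name]
        gain = low if worst_case else high  # worst case: low end of the range
        if axis == "A":
            a += gain
        else:
            c += gain
    return (min(a, MAX_LEVEL), min(c, MAX_LEVEL))

def additional_capabilities(target, in_place, forbidden=()):
    """Smallest set of extra capabilities whose worst-case score meets target.

    `forbidden` models the regulatory inventory (for example a no-cloud rule).
    Returns a list of capability names, or None if the target is unreachable."""
    candidates = sorted(set(CAPABILITIES) - set(in_place) - set(forbidden))
    for size in range(len(candidates) + 1):
        for extra in combinations(candidates, size):
            a, c = score(list(in_place) + list(extra))
            if a >= target[0] and c >= target[1]:
                return list(extra)
    return None

if __name__ == "__main__":
    print(additional_capabilities((3, 3), in_place=["Cloud hosting"]))
```

With these assumed values, a cloud-first starting point needs six further capabilities to guarantee (3,3), while a rule that forbids cloud hosting leaves availability level 3 out of reach from this list alone.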
Limitations and perspectives
An entity’s inventory of applicable regulations should constrain or reinforce the choice of cyber capabilities outlined in the previous section. For example, some regulations will require data to be processed or stored in warehouses that are completely disconnected from the Internet, which translates into no-cloud hosting and interface filtering requirements. Others may make it impossible for foreign nationals to access data, which calls for even stricter, dedicated identity management.
Finally, it is important to remember that the implementation of a digital sovereignty strategy only protects information systems against a limited and targeted number of cyber and economic risks. All the measures developed and presented must complement the basic measures required to protect information assets (based on an additional risk analysis).
We believe that the current debates around digital sovereignty are an opportunity for the world of cybersecurity to prove that technologies and know-how can be used to avoid a retreat posture and facilitate a digital transformation. This is an opportunity once again to help move the enterprise forward while controlling any risks linked to these new exposures.
About the author
Senior Cybersecurity Manager and Consultant, Atos
Jean-Baptiste Voron has been working for ten years with the Chief Information Security Officers of major French groups on new cybersecurity issues.
With Atos since 2012 as an expert consultant in IT security governance and strategy, he is now responsible for the portfolio of cybersecurity offerings in France and leads the team in charge of cybersecurity pre-sales covering a range of more than fifty technologies and partners.
He frequently works with Atos’ strategic clients internationally in the design and deployment of cybersecurity solutions. Jean-Baptiste holds a PhD in IT security (joint US/French thesis) and a master’s degree in complex systems and applications from Pierre & Marie Curie University.