Overcoming the challenges of data sovereignty in the age of the cloud

As the global business landscape becomes ever more interconnected and reliant on data, the issues surrounding regulatory compliance and security are becoming more complex. A business based in the EU, for example, might only serve customers in Europe, but chances are they rely on services delivered by data centers in the US. In fact, 92% of all data generated in the western world is stored on servers located in the US.

Data sovereignty holds that data should be subject to the laws and governance structures of the nation where it is collected. For example, even though Microsoft Teams typically stores all data in the same region as your Microsoft 365 subscription, data residency for new tenants is only available in 13 countries. As such, if your business operates outside those countries, then it theoretically falls under another jurisdiction. A similar concept applies on an enterprise level too, whereby the enterprise should have control and ownership over its proprietary data, rather than a third-party technology provider.

With legislation like Europe’s GDPR and California’s CCPA setting the bar for data privacy, it is more important than ever for organizations to know exactly where their data is stored and shared. If they lack such a degree of visibility, then they may be unable to comply with subject access requests or right to erasure requests. Furthermore, the lack of control and ownership over data stored in foreign jurisdictions can substantially increase third-party risk, simply because data protection standards and interests can vary widely from one region to the next.

In the case of GDPR, data pertaining to citizens of the EU can only be transferred outside the bloc on the basis of an adequacy decision or when appropriate safeguards have been taken. The EU currently has agreements with 13 countries in the case of the former, while appropriate safeguards in other cases are defined under Article 46 of the law.

In reality, most organizations have to share sensitive information outside the jurisdiction where they are primarily operating. Although legislation in the EU is being reworked to give the bloc greater control over their digital destiny, the need for third-party services – many of which are delivered by vendors abroad – will likely only continue to grow. Because of this, organizations must seek a compromise by which they can comply with data sovereignty regulations and also achieve global scale and flexibility.

Article 46 of GDPR legislation lists a number of safeguards that organizations need to take if they are to transfer potentially sensitive data to jurisdictions outside the bloc. One of the most effective and proven safeguards is encryption. By encrypting sensitive data and hosting your encryption keys on your own local infrastructure, you can ensure that data stays protected no matter where it physically lives. With full encryption, you can protect data across its whole lifecycle from the moment it is first collected to the point when it is deleted. To achieve the highest possible levels of security and compliance, data should be encrypted at the object level, rather than just at the application, service, or device level.

It might be tempting to dismiss the need for object-level encryption as unnecessary. After all, popular business apps like Microsoft Teams already offer best-in-class security measures, including end-to-end encryption. However, since Microsoft is a US company, and is therefore subject to US laws, organizations based in other countries have no true data sovereignty when it comes to their use of Teams and other Microsoft solutions.

The fact that Microsoft offers data residency in other regions can only help to a degree, not least because data residency is not the same thing as data sovereignty. Since the company is based in the US, they can also be compelled to release information belonging to their clients by way of a subpoena from a state or federal authority. Furthermore, legislation also allows the US authorities, in certain circumstances, to gain access to data stored by US companies regardless of where the data physically resides.

While Microsoft is just one example of a major technology vendor, the same applies across the board. The fact that such receive, and must comply with, such requests renders their own protective capabilities somewhat moot.

The zero trust paradigm holds that no attempt to access data should be implicitly trusted. This contrasts to the castle-and-moat security principle, in which every individual and system within the perimeter already has access. Today, that principle is thoroughly outdated given that most, if not all, enterprise computing assets are now hosted in third-party systems that live outside the perimeter. For example, all Teams data is ultimately under the control of Microsoft and its US jurisdiction.

While most technology vendors operate under a shared responsibility model, data sovereignty can only become a reality when you have complete control over your data. Third party security measures taken by your vendors are undoubtedly worth having, but they will not protect you from things like subpoenas and data leaks or breaches targeting the third party. For example, if a third-party vendor suffers a major security incident, your business could be among many adversely affected. If such an incident constitutes a breach of compliance with any regulations, then your organization could be held partly responsible.

Zero trust security provides a way to manage and practically eliminate that risk. If your data is already encrypted by your own systems before being transmitted across a third-party channel, then it will be immune from such a data breach, subpoena, or any other unauthorized attempt to access it. Your data might still physically reside in another jurisdiction over which you have no control, but if it has been encrypted on your end, then it goes above and beyond the demands of regulations like GDPR and CCPA.