Data Sovereignty in a Cloud-Driven World is not a Given

Data sovereignty refers to the principle that digital information can remain subject to the laws and governance structures of the country where it is collected or stored. But this, like most things related to the cloud, is more complicated than it first appears. When organizations use cloud services, it is almost a given that when organizations use cloud services, the data will fly over borders, being bounced around through many data centers in multiple jurisdictions. This makes it challenging for organizations to know exactly where their data resides, even when the law requires that they do.

For example, a company headquartered in Germany may have to use cloud providers that have data centers in the United States. Despite the rigors of GDPR, this data might be subject to U.S. laws such as the Cloud Act, which could allow authorities to access it under certain conditions. This is not a welcome idea, especially when the data in question is sensitive, such as health records, financial information, or intellectual property. Regulatory frameworks like GDPR impose hefty fines for non-compliance, while public backlash over mishandled data can erode customer trust.

This means companies and organizations must seek out and ensure complete transparency with their cloud providers. They must insist on explicit agreements on where data will be stored and under what conditions it might be moved. Solutions such as cloud platforms specifically designed to comply with local regulations offer some respite, but overall, the complexity of global data governance makes achieving full data sovereignty a constant battle.

Cyber Resilience Means Preparing for the Inevitable

Cyberattacks are also a given. No organization can afford to live in denial of thinking they are too small, too well protected, or that the fact they were hit last year means they have immunity from future attacks. Cyber resilience means being able to prepare for, withstand, and recover from cyber incidents, ensuring that critical operations and data remain intact, and this is a condition that remains permanently urgent. A recent report from IBM entitled The Cost of a Data Breach (2024) shows that the global average cost of a data breach is now $4.45 million. That’s an average, meaning the odds are good it will be much higher.

Building cyber resilience requires a multi-layered approach, including:

• Risk Assessments to regularly evaluate vulnerabilities such as endpoints, networks, and cloud environments.
• Incident Response Plans to ensure swift containment and recovery. This should include close collaboration with an insurance company and a breach coach.
• Continuous Monitoring, using tools such as threat intelligence platforms and security information and event management (SIEM) systems to detect anomalies in real-time.
• Employee Training to educate staff of all levels on how to recognize phishing, social engineering, and related activities and how to adhere to secure practices such as cyber hygiene.

The key point about cyber resilience is that it is not about eliminating risk but instead about ensuring that an organization can weather the storm and emerge stronger. This is not only to survive physically but also to ensure the trust of stakeholders, which is invaluable in the face of crises.

Cloud Data Security Needs Encryption Keys

As a basic definition, encryption means converting data into unreadable code, making it useless if stolen. However, managing the encryption keys themselves can be hideously complicated, and mismanaged keys can lead to catastrophic consequences, including data loss or unauthorized access. This, too, should be a given.

This requires a robust key management strategy, including:

• Hold Your Own Key (HYOK) Ownership, which means that every time an operation is performed on an organization’s data in the cloud, the organization must provide authorization for access.
• Hardware Security Modules (HSMs), which provide a secure environment for generating, storing, and managing encryption keys.
• A Zero-Trust approach to encryption key management to ensure that no entity is implicitly trusted.
• Multi-Factor Authentication, to enhance the security of key access by requiring multiple forms of verification.

So What?

All projects, including security projects, should always ask the Devil’s Advocate questions to fully understand why some activity should be undertaken. In the case of cloud security, this is an opportunity to look at these things that qualify as a given, specifically to ensure they receive the necessary attention and do not slip out of sight.

Cloud technology will continue to play a significant role in the lives of organizations everywhere. While putting together, deploying, and maintaining a strategy that addresses data sovereignty, cyber resilience, and encryption may seem daunting, inaction is far more costly. Beyond regulatory penalties and financial losses, organizations risk losing the trust of their customers, partners, and employees. In a competitive marketplace, trust is something that, once lost, cannot be easily regained.

If you want to hear from two well-recognized experts in the field of cloud security, check out the Thales Security Sessions podcast episode entitled, The Three Dimensions of Data Sovereignty, in which I, the host, talk with Agnieszka Bruyère, VP Cloud Growth & Public Sector,  Oracle EMEA, and Sebastien Cano, SVP, Cloud Protection & Licensing Business Line.