Multi-cloud7 min read

Sounding the Data SOS : Urgent Call for Data Security, Optimisation and Sovereignty

Data Security, Optimisation and Sovereignty

Guest article by Bill Mew, Global Cyber Ambassador for the International Association for Risk and Crisis Communication (IARCC.org)

Organisations everywhere are being buffeted by a myriad of regulations that require data compliance, a pandemic that prompted a rush to the cloud, a wave of cybercrime that necessitates enhanced security and geopolitical uncertainty that could impact data transfers. As organisations struggle to tackle the complexity associated with these challenges they need to focus on a strategic data architecture that ensures Data Security, Optimization and Sovereignty - the Data SOS.

9 Signs of Digital Distress

Recognised globally as the universal distress signal, SOS is transmitted in nine tones - three short, three long and three short. Here we set out a series of nine signs of distress in data management. The first six describe the pressures that organisations are under and the last three outline facets of the optimal solution - facets that go hand in hand and that you cannot afford to overlook.

1. Data Compliance

One of the greatest data management challenges in recent times has been securing and protecting data while ensuring compliance with a myriad of data regulations. There is a truism about cybersecurity and privacy that goes as follows: ‘you can have security without privacy, but you cannot have privacy without security’. In essence, a company can keep your data secure while still abusing your privacy rights, but if your personal data is not secure then this is by nature a privacy failure. You therefore need to consider privacy and security in unison.

You can have security without privacy, but you cannot have privacy without security

2. Digital Transformation

Simultaneously organisations have been embarking on digital transformation projects, often as part of a cloud migration or adoption plan. For some workloads this has been a ‘lift and shift’ process where existing processes have simply been digitised and moved to the cloud. The full benefits of cloud computing and digital transformation are only truly realised, however, when the opportunity is taken to redesign processes and reinvent the way that things are done to harness the flexibility and interoperability that cloud environments offer.

Many have seen cloud migration and digital transformation as a one-off project - one that for a large number was rushed in response to the pandemic with far too many workloads and data sets simply getting the ‘lift-and-shift’ treatment. The reality is that digital transformation is a perpetual project-based exercise that is never ending. Organisations need to sustain a flexible transformational approach to address the endless cycle of challenges and fresh regulatory demands.

All organisations, whether they realise it or not, are on a digital transformation path - the level of transformation may speed up or slow down at times, but the journey is never at an end.

Digital transformation isn’t just a one-off project; it is both universal and perpetual

3. Hybrid Complexity

In an ideal world, organisations would have a universally enforced data architecture that would make data management simple and easy. You would know exactly where and how different data sets are stored and be able to enforce different access rights and security protocols depending on the nature of the data - from confidential or intellectual property to personal information. For governments, this might also include secret or restricted data.

Unfortunately, the reality is that few organisations have a universal data architecture and almost all of them are struggling to deal with complex hybrid computing environments that span everything from public clouds and SaaS to private clouds and on-premise data centres with numerous additional individual devices, all of which store and process data.

Hybrid computing environments are a reality - learn to deal with them

4. Cost Effectiveness

Cloud was initially seen as an effective way of reducing compute and storage costs, especially the cost of maintaining legacy systems. With all business departments expected to ‘do more for less,’ cloud promised to enable significant savings for IT departments.

The reality is that managing cloud cost optimization is far from straightforward. Furthermore, with the cost of traditional hardware falling fast, the trade-offs between cloud computing and on-premises are becoming less clear. On top of this, even if IT budgets are flat (rather than falling), data volumes are continuing to rise exponentially, meaning that exponential increases in efficiency are required just to keep pace.

With IT budgets flat and data volumes growing exponentially, something has to give

5. Geopolitical Tension

We have seen geopolitical tensions increase as a result of trade wars and armed conflict. This has resulted in restrictions or outright bans on the sales of certain items as well as sanctions on listed entities. We are also seeing regulatory restrictions on data flows between different regions. Sanctions lists and trade restrictions can change rapidly and new data regulations are creating a patchwork of different local rules that can add enormous complexity. Unless your systems are able to adapt dynamically not only to the changes, but also to the local variations in the regulatory landscape, then your ability to operate internationally will be hampered.

If you cannot adapt and localise in real time, you’re already in trouble

6. Need to innovate

Typically, IT is the foundation for almost all innovation. It is therefore essential that organisations ensure that it is supposedly ‘future-proof’. The problem is that the ability of most organisations to adapt to change is not only hindered by existing legacy systems, but that poorly planned cloud migrations that fail to guard against lock-in could also result in current generation investment that will simply become tomorrow’s legacy platform. In order to be prepared to invest in future technologies like Artificial Intelligence (AI), portability and interoperability need to be paramount.

Without portability and interoperability, you are investing in tomorrow’s legacy systems

So, if these are the pressures that almost all organisations are under, what does the optimal solution look like?

7. Security

Not only do 88% of boards ( Gartner, Predicts 2023: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem) now regard cybersecurity as a business risk, but the frequency and sophistication of attacks are on the increase. Data security needs to be baked in from the ground up. Effective cybersecurity starts with risk assessment to understand the threats, vulnerabilities and risk appetite. Methodologies, like Zero Trust, then dictate how to manage everything from access controls and supply chain protection to staff training and cyber hygiene. However, even with rigorous protection and detection in place, you still need to have backups and incident response plans - and to test both regularly.

It’s not about how much you spend on cybersecurity, but how you spend it and how well prepared you are

8. Optimisation

Without a clear strategic data architecture that is well implemented, you won’t know what kind of data you have, how it is processed or where it is stored. This would make it impossible, for example, to apply higher levels of assurance and data sovereignty to your most confidential data, to respond to freedom of information (FOI) requests, or to comply with a client’s right to be forgotten under GDPR. In addition managing backups, enabling system integration or embarking on digital transformation all require effective data optimization.

If you don’t know what data you have or where it is, how can you possibly manage it effectively?

9. Sovereignty

Possibly the most frequently overlooked aspect, data sovereignty, is becoming increasingly essential in order to comply with the proliferation of different data regulations across different jurisdictions.

Every jurisdiction has a process to allow authorities to access data for the purposes of law enforcement and all organisations have an obligation to comply with local laws and regulations. GDPR and all similar data regulations include a derogation for local law enforcement and in many jurisdictions such data access requests are overseen by independent judicial supervision and include a process for appeals and redress.

As different trading blocs (like the EU), countries and even states (such as California) have implemented their own data regulations, this has created an increasingly complex patchwork array of differing compliance requirements. Many regulations also come with restrictions on data sharing and data sovereignty.

Significant issues arise when either one jurisdiction deems another to have inadequate protections and therefore limits or restricts data sharing, or when a country enacts extraterritorial provisions that extend beyond its own borders and conflict with local regulations elsewhere. In this regard there are several regions that the EU has deemed to fall below the standards required by GDPR - most notably the US.

Some have viewed the proliferation of regulations and restrictions on data sharing as little more than protectionist measures. While there have indeed been certain regional measures to promote industrial strategy such as the US Chips Act or promote ESG such as the EU Digital Product Passport (DPP), the main regulatory drivers in data protection have stemmed from cultural differences - in the EU privacy is seen as a human right, whereas in the US national security is seen as more of a priority. This cultural and regulatory mismatch, along with calls from the EDPB and others for the US to strengthen safeguards on the collection and use of personal data by its intelligence agencies, has led directly to the demise of both data sharing agreements, Safe Harbor and Privacy Shield.

While efforts to enact federal privacy regulation in the US and to agree a transatlantic 'data bridge' will go some way to allay concerns, gridlock in congress is preventing any real reform - let alone the introduction of the kind of independent judicial oversight and redress that would satisfy the Europeans. Therefore, for the foreseeable future any data transferred to a US cloud or SaaS provider (even to their data centres here in the EU or UK) will count as an international data transfer, triggering the need for supplementary measures such as encryption. This makes data sovereignty not just a strategic consideration, but a practical necessity.

In practical terms, this means that sensitive data sets, from your most confidential data to the personal information of clients and staff should not be stored or processed in data centres, in public clouds or in SaaS systems that are operated by US firms unless the data is encrypted both at rest and in transit and the encryption keys also are retained by you and not shared with the hosting firm.

The need for supplementary measures can be avoided if all processing and storage of sensitive data (including backups) is done exclusively either on your own hardware or that of a sovereign cloud provider. Thankfully there is a network of local cloud providers that has emerged to provide exactly these kinds of sovereign cloud services and that use tools like VMware Cloud not only to shield data from prying eyes, but also to provide portability, interoperability and many of the other attributes described above.

It is as important to obey the law in your own country, as it is to protect sensitive data from others

With complex hybrid computing environments now a reality, data optimisation using a strategic data architecture across the entire technology estate is essential - as is end-to-end security. On top of this, your most sensitive data sets require a higher level of assurance - either employing supplementary measures, sovereign cloud services or both. This is why the Data SOS - Security, Optimization and Sovereignty - can no longer be ignored.

Bill Mew, Global Cyber Ambassador for the International Association for Risk and Crisis Communication (IARCC.org)