Navigating data sovereignty in a cloud-first, remote working era

Navigating data sovereignty in a cloud-first, remote working era

Data dependent organizations cannot outsource responsibility for the confidentiality, integrity and availability of their critical data to a third-party cloud provider. So, Brian Grant, ANZ Director, Thales Cloud Security, asks once companies have made the jump into cloud, how do they land safely?

Brian Grant, ANZ Director, Thales Cloud Security

In the wake of the global pandemic, companies across every sector moved hundreds of millions of employees to work from home. At the same time, they were being challenged by customers for digitally delivered everything. Business leaders reacted with quick, bold decision-making to survive in a fast-moving environment, and many jumped straight into cloud delivered digital services.

Almost overnight, cloud became the backbone of the work-from-anywhere workforce.

Balancing speed and control

A Covid-catalysed surge towards a ‘cloud-first’ approach should not be viewed as a bad thing. In fact, the flexibility to truly work from anywhere is proving beneficial to employees and a model that many expect to become the norm.

Many companies migrated at speed over the last two years, leaving control as an afterthought. But there’s no point being the fastest car on the racetrack if you crash on the first corner.

One thing many cloud-first businesses are still navigating today, as cloud and hyperscale services mature, is the complexity of shared responsibility. Despite deploying to the cloud, businesses are still responsible for protecting the security of their data and identities, on-premises resources and the cloud components they control.

Data dependent organizations cannot outsource responsibility for the confidentiality, integrity and availability of their critical data to a third-party cloud provider. So, once companies have made the jump into cloud, how do they land safely?

Cloud-first challenges

Despite the growth in cloud-first models, a Thales survey shows half (51%) of APAC businesses believe that cloud privacy and data protection regulations are more complex to manage than on-premises environments. A third (31%) use more than 50 SaaS applications and one in three (33%) admit to experiencing a breach or failing an audit for cloud applications or cloud data in the last 12 months.

The rapid shift to the cloud and remote working means organizations must be increasingly mindful of data sovereignty. Yet, the responsibility to tackle this challenge isn’t something that should remain solely in the hands of the CIO. IT security leaders, legal and procurement teams, risk managers and auditors must all be involved:

  1. Get the basics right

As everyone who works with sensitive or critical data knows, this data cannot sit in cloud environments unsecured. Over the years, some of the most serious data breaches and professional embarrassments have arisen from poorly implemented cloud data security and human error. In fact, three quarters (75%) of APAC businesses rank human error as one of the threats they are most concerned about while 80% are concerned about security risks of remote employees.

Consequently, cloud service providers (CSPs) have taken action to encourage the application of better data security practices. Typically, these have involved:

  • Stricter user and administrator access controls,
  • Improved configuration documentation and best practices,
  • Better security monitoring and alerting, and
  • Prescribed use of cloud centric data encryption and key management.

This is a step in the right direction and redresses some of the risks associated with holding sensitive data in cloud environments. Yet it does not address the emerging demand from customers and governments for organizations to retain sovereignty over critical data and digital assets.

Ultimately, whoever holds the key has access to the data itself. To operate safely in the cloud, retaining control over who, what, when and where data is visible will become an executive or regulatory mandate.

  • Understand your data

Only 16% of organizations across the APAC region have complete knowledge of where their data is stored, according to our 2022 Data Threat Report. Furthermore, the World Economic Forum estimates that over 92% of all data is stored on servers owned by US-based companies.

Before companies even think about compliance, regulations and rules, they must consider how and where data is stored.

Migrating data to the cloud means companies will need to select options for replication and backup, which in many cases will involve storing data in another geographical location. Ensure that you can specify the region in which data will be stored and understand the regulatory requirements of each region.

Who has access to sensitive data inside a corporation is another hurdle for organizations. For example, if an employee based in Australia accesses sensitive EU protected data inside his own organization, this could be considered an ‘export’ of sensitive data and an infraction of the GDPR rules.

Losing control of data is an escalating anxiety for businesses and governments all over the world yet they often overlook data in transit. It is essential to understand data flows because they relate to how data is being collected and processed. It is especially important to understand data sovereignty in the source and destination region, and if there are legal issues, adjust data flows to ensure it ends up in the most appropriate legal jurisdiction.

  • Use security cloud key repatriation

For organizations that want to start the sovereignty recovery journey of data stored in the cloud, they need to look at taking back direct control over the keys that secure it. The good news is that it’s quite simple to achieve with the right approach.

It involves using a cloud key management solution to synchronise cloud keys with an external key ‘security’ and management platform.

This cloud key repatriation, while not giving you direct control over existing cloud keys that have already been created and deployed, gives you visibility into all cloud keys your organization has and where they are held and used.

Complexity – the enemy of good security

One of the key lessons learned from the pandemic is that security strategies must be sufficiently agile to respond to a rapidly changing world, but flexible enough to deal with the hybrid nature of infrastructure, applications, data and users as both work-from-home and cloud become permanent fixtures. For all their benefits, cloud computing and remote working environments have layered on considerable complexity, which has always been the enemy of good security.

Browse our latest issue

Intelligent CIO APAC

View Magazine Archive