A reasoned approach to managing digital sovereignty
The cloud is getting bigger and more complex to manage by the minute. According to the global edition of Thales’s 2022 Cloud Security Study:
The shift to modern, multicloud infrastructure is in full swing, and organizations have to build security capabilities that will support it. ... Sensitive data is stored across multicloud environments, and data storage and classification are major concerns. Failed audits and cloud data breaches are common…. With increasing multicloud use, security teams need tools and capabilities that can make them more efficient in securing multicloud environments with centralized control of their multicloud security operations. While there has been an improvement in enterprises using encryption to secure sensitive data in the cloud, this remains an area where continuous improvement and consolidation are necessary.
The cloud is also, in conjunction with the human right to privacy, the reason we have well over 100 (at last count) digital sovereignty regulations around the world. What does that imply for the CISOs charged with reducing the digital sovereignty risk their enterprises face while enabling the agility these enterprises need to be competitive?
Deloitte's Chief Cloud Strategy Officer David Linthicum recently observed that this is a challenge for CIOs:
“[Enterprises] can’t quadruple their ops budget and ops tools. In other words, adding more people and more technology. So they have to figure out how to do things in a smart way which is going to allow them to run an environment where we’re moving from say: 1,000 cloud services and applications under management, to as many as 10,000. And doing so with the same amount of resources. That’s normally what we’re wrestling with these days.”
Thales’s response to this challenge is technology that enables customers to maintain control of their data to the degree customers feel necessary to comply with regulations and yet be operationally agile. In addition, Thales technologies provide customers with ways to automatically deal with the complexity involved in discovering, protecting, and controlling sensitive data wherever it is. See our eBook “Achieve Digital Sovereignty with Thales for more on this.”
My colleague Rob Elliss discussed in a recent blog the importance of the three pillars supporting digital sovereignty:
Data sovereignty -- maintaining control over encryption and access to your data. This ensures sensitive data doesn’t fall into the hands of a foreign entity without express permission resulting in non-compliance with regulations.
Operational sovereignty -- giving an organization visibility and control over provider operations. This ensures bad actors or malicious processes cannot access, or prevent you from accessing, your valuable data, such as in the case of privileged user access or a ransomware attack.
Software sovereignty -- running workloads without dependence on a provider’s software. This gives organizations the freedom to store and run workloads wherever desired to maximize performance, flexibility, and overall resilience.
From a regulatory perspective, all these need to be managed according to the sovereignty demands of the country in which the data resides (or from which it originates). The following diagram illustrates the idea of balancing scale against local control in different digital sovereignty environments.
A great example of how this can work in a specific country is the “Trusted Cloud” offering, which our subsidiary S3NS has been developing with Google Cloud in France. S3NS’s mission is to help public and private organizations in France benefit from the power of the Google Cloud Platform (GCP) while protecting their sensitive data in compliance with the criteria of France’s national Information Systems Security Agency’s (ANSSI) SecNumCloud Label for a Trusted Cloud.
Currently, S3NS is commercializing “Local Controls with S3NS", a solution that complements the standard high security and performance specifications of the Google Cloud Platform with guarantees on data location and localized support, and additional security that includes encryption-controlled data access operated by S3NS. This offering enables organizations to start their move to the French “Trusted Cloud” now but is not a labelled offer by the French ANSSI
The new company, majority-owned and fully controlled by Thales, is under French law and follows the October 2021 partnership announcement between Thales and Google Cloud to jointly develop a locally compliant Trusted Cloud offering. S3NS will offer from the second half of 2024 its “trusted cloud” service. This will ultimately combine the full performance, services, and applications of Google Cloud technology. It will also enable protection against extraterritorial foreign laws and compliance with the requirements of the “Trusted Cloud” label of France’s Information Systems Security Agency (ANSSI) in the frame of the French State strategy. S3NS will directly operate data centers to ensure data and workload localization in France. Data centers and engineering assistance will be available this year and the recruitment of engineers who will operate the “Trusted Cloud” will begin.
S3NS's first offering is "Local control with S3NS," which will offer Google Cloud customers in France continued high public cloud performance with added capabilities to localize clients’ data in France or Europe, as needed or preferred. Customers will be able to restrict data access for administrative services and technical support solely to European Union locations. Cryptographic control of data access can be achieved with external encryption key management from S3NS. This first offering brings:
Additional security guarantees
Additional automation to simplify operations
Additional transparency to increase customer confidence in cloud operations
Expect to see more offerings like S3NS from Thales soon.