Simplifying digital sovereignty in a multi-cloud world
Maintaining tight control of sensitive data is critical to digital business success, but how do you manage that complexity?
Sponsored Feature
Sovereignty has traditionally been defined as the ability for a state to rule itself and its subjects, and it's been on the agenda since civilisation began. But only recently has digital sovereignty – the ability to control and make decisions about your own digital assets – emerged to become an issue in its own right.
"Broadly speaking, digital sovereignty means having control of your digital destiny," explains Tim Phipps, director of cloud alliances at French technology group Thales. "One level below that, it means that you're in full control of the software and the hardware and the data that your business relies on."
Having control of your digital destiny might not have seemed important when all IT did was run a batched payroll. Today, when companies live and die based on their use of technology which spans multiple devices, systems, applications, workloads and hosting locations, it's a much bigger deal.
It's a particular problem for companies using cloud service providers that don't tend to keep their data in one place anymore. Over 90 percent of organisations now have a multi-cloud strategy according to a recent Thales Threat Report. It also found companies mixing these multi-cloud environments with on-premises and colocated data centre operations, muddying the waters further.
That presents a number of challenges, including, for example, the costs involved in managing multiple encryption key stores and management processes as more data moves into the cloud. That means organisations often have to employ different teams to run different key management solutions (a recruitment challenge in itself). They also run the risk of extending the attack surface for hackers by fielding a series of disjointed data security solutions, each of which operates differing security policies and processes.
Like the internet itself then, digital sovereignty sounds simple enough but is a deceptively complex concept with many moving parts. To help organisations fully understand and address these challenges, Thales breaks sovereignty down further into three elements: data, operations, and software.
Data is what many people think of first when they hear the term digital sovereignty. This is a state's ability to protect its own data, and that of its citizens, from intrusion by other states. This has been a defining issue at the heart of internet governance during the last two decades.
"The thing that nations were concerned about, especially in Europe, was that a lot of the cloud providers (or hyperscalers) are all American," Phipps points out. "There were all sorts of concerns around these US spy laws."
The Patriot Act included language that granted US authorities possible access to cloud service providers' business records, which Microsoft later admitted put the privacy of non-domestic customers' records in jeopardy if the US government asked for them. The CLOUD Act, introduced in 2018, later solidified government investigators' ability to obtain files from companies processing data on foreign soil.
At the same time, there was an ongoing tussle with privacy advocates over data sharing between US and European companies. The Safe Harbour provision allowed US companies to transfer data from EU partners to the US if they promised to abide by several privacy principles. Privacy advocate and lawyer Max Schrems challenged this provision in 2015, which led to it being struck down and eventually replaced with the EU-US Privacy Shield agreement. Schrems challenged that, too, and it was declared invalid in 2020.
Now, the EU and US are taking a third stab at it with the Trans-Atlantic Privacy Framework. A draft adequacy decision that attempts to replace the "Privacy Shield Decision", which was subsequently invalidated by Schrems II, has very recently been published by the EU.
Initial feedback from privacy advocate Max Schrems is that the draft decision is almost wholly based on the known Executive Order that was previously thrown out. The expectation is that Max Schrems' team is likely to challenge this in the European Courts. Consequently, companies on both sides of the Atlantic remain unclear about what happens next and this can cause digital transformation projects to stall.
Phipps recommends that organisations put appropriate controls in place to protect their digital assets, so that they can own their own data sovereignty and speed up their journey to the cloud independently of geopolitical change.
However, this can present a considerable challenge in a multi-cloud and hybrid environment. Almost one in five respondents to the Thales survey said that they did not know where all their data is stored. Around half said that managing their sensitive data in multi-cloud environments is more difficult than looking after it on-prem. It's a situation that can have grave ramifications. The Thales survey also found 35 percent of respondents suffered data breaches or failed audits of cloud-based data and applications in the last year.
Operational and software sovereignty
The second class of digital sovereignty is operational, Phipps continues. "This is where you've got your data in the cloud and you're worried about an insider threat or bad actors," he says. "That could be a cloud engineer, but it could also be your own people." A rogue employee intending to seek personal financial gain could pilfer your data, as could a disgruntled worker of your own, potentially at the behest of a third party.
The threat to operational sovereignty might also appear in the form of malware, a corrupted application, or ransomware that has harvested the login credentials of a privileged user to gain escalated access to sensitive data or systems.
Finally, Thales lists software sovereignty as an issue for companies. "This is the ability to run your workloads wherever you want," Phipps says.
Companies increasingly want choice when they go to the cloud. They might want to run most of their workloads with a specific cloud provider to get improved commercial terms, he explains. But regulators are concerned that, if there's no possibility to perform a controlled and prompt stressed exit, those companies are effectively putting all their eggs in one basket. Organisations are being encouraged to ensure that their mission-critical workloads are secure and portable, which helps ensure operational resilience and business continuity should something go wrong.
For example, the Bank of England's Prudential Regulation Authority, which succeeded the Financial Services Authority, has expressed concern over banks' reliance on cloud computing from a single vendor. It recommends that Financial Services Institutions adopt multi-cloud architectures to spread risk and avoid vendor lock-in, whilst the Digital Operational Resilience Act (DORA) in the EU advocates a similar approach.
Consequently, banks are under pressure to share their workloads around and have backup cloud providers that they can switch to in the event of an outage or a breakdown in the relationship.
Protecting digital sovereignty in practice
Thales has made a business of supporting these various sovereignty requirements. It uses a four-step process to get its clients onto a positive footing where they feel completely in control of their own data, operations, and software.
The company begins with a process of discovery. You can't control what you don't know about, after all. So it seeks to answer the questions: Where is your data and what is it? How sensitive is it?
Many organisations don't know these basic facts, says Phipps. They're generating new data all the time, and it's no longer simply a case of classifying database records in known fields. "Increasingly, a lot of the sensitive data that's been generated is unstructured and appears in random locations," he posits. Increased cloud adoption and modern remote work policies have contributed to 2.5 quintillion bytes of new data being generated every day in emails, presentations and spreadsheets according to some estimates. Without outside help, it's much harder to track the location of the sensitive information those vast volumes contain.
To that end, Thales developed its Data Discovery and Classification (DDC) solution, which scans for specific data types according to compliance models in which the organisation is interested. DDC uses machine learning algorithms, and a reference library of pre-defined data privacy and regulatory templates such as GDPR, CCPA, LGPD, PCI DSS and HIPAA, to find sensitive data of interest and apply a risk score based on the client's policies and compliance. DDC can then recommend manual remediation or apply it automatically, which saves time and helps minimise the attack surface.
Protection through multi-layered encryption
What does this remediation look like? This is where the second step of Thales' methodology – protection – comes in. This focuses mainly on multi-layered encryption, which it splits into three types: data at rest, in transit, and in use.
As Phipps points out, all major cloud providers encrypt data at rest by default. However, there's a caveat: many of them only encrypt it at the disk level. That may stop someone retrieving the data in the unlikely event that they steal a physical disk from the cloud data centre, but what if they hijack someone's account remotely? Few, if any, cloud providers automatically encrypt data above the disk level such as at the file, database, or application level, which can help mitigate this threat.
Thales provides solutions to encrypt data at multiple levels, including structured and unstructured data, to achieve defence in depth. Transparent encryption at the file level protects the entire database for around a two percent performance overhead, Phipps says. Clients can apply higher levels of encryption to specific fields in the database should they wish.
While that imposes an extra performance overhead, it also provides heightened levels of protection where needed. Security, compliance and performance are often subject to trade-offs. The key is to adopt a risk-based approach to ensure that appropriate protection is applied based on desired business outcomes.
When it comes to in-transit encryption, TLS is the de facto standard. However, Phipps argues that this can often struggle under the huge volumes of data that some companies process in the cloud. Instead, Thales offers high-speed encryption in its Network Encryptor products, which Phipps says are faster than TLS and offer a higher degree of protection.
Thales also focuses on encryption of data in use, which fights tampering or snooping during cloud processing. "We've been speaking to some critical infrastructure providers like energy companies, and they're worried about running sensitive workloads in the cloud for safety critical applications," Phipps says. "If somebody injects some malware into a chip that is processing data, they could effectively perform a denial of access and take the whole system down."
To combat this, cloud providers are working on various confidential computing initiatives. In these services, a portion of the chip becomes a secure enclave under the customer's control rather than the cloud service provider's. Microsoft Azure, Google Cloud and AWS all have offerings here.
Maintaining data sovereignty in the cloud
The third strut of Thales' digital sovereignty service is control. Leaving those encryption keys in the cloud theoretically puts them under the cloud service provider's control, which is a clear threat to the customer's sovereignty. This renders the customer vulnerable to malicious behaviour or mistakes from a third party such as the cloud service provider's own support engineers. It also puts the data at risk in the event of a subpoena from a foreign state.
The solution to this threat lies in the separation of duties. Creating and storing encryption keys outside the cloud, separating them from where the sensitive data is stored, gives the customer ultimate control over the data. Should a threat to the data arise, the customer can withhold the keys. Because the cloud service provider cannot unilaterally access those keys, they cannot be compelled to hand over the data to a third party.
Some cloud providers have introduced services that allow customers to store their own keys for cloud-based workloads, creating a clear segregation of duties between cloud service provider and customer. Google Cloud's External Key Manager (EKM) is a case in point.
Thales has been working with Google Cloud to help customers manage control of their data, operations, and software while still enjoying the benefits of cloud computing. In December 2020, they worked to integrate Thales' CipherTrust Key Broker service with Google Cloud's EKM. This enables customers to generate their encryption keys for Google's cloud service while keeping the keys outside the Google Cloud environment.
Since then, the two companies have expanded the partnership to cover other services. In June 2021, for example, CipherTrust Manager and Thales' SafeNet Trusted Access product were integrated to support client-side encryption for Google's Workspace service. This lets organisations encrypt Google Drive data using their own keys.
In the last year, they've also collaborated on a cloud-based platform that complies with the French government's Trusted Cloud label. This requires cloud service providers to host their servers in France and allow only European companies to operate these servers, utilising European citizens, while limiting data transfers to other countries. In addition, the label sets out a series of legal, physical, operational and technical requirements.
In the meantime, Thales' majority-owned joint venture with Google Cloud, S3NS, is already enabling Google Cloud customers in France to restrict access to EU locations, with the help of its own key management services. S3NS manages high-level keys, identities and roots of trust, as well as checking Google Cloud updates and reviewing the source code. S3NS is also developing a Trusted Cloud-compliant service, scheduled for release in 2024.
Unifying cloud operations and key management while keeping keys under customer control solves one of the biggest problems in cloud security: the complexity of key management. The Thales survey found 57 percent of companies using at least five separate key management solutions, increasing the complexity and cost of managing data encryption. Aggregating and simplifying this key management will become steadily more critical as companies manage sensitive data in an increasingly distributed environment.
Monitoring digital sovereignty over time
As companies continue to expand their digital assets across complex multi-cloud and hybrid environments, they need a way to maintain visibility. This is where the final part of Thales' digital sovereignty process comes into play: monitoring. The company's CipherTrust platform, currently available as an on-premises product but soon to be launched as a service, provides a single-pane-of-glass view of digital sovereignty across all of their tools and processes in multi-cloud and hybrid cloud environments. The system provides access to a range of third-party products alongside Thales' DDC.
Digital sovereignty principles and practices will only become more complex over time, says Phipps. That's why he emphasises the benefits of building privacy by design into hybrid multi-cloud architectures. Phipps also advocates the need for building human relationships based on trust and empathy that seek to maximise the customer experience.
"Technology on its own without the right partnerships at an advisory and supplier level probably won't make it easier for the customer to understand how to move forward," he concludes. This is a difficult puzzle to unravel, and it takes third-party expertise, and a partnership approach, to do it properly.
Sponsored by Thales.