Keeping Your Digital Destiny Firmly in Your Hands

Written by Welland Chu, Ph.D, CISA, CISM.

What Are the Top Priorities for Governments and Regulated Industries?

Great minds think alike. When it comes to cloud adoption, what are the 3 aspects that the governments and regulators of Japan, Australia, Europe, Hong Kong, India, and Singapore have in common? The answer is that all of them believe the cloud brings improvement in terms of agility and cost-efficiency. At the same time, they all acknowledge and place significant importance on maintaining their own digital sovereignty when migrating their workloads to the cloud.

Digital Sovereignty

Most cloud users and practitioners would appreciate the benefits of agility and cost-efficiency so I shall not dwell on these 2 topics further. Then, what is “digital sovereignty” and why is it important? The term refers to the ability to have control over your own digital destiny – the data, hardware and software that you rely on and create, as explained by the World Economic Forum. In a practical deployment scenario, Digital Sovereignty incorporates:

• Data sovereignty, which means retaining control of their data and cryptographic management, thereby keeping data within customers’ jurisdiction and avoiding subpoena threats or geo-political impacts such as the CLOUD Act,
• Operation sovereignty, meaning restricting access, thereby avoiding unauthorized access by privileged users, CSP admin or ransomware attack, and
• Software sovereignty facilitates multi-cloud operation, thereby avoiding vendor lock-in.

How to Realise Digital Sovereignty

Regardless of the cloud service offering (IaaS, PaaS, SaaS), organisations who deploy their workload in the cloud are ultimately responsible for the security of their own data, as explained in the shared responsibility model. Cloud user organisations should work with their cloud service providers to regain independent control over how their sensitive data is encrypted, who has access to their encryption keys, and where those keys are stored and managed. The procedural and technical means to achieve the objectives include:

• Bring Your Own Key (BYOK)
• Hold Your Own Key (HYOK)
• Bring Your Own Encryption (BYOE)

By retaining the management and control of their cryptography, an additional benefit to the cloud users include the mitigation of concentration risk by avoiding getting locked-in to a specific service provider.

Conclusions

Security and privacy are top concerns at government, enterprise, and individual levels. Those administrations in governments or enterprises who can demonstrate their due care on Security and Privacy will no doubt gain an upper hand in the minds of their citizens and service users. Taking control of one's own digital sovereignty means controlling one’s own destiny. Organisations who are migrating their workload to clouds should keep that within their grasp and not give it away.

About the Author

Welland Chu, Ph.D., CISA, CISM, is the Alliance Director, Asia and Pacific Region at the Cloud Protection & Licensing business unit of Thales. He serves as the Secretary and Vice President of Certification at the ISACA China–Hong Kong Chapter. During his almost 30 years in the security industry, Chu has led teams of security professionals in assessing and implementing security solutions for clients in the critical infrastructure sector. He welcomes comments and discussions on the article via email.