The confidentiality, integrity and availability of critical data cannot be delegated to a third-party cloud provider. When companies jump into the cloud, how do they land safely?

Navigating data sovereignty in a cloud-first remote working era
Brian Grant, ANZ Director, Thales Cloud Security

Hundreds of millions of employees were moved to work from home in the wake of the global pandemic. Customers were challenging businesses to deliver everything digitally. Business leaders reacted quickly to survive in a fast-moving environment, and many jumped straight into cloud-delivered digital services.

The cloud became the core of the work-from-anywhere workforce.

Speed and control are balanced.

A surge towards a cloud-first approach should not be seen as a bad thing. The flexibility to work from anywhere is proving beneficial to employees and a model that many expect to become a norm.

Many companies moved quickly over the last two years. If you crash on the first corner, there is no point in being the fastest car on the racetrack.

As cloud and hyperscale services mature, many cloud-first businesses are still navigating the complexity of shared responsibility. Businesses are still responsible for protecting the security of their data and identities even though they are using the cloud.

Data-dependent organizations can’t delegate responsibility for the confidentiality, integrity and availability of their data to a third-party cloud provider. How do companies land safely when they jump into the cloud?

Cloud first challenges.

Despite the growth in cloud-first models, a survey shows that cloud privacy and data protection regulations are more complicated to manage than on-premises environments. One in three people admit to failing an audit for cloud applications or cloud data in the last year, and a third use more than 50 software-as-a-service applications.

The shift to the cloud and remote working makes it necessary for organizations to be more aware of data sovereignty. The CIO should not be solely responsible for tackling this challenge. IT security leaders, legal and procurement teams, risk managers and auditors are all involved.

Everyone who works with sensitive or critical data knows that the data cannot be kept out of the public eye. Poorly implemented cloud data security and human error have resulted in some of the most serious data breaches and professional embarrassments. Human error is one of the threats that businesses in the Asia-Pacific region are most concerned about.

Cloud service providers have taken action to encourage better data security practices. Typically, these have involved:

  • Stricter user and administrator access controls,
  • Improved configuration documentation and best practices,
  • Better security monitoring and alerting, and
  • Prescribed use of cloud centric data encryption and key management.

Some of the risks associated with holding sensitive data in cloud environments have been addressed by this step in the right direction. It doesn’t address the demand from customers and governments for organizations to retain sovereignty over critical data and digital assets.

Whoever holds the key will have access to the data. Retention of control over who, what, when and where data is visible will become an executive or regulatory mandate to operate in the cloud.

According to the Data Threat Report, only 16% of organizations have complete knowledge of where their data is located. According to the World Economic Forum, almost all of the data is stored on servers owned by US-based companies.

Before companies think about compliance, regulations and rules, they have to consider how and where data is stored.

Migrating data to the cloud means that companies will have to choose between storing it in another location or replicating it in the cloud. To understand the regulatory requirements of each region, you need to specify the region in which the data will be stored.

Access to sensitive data within a corporation is also a challenge for organizations. If an employee based in Australia accesses EU protected data inside their own organization, this could be considered an export of sensitive data and an infraction of the rules.

Losing control of data is a growing concern for businesses and governments all over the world, yet they often overlook the data in transit. Data flows relate to how data is collected and processed. It’s important to understand data sovereignty in the source and destination regions and, if there are legal issues, to adjust data flows to make sure the data ends up in the most appropriate legal jurisdiction.

  • Use security cloud key repatriation

Organizations that want to start the sovereignty recovery journey for data stored in the cloud need to look at taking back direct control over the keys. It is quite simple to achieve with the right approach.

It involves using a cloud key management solution to synchronise keys.

While not giving you direct control over existing cloud keys that have already been created and deployed, this cloud key repatriation gives you visibility into all of them.

Complexity is the enemy of good security.

One of the lessons learned from the pandemic was that security strategies must be flexible enough to deal with the hybrid nature of infrastructure, applications, data and users as both work-from-home and cloud become permanent. Cloud computing and remote working environments have a lot of complexity, which has always been the enemy of good security.