The cyber security market has grown significantly in the last decade. As many MNCs have moved their business onto online platforms, their exposure and the threats to their networks, data and servers have increased accordingly, so the need for cyber security, and for the right knowledge to keep their systems and servers from being attacked, is now of prime importance. With the emergence of global data privacy regulations such as GDPR, organizations that collect personally identifiable information (PII) must answer a key question: is the data subject to the local laws of the processor or of the person it concerns?
Data sovereignty refers to the concept that the data an organization collects, stores, and processes is subject to the laws and generally accepted practices of the nation where it is physically located. Closely connected to this concept is data localization, the idea that data should be processed locally and remain within the borders of the jurisdiction where it originated. As there is no clear-cut guide on how to navigate the patchwork of global data protection regulations effectively, organizations, countries, private firms, and upcoming start-ups are increasingly adopting data localization policies, believing this approach will not only ensure regulatory compliance but also strengthen data protections. However, even this approach is not without its risks. To start, the determination of data sovereignty is not always as clear-cut as it seems. For example, if a company based in Germany uses a U.S.-based cloud provider such as Google, the data is subject to U.S. law even if it is still physically stored in Germany.
One real-world example of this is TikTok, which stores its data in Singapore and the U.S. so that it cannot be subpoenaed by the Chinese government. However, its parent company, ByteDance, is based in Beijing and is thereby subject to intelligence requests by the Chinese government, as is any data TikTok shares with it. Secondly, hard data localization policies disrupt global data flows. For organizations that manage a large number of transborder activities, such as financial institutions, pharmaceutical companies, airlines, and even hotels, this can pose major operational challenges. Storing data and making it viewable internationally has never been easy; the systems behind it are developed every day and take hours of work to make data readily available to anyone who searches the internet for it.
Making this data available at the fingertips of anyone who wishes to access it has never been simple. The servers are physically located in one country, the host company is in another, the service provider is in yet another, and the data provider and the viewer are in other countries still, so it is a global process that people do not see but tend to understand once it is explained. Last but not least, setting up data centers in every country where one does business is not realistic for many global companies. Not only would this approach be incredibly expensive, but not all countries have the infrastructure or regulations to support such endeavors. In such environments, the risk of data breaches could increase. Government norms, policies, laws and even climatic conditions would all affect the setup being planned in that particular country.
Data Sovereignty Solutions
One of the most straightforward data sovereignty solutions is encryption. It is the most widely used technique for denying any group or individual who attacks the system, for instance to obtain a ransom for the data, any usable access to it. Many MNCs across the globe use this as their first line of defense, as it is cheap and very effective against any foreign agent who wishes to penetrate the system. Data encryption protects data by converting readable plaintext into an unreadable, encoded format known as ciphertext. Authorized users can unscramble encrypted data using a key. Thinking back to the earlier example of the German-based company and Google: if the data were encrypted, Google technically would not have access to it, and therefore the data would no longer be subject to U.S. subpoena power.
Even with encryption and other forms of data masking, data sovereignty, together with the due diligence and planning it requires, must be built into one’s multi-cloud strategy, with blueprints for the whole system so that it has maximum transparency and developers have a clear view of any penetration attacks and of any leaks. The CISO must partner with both stakeholders and cloud providers to determine which data should be stored where, based not only on cost but on security and accessibility as well.
Written By:- SHASHANK MISHRA