Dealing with the Challenges of Data Sovereignty
By Paul Oor
My apologies for the blunt title of this article. Like any title, it’s meant to trigger your attention, in this case aiming it at the more physical aspects of Data Sovereignty. The considerations and Top-10 checklist in this article are valid for most organizations and Businesses, regardless of your business profile, operating on the white side or dark side of the spectrum. This article and the checklist in particular are intended to be read and dealt with on a managerial, Boardroom level, supporting and supported by professionals, i.e., the Security and Data Protection Officers (CISO, DPO).
I’m pleased to notice that IT and Data management are shifting to a commodity. There is subsequently noticeable improvement in the collaboration between members of the Boardroom and their infosec and Data protection professionals. Nevertheless, reactions to my earlier articles, presentations, professional experiences and reports in the press show that we still have a long way to go. It will still take some time before the majority of managers and members of the board take full, informed responsibility. The width and depth of the security and Data protection topics we’ve got to cover is very interesting to us as professionals. However, for boardroom members, our concerns and advice are often overwhelming and confusing, as they are already dealing with so many dynamics and so much volatility. Professionals, therefore, have to focus on specific concerns and simplify whenever we can. A good and nowadays even essential place to start is to provide guidance and support in deciding where to store and process the Data your organization is responsible for. In this article, I’ll give some practical checkpoints to be discussed on a business management level. They are intended to trigger and support a discussion ending in a decision which ensures your organization’s Data resides and is processed in a location with an acceptable risk profile.
Introduction, Data Sovereignty
In a world where most Data is processed and stored across geographical borders and supported by foreign technologies, many governments are raising concerns around Data Sovereignty.
Although Data Sovereignty is a relatively new concept, the definition is hardly disputed, and Atos’ definition is fitting for this article: Data Sovereignty refers to the degree of control an individual, organization, or government has over the Data they produce and work with (local or online). In contrast, Technological Sovereignty is the degree of control the organization has over the technology it uses.
Data Sovereignty and Technological Sovereignty are the two pillars of Digital Sovereignty. In this article, I’ll address the degree of control an organization should be looking for, specifically for data storage and processing. This is aligned with the World Economic Forum (WEF) definition: “The ability to have control over your digital destiny – the Data, hardware, and software that you rely on and create.”
Although Data Sovereignty covers many topics, physical aspects of storage and processing of Data play an increasingly important role. In Europe, the public debate on Data storage and processing is open and fierce. In many other parts of the world the topic appears to be dominated by State and Commercial plans-within-plans and schemes-within-schemes, from an offensive and defensive perspective. The latter approach usually supports the agenda and motives of both state and commercial organisations in these regions, treating data as a strategic asset and often disregarding privacy constraints imposed by ethics, privacy laws and regulations. These agendas should be taken into account while you are defining your organisation’s Data Sovereignty strategy!
In this article I will use the abbreviation ‘DC’ quite often.
When your big computers are physically close to your business and directly controlled by your organization, please read DC as a traditional Data Center. That’s nowadays not often the case anymore. So, most of the time I’m challenging you to look at someone else’s large computer with your data on it as a Data Colony. A colony with specific advantages and with an elevated risk profile for your organization at the same time. The risk levels depend very much on the traditional physical and logistical risks. But nowadays even more on the sovereignty of the country where the DC resides, the (commercial) sovereignty of the DC-service provider and the availability of lengthy network connections, usually passing through various sovereign regions too.
Flashback… lessons from the past
Even before I got professionally involved in the IT industry, I was involved in crucial Data transport, processing, and storage activities. In the 1970s, I worked briefly as a driver for a Bank. I was transporting kilos of continuous stationery (form paper) to and from a central Datacenter (DC) and the branch offices. During the day, the bank employees made notes on the local client’s transactions (deposits, withdrawals) on these computer prints. We collected these printouts with handwritten notes in the early evening and drove them to the Bank’s DC, where data-typists processed the modifications. We then returned the updated stationery to the local branches in the very early hours of the next day. This daily operation in The Netherlands involved over 70 cars and the involvement of additional local taxi companies.
I know. Sounds crazy from today’s perspective. But at the time, it was a very robust and efficient system. It taught me lessons on efficiency and continuity which I’m still putting to good use every day. Data connections capable of handling these – at the time considered – vast amounts of Data were not available or too expensive then. It was a very slick operation with lots of fallback scenarios, e.g., alternatives in case one of our vehicles broke down, or rerouting us, as Data carriers, to the alternative DC when the prime DC was unavailable. Extremely reliable, simple, and even cost-effective. We were always proud to have all the customers’ Data available at the branches before the offices opened at 9 AM.
In that short period, I learned a lot about making simple, business-wise decisions related to Data security, availability, and continuity.
Other valuable lessons take us back even further. In the past, The Netherlands prospered thanks to state-sponsored piracy. Private companies established colonies and safe harbors to store their loot and secure shipping routes the hard way with the government’s blessing. You might recognize the analogy with today’s activities of IT pirates, i.e., state-sponsored hackers, Data Colonies (DC), and international routes, i.e., network connections. It might give you a tangible reference for the threats you must consider to maintain your organization’s Data Sovereignty, understanding the means, motives, and opportunities of those interested in your new gold, i.e., Data! States and ‘their’ pirates knew then and now know how to deal with, e.g., opportunities, risks, opponents, safe harbours, global supply chains, ransom, shifting loyalties, and ruthless business operations. Not much has changed over time.
Bottom line: Digital Sovereignty is about controlling, developing, and maintaining defensive and offensive capabilities next to regulation and legislation. Where can and may we process our Data, in which Data-colony? Who can be trusted, legally and effectively, and who’s reliable in the long run?
What’s your safe Data harbour?
Most NL and EU Data reside in foreign Data colonies. That usually isn’t the case for organizations and citizens of, e.g., China, Russia, and the U.S. Remember: when you’re not running your own DC, data availability and access depend on the willingness and approval of your Data hosting provider, and on the availability of international digital supply chains, i.e., networks.
Organizations should carefully (re)consider where their Data is processed and stored. The strategy must consider a complex variety of topics which are, unlike in the past, not limited to financial and technical parameters.
I’ve outsourced most DC activities. Should I bother…?
A few decades back, I learned my lessons on ‘where to store our Data’ while being involved in large companies who were building and maintaining their own Data Centers. We used extensive assessments to decide on the geographic location and investments in the physical characteristics of the Data Center. Nowadays, most Businesses have moved from operating their own DC, i.e., CAPEX, to outsourced services, i.e., OPEX. However, there is a noticeable reverse movement as well.
Outsourcing doesn’t mean the checks we went through back then can now be skipped. Instead of taking direct on-site control for the risks of operating your own DC, we should now ensure that our DC vendors have validated risks and are willing to share the risk profile with you. Regardless of the current reputation, certification, and accreditation of the DC vendor, you should regularly validate if their position and risk profile match your organization’s risk profile. Times have changed and will change again; old and new critical criteria must be evaluated often. Keeping the earlier mentioned historical analogies in mind.
Top-10 Checklist for your big computer or someone else’s DC.
To support these repetitive assessment(s), the following risk-based top-10 is generic. Applicable when you’re running your own DC or validating the infrastructure- or cloud-based Data services procured from a 3rd party. Data hosting and cloud solutions are great but depend on the availability of a DC and networks. Often governed by a 3rd party, their (sub)contractors, and even regional governments. Regardless of the assurance- or certifications they presented, discuss the following topics to determine whether the supplier’s risk profile matches the one of your organizations.
1. Natural disasters. Hazards like forest fires, flooding, and hurricanes.
Hazards like forest fires, flooding, and hurricanes are standard topics, but in The Netherlands and Europe they are often taken for granted. Working for a Global Company, I’ve experienced the impact on the availability of DCs and their supporting workforce and supply chains, e.g., whenever floods in India or tornadoes in tornado alley in the U.S. occurred. With the impact of climate change, this item deserves a more prominent position in your strategic assessment. Even in NL or Europe!
2. People: DC proximity to end-users
Despite today’s high-speed network connections and redundancy of DCs all over the Globe, you should still consider latency and availability of the required network connections as tangible risk factors. The most straightforward approach is to operate your DC or procure DC services close to the end-users who rely on the Data in this DC, especially with the rising demand for speed and volume.
3. People: availability and reliability of support staff and suppliers
Even with today’s remote support and darkroom solutions, I prefer to ensure that skilled support is available to be on-site in a DC at short notice, even if only to operate an off/on switch manually or replace systems and components. Hence, depending on your acceptable risk profile, the physical availability of DC specialists reduces response times and risks of interrupted commutes. On the other hand, a natural disaster in the DC area might also impact this staff and their families. So, again depending on your acceptable risk profile, ensure the availability of DC support with a Plan B. And when this staff resides close to the DC, do not forget to include them in your location assessment when evaluating regional Data protection laws, background check opportunities, work ethos, social attitude, political stability, etc.
4. Public physical infrastructure; air, road, train.
Apart from network connections, there is a need to assess the availability and quality of roads, railways, and airports. In Europe, we’ve become accustomed to high-quality infrastructures. This comfort should not be taken for granted, considering, e.g., labour strikes, climate change, and political instability, even in Europe. It’s great when you or your supplier have emergency power generators for the DC available. The generator quickly becomes useless when the fuel supply can’t be replenished, or spare parts and replacement components can’t be flown in time due to strikes, traffic jams, political disputes, pandemics or special military operations.
5. Local real estate situation
The local real estate situation is particularly relevant when planning the physical location for your own DC or monitoring the planning developments in the DC’s neighbourhood. Yes, really… I’ve encountered the sudden erection of a fuel station and even fireworks storage as a neighbour to a DC. And crashing computer drives due to vibrations from a new high-speed railway or pile driving during construction activities next to the DC. Should you explicitly challenge or query your DC provider on these risks? That’s probably taking it a bit too far. They will be driven by their business case to deal with these tangible risks for their DC operations. As the DC is usually situated abroad, effectively evaluating and tracking their physical security situation is pretty hard for you too.
That constraint applies to some other topics in this checklist as well, but for many of these other parameters, the DC provider will offer you service options to choose from; depending on your business requirements, risk appetite, and the price you’re willing to pay.
6. The trading routes… network connections
We’ve become accustomed to increasing network speeds and redundancy. These have become a commodity from both an availability and a financial perspective. Quite impressive… considering the ever-increasing amount of data we send through these routes and our dependence on these facilities to ensure the transport of our Data from and to DCs and devices. I think we’ve become too complacent and relaxed on this topic. Despite much redundancy, there are still many technical, physical, environmental and even political risks that could hurt your organization. The network risk assessment should include, e.g., the unpredictability of both Global politics and large commercial operators, and even the technical impact of climate change. And yes… proximity will also reduce your threat surface for these risks.
7. DC Power Supply
No Data processing without electricity… Availability of electricity is therefore one of the most classical checks when talking about and classifying DC availability. Solutions like a multi-supplier strategy with split, redundant power supply connections entering the DC, UPS equipment, and emergency generators have become the standard for most professional organizations and service providers. These measures are still relevant, but the characteristics and concerns related to Power Supply have also evolved. They are not limited to the more noticeable new threats resulting from political instability and extreme weather conditions. Climate change has escalated the need for organizations to consider and tangibly contribute to sustainability: in this case, to reduce the use of fossil fuels and make the most of green energy while at the same time avoiding negative publicity, greenwashing, and not-in-my-backyard debates. Power availability has taken a completely new turn with grid congestion issues as well. Data storage and processing is and will remain a major energy-consuming industry while, at the same time, we’re in a dramatic energy conversion. So, next to the classic power supply availability checks, consider social acceptance, sustainability, and grid congestion when deciding where to build or procure your DC.
8. Legislation and regulation
Considering laws and regulations, deciding which Data Colony your Data will live in is complex. It is highly dependent on your organization’s profile, interest, and markets. On the one hand, operating a DC facility in regions with powerful, protective laws might put you at an advantage. On the other hand, it might be perceived as a business development constraint. The continuous debate between the EU and US governments and companies offers at least some strategic transparency. But for most other countries, the landscape is very diverse and unpredictable, to say the least, from a DC operator’s as well as a customer’s perspective. When considering the dynamics in this field, make sure strategic legal specialists are involved in your decision-making process, in particular when considering storing and processing your Data abroad.
A few years back, I would never have dreamed that I would pay as much attention to this topic in my checklists as I do now. I touched on the matter earlier, e.g., introducing checks when selecting potential DC locations.
Nowadays, the reliability and robustness of your Data processing depend on the geopolitical situation. Concerns are not limited to legislative issues or tangible availability, confidentiality, and integrity threats. Softer themes are also relevant, e.g., will your customers and the general public accept how and where your organization is processing or accessing their Data? Government concerns about National Security and Data Sovereignty result in more government-supported initiatives as well, along with new regulations and legislation and shifting loyalties and alliances.
So, which company, country, or region is considered reliable enough in the long run?
10. Finance, the Business Case
Finally, there it is. Money will always be a factor in your equation and decision too. Data generates financial revenues or an alternative added value for today’s organizations and has become the most critical asset. The rapid development of Artificial Intelligence (warfare included) will increase the value of Data even more. Combining this and the previous 9 themes is the basis for a business decision on how much to spend on Data storage and processing, e.g., considering alternatives like your own DC, procurement of DC-Services, or a hybrid set-up. The ideal choice for your organization is always a combination of your business model with financial opportunities or constraints; e.g., can you even afford to choose between CAPEX or OPEX once you’ve selected your preferences based on a strategic risk profile?
Dealing with the Challenges of Data Sovereignty involves many decisions on the relevance and importance of available options while accepting uncertainty in a complex, dynamic world. The importance of Data for any organization is increasing and undisputed. The IT-industry has become mature on the classical themes ensuring continuous operations of Data Center facilities like those addressed by the Uptime Institute. The top 10 considerations in this article aim to revisit the traditional risks and add new threats to the equation while stressing the importance of continuous monitoring of your organization’s Data Sovereignty in a dynamic and volatile world.
I’ve focused on the physical aspects of Data storage and processing. We’re getting so accustomed to Globally interconnected systems and often outsourced infrastructures that we risk forgetting that Data physically resides somewhere, either at rest or in transit. Strategic decision-making that matches your organization’s risk appetite and profile on the physical aspects of Data storage and processing is crucial for future growth and success.
Management often assumes their DC staff and providers have taken all the proper measures to ensure Data Sovereignty. Considering today’s IT maturity, that’s usually indeed the case only for the traditional themes. Decisions on DC services and thus Data Sovereignty on a physical level are strategic. CISOs and DPOs should take an interest in Data Sovereignty to support their management in the decision-making and continuous monitoring process.
The Golden Age of Piracy and State-sponsored piracy is back. So unfortunately, business management needs to (re)consider where to stash the organization’s Data loot. Walk through the checklist frequently, at least once a year, with the support of internal or hired professionals with a strategic view on security and privacy risks, to answer questions like: who do you trust in the long run with your license to process, and which Data Colonies and safe harbors match your organization’s risk profile in today’s exciting but complex world?
 Digital sovereignty for Europe (europa.eu)
 e.g., Rackspace Cloud, Oracle Cloud, Google Cloud platform, IBM Cloud, Microsoft Azure, Amazon Web Services or even Alibaba Cloud (Aliyun)
About the author
Paul W.M. Oor CISO, CISSP, CCSP
A few decades back computers entered public and private organizations. Paul then decided to change his initial career path as a Financial Controller towards ICT management. Intrigued by the complex puzzle of effective and affordable risk management he subsequently focussed on information security and privacy. With more than 20 years’ experience as CISO and Privacy Officer in a variety of (inter)national organizations Paul nowadays acts as interim security manager, consultant and program manager. Next to his commitment to ensure security and privacy compliance, Paul always aims at increasing effective digital resilience. First; by increasing awareness and commitment on all levels in the organization and that of senior management in particular. As such he considers his original background as a financial controller still to be extremely valuable while discussing risk profiles and investments. Secondly by improving collaboration and sharing information and experiences amongst security- and privacy professionals. As such Paul was e.g., one of the founders of the ISAC-MSP as well as the ISC2-chapter in The Netherlands. He published articles, blogs and provided presentations on a variety of information and privacy related topics. His long-time affiliation with the world of aviation provides him inspiration and tangible examples of enhancing safety and security by sharing knowledge and experience.
The author alone is responsible for the views expressed in this article. The views mentioned do not necessarily represent the views, decisions or policies of the ISACA NL Chapter. The views expressed herein can in no way be taken to reflect the official opinion of the board of ISACA NL Chapter.
All reasonable precautions have been taken by the author to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material lies with the reader. In no event shall the author or the board of ISACA NL Chapter be liable for damages arising from its use.