Data security, sovereignty and integrity are business-critical and thus always need to be transparent.
The past 50 years have been heavily marked by fast technological advancements that have had an extraordinary impact on our daily lives. In the 1970s, computers and the internet were things only governmental institutions were using! There was no on-demand television or instant messaging – people had to keep track of their favorite TV programs in newspapers and had to either make a phone call or meet up personally to talk about their day. Today, our devices are superpowered and our internet connections are lightning fast, all at mostly affordable prices. Humanity is more connected than ever, but how does this impact our private lives and the security of our digital identities? How do you make sure that your data is your own in such a fast-paced world?
What’s the difference between data security, integrity and sovereignty?
Let’s first set a common understanding of the key terminology:
Data security is the process of protecting data from being accessed, manipulated, or corrupted by unauthorized personnel or applications during its lifespan. It includes activities such as data encryption and hashing.
Data integrity (also called data quality) indicates how consistent and untampered-with a set of data is, regardless of where and how it is stored.
Data sovereignty makes sure that your data is subject only to the laws of the country in which it is located.
Between our social media accounts, the online shops in which we’ve saved our payment data for faster transaction processing and the occasional sweepstake we’ve shared our personal address with in case we win something, we tend to forget about how compromised we could be. Even if we’re not directly the victims of a large security breach, such as the Yahoo security breach in 2013, during which a whopping 3 billion accounts were compromised, the data we willingly share with multiple platforms is often shared with or sold to third parties – and often isn’t anonymized.
What are the dangers of mishandling or corrupting data?
A recent summit of data security and sovereignty leaders focused on discussing some of the topics we’re talking about here. In the recorded interview, the cloud leaders of NXO, OVHcloud and Alcatel-Lucent Enterprise came together to discuss what it takes to guarantee total and transparent data sovereignty.
Sylvain Rouri, Chief Sales Officer at OVHcloud, compared data to a locked bicycle: “Encryption is just the lock on your bike. It doesn’t prevent the bike from being stolen.” He also made it abundantly clear that true data sovereignty can only be achieved when we know and understand all the layers. We need to ask “Who is handling the data?”, “Where is the data stored?” and “How is the data managed?”. If these questions do not receive clear answers, it should be considered a red flag.
The dangers of mishandling, leaking, or corrupting someone else’s data have reputational implications as well as legal repercussions. The security breach at Target jeopardized approximately 40 million credit and debit cards, resulting in a monumental sales decline and thousands of employees losing their jobs. It took years to repair the damage.
The three challenges of true data sovereignty
Moussa Zaghdoud, EVP of the Cloud Communications Business Division at Alcatel-Lucent Enterprise, highlighted the risk by noting that if you communicate, you’re exchanging data. He and Rouri agreed that very few certifications out there truly regulate and guarantee data sovereignty. Although France is leading by example with the ANSSI SecNumCloud certification, there remains no centralized certification that guarantees data sovereignty on a European level.
Zaghdoud noted three big challenges for vendors when complying with regulations. First, make sure to use best-in-class encryption mechanisms and state-of-the-art technology. Second, fully secure all data wherever it is located or accessed from. Last, and maybe most important, retain a smooth and intuitive user experience.
The answer seems to lie in understanding the layers of a truly sovereign solution and how they come together. Starting from the ground up, the infrastructure needs to comply with all local and international regulations and standards. The solution you are building on top of it then needs to meet all security standards for encryption, technology and interconnectivity. Data needs to be protected not only when it is stored, but also when it is in transit. The last piece of the puzzle is the integrators at customer level, who must ensure that data is protected on their end, regulate how and if it is shared with third parties, and make sure that the solution is deployed correctly.
Trust and expertise are the foundation of data sovereignty
With every new encryption method and technology comes the need to adjust existing regulations and laws. Sometimes those adjustments are minor and easily executable, but a change in technology can also render prior laws completely obsolete. The latter situation has a bewildering impact on all three layers – infrastructure, solution, and deployment. François Guiraud, Head of Business Development & Digital Transformation at NXO France, says that service providers and integrators are closest to the customer. They need to work hard to earn accolades and position themselves as trusted advisors.
It is a constant war of attrition to keep ahead of ever-changing trends and technologies, always balancing what’s new and what’s well-established. So long as this is controllable by local authorities, we can determine data sovereignty. The real confusion starts when we start deploying solutions from vendors across the globe, or more specifically, when using solutions managed by US-based enterprises in Europe.
How the CLOUD Act endangers data security and data integrity
What may seem harmless at first glance could turn out to be a serious breach of data sovereignty and integrity. In 2001, the US government issued an anti-terrorism law called the Patriot Act, empowering it to enforce access to any data stored inside the US. This would be quite easily countered by hosting the data in another country, were it not for the CLOUD Act (2018), which extended the Patriot Act from US-only to worldwide reach if the enterprise handling the data has a US headquarters.
In addition to regulations, laws and technological breakthroughs, unexpected global developments, crises or collapsing markets can cause unforeseen sanctions that could inflict grievous wounds on your organization. Rouri of OVHcloud encapsulated this by saying, “You can only achieve full trust by completely understanding all the layers. If you don’t, then you cannot redeploy, protect, scale, or revert. You are basically a prisoner of the solution you have chosen.”
In conclusion, if you truly want to make sure your data is secure, sovereign and untampered-with, inspect all layers of the solution you are seeking. Make sure that everything is laid out to you transparently. Cover everything from how and where a solution is hosted to who is developing, managing and deploying it. Limit third-party access and ensure that, when access must be granted, it is encrypted and secured from an end-to-end perspective. Your data is your own, but it sometimes takes a bit of reading between the lines to make sure it stays that way.