Roughly the past 50 years have been heavily marked by fast technological advancements, and a bit more recently, by the internet. The impact these breakthroughs had on our daily lives is extraordinary. Just imagine that in the 1970’s computers and the internet were things only governmental institutions were using. There was no on-demand television or instant messaging – people had to keep track of the TV program in newspapers and had to either make a phone call or meet up personally to talk about their day.

Fast forward 20 years – we’re now in the 1990s – the official commercialization of the internet and the private computer. We’re still far from what we have today – PCs had less computing power than the very first iPhone, the internet was providing you with mind-boggling download speeds of up to approximately 5 Kilobytes a second and if you weren’t lucky enough to have an expensive ISDN-connection you didn’t have the luxury to surf and use your telephone at the same time.

It’s been more than 30 years since. Our devices are superpowered, our internet connections are lightning fast and all of that at prices almost anyone can afford. This has led humanity to be connected more than ever – freedom without end notwithstanding – but also not considering how this impacts our private lives as well as our digital identities security-wise. How do you make sure that your data is your own in such a fast-paced world?

What’s the difference between data security and data sovereignty?

To effectively tackle the topics of data security, integrity, and sovereignty, let us first delineate what the terminology means in laymen terms.

Data security is the procedure in which it is made sure that data is protected from being accessed, manipulated, or corrupted by unauthorized personnel or applications during its span of life. It includes activities such as data encryption and hashing.

Data integrity or often also called data quality, indicates how consistent and untampered with a set of data is regardless of where and how it is stored.

Data sovereignty makes sure that your data is always subject only to the laws of the country which it is located in.

Now that we’ve covered the basics and you (hopefully) understood the nuances, let us do a deep dive into why this is important. While we may not always have it on our radar, we at least subconsciously want our private data to be secure and tucked away behind impenetrable walls. Between the social media accounts, the online shops in which we’ve saved our payment data for faster transaction processing or the occasional sweepstake we’ve shared our personal address with in case we win something, we tend to forget about how compromising this could be for us.

Even if we’re not directly the victims of a large security breach, such as the Yahoo security breach in 2013, during which a whopping 3 billion accounts were compromised, the data we willingly share with the platforms we use is often shared with or sold to 3rd parties. This shared data is usually anonymized but, in some cases, it isn’t, making this a dance with the devil.

What are the dangers of mishandling or corrupting data?

Luckily for you, there’s been a summit of data security and sovereignty leaders which was focussed on discussing some of the topics we’re covering in this article. In the recorded interview, the cloud leaders of NXO, OVHcloud and Alcatel-Lucent Enterprise came together to answer questions on what is important to be considered if we’re to guarantee total and transparent data sovereignty.

Sylvain Rouri, Chief Sales Officer at OVHcloud, said it best by comparing data to a locked bicycle: „Encryption is just the lock on your bike. It doesn’t prevent the bike from being stolen.“ He also made it abundantly clear that true data sovereignty can only be achieved when we know and understand all the layers. We need to raise questions, such as “Who is handling the data?”, “Where is the data stored?” and “How is the data managed?”. If these questions do not receive clear answers, it should be considered a red flag.

The dangers of mishandling, leaking, or corrupting someone else’s data are not limited to only legal repercussions. Today, the far greater danger lies with the reputational damage that comes with data breaches. The best example of this would be the security breach Target suffered. Jeopardizing approximately 40 million credit and debit cards resulted in thousands of employees losing their jobs and in a monumental sales decline. It took them years to salvage the damage.

The 3 challenges of true data sovereignty

Moussa Zaghdoud, EVP of the Cloud Communications Business Division at Alcatel-Lucent Enterprise, said that, if you communicate, you’re exchanging data. He and Rouri also agreed that very few certifications out there truly regulate and guarantee data sovereignty. France is leading by example with the ANSSI SecNumCloud certification. Although many efforts to synchronize certificates across European countries are in place, there’s still a lack of a centralized certification which guarantees data sovereignty on a European level.

He highlights that when trying to comply to all the necessary regulations, vendors face 3 big challenges. The first one is to always make sure a vendor is using best-in-class encryption mechanisms and state-of-the-art technology. The second one is to make sure that data is fully secure wherever it is located or accessed from. And the last and maybe most important challenge he identified is retaining a smooth and intuitive user experience while trying to comply to all regulations.

Understanding what the layers of a true sovereign solution are and how they all come together is what seems to be the answer. Starting from the ground up, the infrastructure needs to comply to all local and international regulations and standards. If you have a strong foundation, you can start building your solution on top of it. The solution you are building then needs to meet all security standards in terms of encryption, technology, and interconnectivity. Data needs to be protected not only when it is stored, but also when it is in transit. The last piece of the puzzle are the integrators at customer level. They need to ensure that data is protected on their end, regulate how and if it is shared with third parties and that the solution is deployed correctly.

Trust and expertise as the foundation of data sovereignty

With every new encryption method and technology comes the need for adjusting existing regulations and laws. In some those adjustments are minor and easily executable while in other cases the change in technology may lead to a complete obsoletion of prior rules and laws. The latter has a bewildering impact on all three layers – infrastructure, solution, and deployment. François Guiraud, Head of Business Development & Digital Transformation at NXO France, says that service providers and integrators are closest to the customer. They need to work hard to earn accolades and position themselves as trusted advisors.

It is a constant war of attrition to keep ahead of ever-changing trends and technologies, always balancing between what’s new and what’s well-established. As countries go through their rude technological awakening and old laws tumble in the face of cyber threats and security breaches, lawmakers are coming up with new regulations to accommodate the rule of law. These regulations are then largely standardized, giving birth to auditors who carry the power to issue or deny certifications. So long as this is controllable by local authorities, we can determine data sovereignty. The real confusion starts when we start deploying solutions from vendors across the globe, or more specifically, when using solutions managed by USA-based enterprises in Europe.

How the CLOUD Act endangers data security and data integrity

What may seem harmless at first glance could turn out to be a serious breach of data sovereignty and integrity. In 2001 the USA government issued an anti-terrorism law called the Patriot Act. This law empowered the USA government to enforce access to any data stored inside of the USA. This would be quite easily countered by hosting the data in another country, were it not for its troublesome extension of reach via the CLOUD Act. This agreement was enacted in 2018 extending the Patriot Act from USA-only to worldwide reach if the enterprise handling the data has a USA headquarters. This basically means that, wherever your data is stored, if it is managed by a USA-based company, it is at risk of being compromised and therefore not safe nor sovereign.

In addition to regulations, laws, and technological breakthroughs, you may also end up in the crosshairs of unexpected global developments, crisis or collapsing markets. When conflicts between countries are born, the potential for unforeseen sanctions may result in collateral damage or even inflict grievous wounds to your organization. Rouri of OVHcloud encapsulated the very essence of this by saying “You can only achieve full trust by completely understanding all the layers. If you don’t, then you cannot redeploy, protect, scale, or revert. You are basically a prisoner of the solution you have chosen.”

To sum it up, if you truly want to make sure your data is secure, sovereign, and untampered with, you need to inspect all layers of the solution you are vying for. Make sure that everything is laid out to you transparently. Cover everything from how and where a solution is hosted, who is developing and managing it as well as who will be deploying it for you. Limit access to third parties and ensure when access must be granted, that it is encrypted and secured from an end-to-end perspective. Your data is your own, but it sometimes takes a bit of reading between the lines to make sure it stays that way.