Sovereign cloud: The symbiotic relationship between cloud and security
When it comes to the cloud and security, it’s pretty much a symbiotic relationship. Organizations using the cloud will need to have security as part of the deal as well. As most cloud providers only provide an avenue for businesses to work, build, create, run workloads and store data, securing the data on the cloud is the organization’s responsibility.
Today, many cybersecurity solutions in the market can help organizations secure their data on the cloud. However, another challenge organizations face when using the cloud is how the data is being used. Regulatory and compliance requirements on data usage differs based on the industry and on location.
In fact, as privacy laws and regulations become more stringent in certain regions, many companies are choosing (or need) to move to sovereign clouds. Faced with changing regulations, it’s not surprising that compliance is a top cloud challenge according to 76% of organizations.
For companies that have customer data in multiple countries, it becomes a challenge to keep data secure. A sovereign cloud helps minimize risk and offers more robust controls and trusted endpoints needed to keep data secure and compliant. Sovereign clouds are necessary for certain regulated industries/companies and governments that ensure all data stays within a specific country and prevent foreign access to data under all circumstances.
When properly implemented, sovereign clouds can offer increased data protection, visibility, and enhanced control over sensitive information. However, this introduces potential vulnerabilities, such as increased exposure to cyber threats and challenges in ensuring the integrity, confidentiality, and availability of data. Striking the right balance between security and usability is crucial to ensure the success and widespread adoption of sovereign clouds.
To understand more about the sovereign cloud, Tech Wire Asia speaks to Darren Reid, APJ Security Business Director at VMware.
TWA: What are the factors compromising security in sovereign cloud environments?
Any cloud, sovereign or otherwise, faces security concerns. The point of a sovereign cloud is that the data they hold remains in the country or territory of record. As sovereign clouds prioritize adherence to local data privacy laws and regulations, it is essential that they are regularly updated as laws evolve. As more organizations move to the multi-cloud and store data in multiple places, it becomes challenging to ensure compliance with sovereignty laws while navigating the regulatory framework of the industry or company, thereby, exposing the sovereign cloud to potential regulatory issues.
Further, the nature of the application, the way that users and administrators access and maintain the application and the nature of data stored in the application all impact the type and level of security that is needed to be implemented. For example, if the application records or requires Personally Identifiable Information (PII) then the compliance requirements are substantially higher, and the security needs to be commensurate with these needs. Equally, the risk of compromise increases as the value of the data increases. Simply holding a name is far less valuable than the name and credit card or identity card details.
The highest risk for a large-scale data store, especially one that is subject to sovereign legislation is an Advanced Persistent Threat (APT) actor. These types of groups are well funded, focused, and have access to leading technology that enables them to compromise even the most secure of environments. Sovereign Cloud providers are not immune to these threats and a combined detection and response capability is needed to minimize the impact of a successful attack.
Typically, it is a compromised credential, a user downloading an attachment from an attacker, or a compromised endpoint that allows initial access into the environment. Then a series of “living off the land” approaches such as using connected networks, un-patched services, or other known vulnerabilities, that allow the attacker to move through the environment and cause either damage or exfiltrate the valuable data stored therein.
TWA: How are privacy laws and regulations impacting the way companies handle data in certain regions?
With data regulations such as Singapore’s Personal Data Protection Act (PDPA), organizations are forced to enhance their security posture, provide users with more control and transparency, as well as ensure proper adherence and compliance with the regulations. Laws such as this (and others in other countries), make it challenging for organizations to navigate as laws differ between jurisdictions or the rules may limit the movement of data between countries for processing or the delivery of a service.
According to the PDPA, there must be reasonable security arrangements made to ensure the proper protection of personal data to prevent unauthorized access, collection, use, disclosure, or similar risks. Proper consent and notification also must be provided, and withdrawal of consent must be allowed for any collection, usage, or disclosure of data. In light of these types of restrictions, many organizations are moving to Sovereign Clouds to ensure that the data in their applications remain in the country of origin and remain subject to the local country legislation. This type of guarantee may not be available if the company is using a hyperscaler or is not diligent in ensuring that its cloud applications are held in each jurisdiction.
Given the global nature of many companies, the practice of “off-shoring” or “near-shoring” to take advantage of labor costs and other benefits, will become restricted as access to certain data is limited to remain in the country of origin. For instance, a credit card company that may have previously used a 3rd party to process its applications may now be forced to use organizations in the same country so as not to fall foul of the privacy laws in the original country.
TWA: What are some of the ways that cybersecurity vulnerabilities can be addressed and how can companies safeguard their data?
Choosing the right sovereign cloud provider can help organizations better protect themselves against cybersecurity vulnerabilities in sovereign clouds. This would entail the sovereign cloud provider ensuring proper implementation and adherence to local data privacy and sovereignty laws as well as any other regulatory frameworks required in the industry.
By combining the security features of sovereign clouds with a Zero Trust framework, strict password, administration and data processing controls, organizations can establish a more secure and resilient infrastructure. Restricting the communication between various workloads, unless explicitly allowed by firewall rules, utilizing micro-segmentation and monitoring data movement between applications or datasets all reduce the risk of an attacker moving laterally through the cloud platform.
Additionally, a sovereign cloud provider that ensures proper and regular compliance and auditing to identify and address any potential security vulnerabilities or weaknesses in the system will enhance the sovereign cloud’s security posture. This will help organizations to keep up with the more sophisticated and complex cyberattacks.
TWA: What role do existing security measures play in enhancing the security in a sovereign cloud environment?
The customer whose data is being retained in the Sovereign Cloud environment has an equal, or perhaps greater, responsibility for ensuring that those devices and users who have access to the data being held in these environments are secured, acting appropriately, and are not adding to the vulnerabilities that already exist in the environment. Firstly, implementing strong authentication measures, such as multi-factor authentication, and role-based access controls helps restrict access based on users’ roles and responsibilities, reducing the risk of unauthorized access and data breaches. Encryption is another important security measure whereby strong encryption algorithms should be employed to encrypt data stored within the sovereign cloud infrastructure and during its transmission over networks.
Another critical component of security in a sovereign cloud environment is continuous monitoring and threat-hunting capabilities which help organizations detect and respond to security incidents and anomalies promptly. Lastly, establishing incident response plans and procedures is essential to effectively handling security breaches or data breaches within the sovereign cloud environment.
However, with that said, organizations may wish to deploy more sophisticated measures as such extended detection and response (XDR) approach which can perform automated analysis and correlation of activity data, allowing security teams to contain threats more effectively. XDR extends the traditional EDR solutions to include network detections, lateral movement, anomalous connections, beacons, exfiltration, and detection of malicious artifacts.
TWA: What are some potential challenges or considerations that need to be addressed when implementing sovereign clouds on a larger scale?
Not all applications need a sovereign cloud. In fact, the first step in the decision process is to classify which of your data or applications is considered by the legislation. If your data does not need to be secured under local privacy laws, for example, then a Sovereign Cloud is likely not for you. Once you know which of your applications or data sets are under the legislation, then your decision on Sovereign Cloud provider becomes which partner is right for you. Do they run the types of infrastructure that your applications are written for? Do they provide the types of services your company needs? Can they integrate with your existing Security Operations Centre and can they provide or receive telemetry from the tools you already have in place?
Then, in the event of an attack, how quickly can they respond? How do they respond? Do they simply notify you of a potential threat, or do they conduct their own threat-hunting and incident-response activities?
If you are the Sovereign Cloud provider, then the reverse of these questions is pertinent – i.e. What type(s) of infrastructure are we willing to support? Which operating systems? Which database(s)? What level of security are we willing to provide? How much of that is going to be the responsibility of the customer and how much will we take on? Who is accountable in the event of a cyber-attack or a breach?
These questions are both ones of strategy but also ones of risk. A clear understanding of “what is the impact if this data is exposed?” and “who is accountable for responding?” is required on both the part of the provider and the customer before entering into a Sovereign Cloud agreement.
TWA: Are there complexities businesses face when moving data between public and sovereign cloud environments?
Moving to a sovereign cloud environment can be challenging, especially without the support of trusted partners/vendors. There are many intricate aspects to consider, such as data protection, compliance with regulations, and the need to manage controls across multiple cloud platforms. Businesses should collaborate with strategic partners who possess extensive expertise and resources in deploying sovereign clouds. Moreover, a multi-cloud architecture will help organizations to customize their infrastructure according to their unique requirements, give greater flexibility, and help them swiftly adapt to changes related to data privacy, security, as well as geopolitical factors.
TWA: Will sovereign clouds eventually become the best way in ensuring data does not compromise privacy?
Sovereign clouds are well-established and mature solutions within the growing landscape of multi-cloud environments. They encompass all the fundamental advantages of cloud computing, such as agility, security, and automation. So ultimately, incorporating sovereign cloud into a multi-cloud strategy is crucial. However, with the data privacy landscape constantly evolving, organizations need to implement a comprehensive data privacy strategy that involves robust security measures and stays up to date with evolving privacy regulations. It is not sufficient for an organization to say, “we are in a Sovereign Cloud, so we are protected”. Each party needs a comprehensive and well-tested data security plan combined with a proven approach to responding when (not if) the worst scenario happens.
A Sovereign Cloud will definitely help an organization meet the legislative requirements but is not the only action needed as, ultimately, the organization that collected the information and processed it, is the organization that is accountable under the law and that is a risk for every company executive or Board to consider carefully before committing to any single strategy.
READ MORE
- 3 Steps to Successfully Automate Copilot for Microsoft 365 Implementation
- Trustworthy AI – the Promise of Enterprise-Friendly Generative Machine Learning with Dell and NVIDIA
- Strategies for Democratizing GenAI
- The criticality of endpoint management in cybersecurity and operations
- Ethical AI: The renewed importance of safeguarding data and customer privacy in Generative AI applications