John Ray | Director, HSM Product Management
Much has been written about best practices for organizations currently undergoing a digital transformation, but something important is often overlooked that organizations are learning is a critical aspect of their transformation: data sovereignty. As digital technology is integrated into all areas of business, and especially into areas such as migration to the cloud, organizations need to make data sovereignty, and data security, paramount, if they haven’t already.
Data sovereignty is the concept that all data is subject to the laws and governance from the nation where it is collected. There are now over 100 nations with their own unique laws and policies with respect to how organizations residing in its country must manage its data. But what about cloud data? Cloud data is often stored in different places and accessed across multiple borders, forcing companies to pay close attention to how they manage their data in different geographies.
Complying with the many data sovereignty laws in different countries is challenging – with CCPA, PIPEDA, Schrems II, LGPD, and AAPI just to name a few. First, an organization needs to know where its data is being stored, housed, collected, and accessed. The more global the organization, the more complicated this process will be. Then the many different regulations for those geographical areas all need to be understood and adhered to. As well as being complex, the data regulations come with hefty fines if found broken or not in compliance. In Europe, organizations can be fined up to 20 million Euros if they break the General Data Protection Regulation (GDPR). And this is just one of many possible fines.
There are also existing requirements to keep certain types of data within the country of origin, since some nations’ data sovereignty laws put signification limitations on data transmission outside its borders. Other countries have privacy laws that limit the disclosure of personal information to third parties, which often affects cloud providers who offer processing or storage.
There are undoubtedly benefits to using the cloud, such as flexibility, scalability, and cost savings but companies adopting the cloud(s) need to consider the data sovereignty issues, as well as the security issues.
Hardware Security Modules (HSM) are a trusted method of securing data through encryption and key management best practices. This gives organizations complete control over their own encryption keys as well as encryption processes, helping to ensure you can meet data sovereignty anywhere. Cloud Service Providers (CSP) do not have any access to the HSM; only the assigned roles or credentials defines who can access it.
Thales Luna HSMs can securely protect your encryption keys in flexible and scalable architectures. They are deployable in cloud environments, as well as on-premises or in a hybrid solution. The same HSM can be used to protect customer data distributed in multiple private and public clouds. The versatility of Luna HSMs has helped it build a powerful partner ecosystem, supporting well over 400 integrations with key applications, and the major cloud service providers. This breadth of integrations allows our customer to protect their data without engaging into costly and lengthy development efforts. When it comes to data sovereignty, Thales ensures their HSMs comply with most global regulations and standards such as FIPS 140-3 and Common Criteria and stay up-to-date as regulations, risks, and environments evolve.
For example, because of the growing demand for data sovereignty, NAVER Cloud recently partnered with Thales to create Korea’s first sovereign cloud HSM-as-a-Service powered by Luna Network HSMs. This new service helps businesses based in Korea meet the strict regulatory and industry mandates for control of their data and encryption as they transition from on-premises environments to cloud or hybrid, all while maintaining ownership of their encryption keys.
As more and more nations create their own sovereign data regulations and policies while adapting to ongoing digital transformation, data security and ownership of data as well as the keys to that data, including where it resides especially if it is in the cloud, will become more critical than ever before.
Learn more about how Thales can help organizations achieve data, software and operational sovereignty with automated risk assessment and the centralized protection and control of sensitive data across cloud and on-premises systems.