Five ways CISOs can solve the Data Sovereignty Dilemma
Privacy regulations (like the EU/U.S. Privacy Shield agreement) are continuously evolving. Major cloud providers, mostly based in the U.S., are quickly scaling up. A global pandemic has ushered in an era of remote-first work. Cyber crime is surging globally, and cyber attacks are more sophisticated than ever.
In the current cyber threat landscape, it’s no wonder security leaders are considering whether they should lock things down and err on the side of caution in the name of data sovereignty. But this can result in hurdles to collaboration and innovation: People still need to get their jobs done, and with many teams distributed around the globe, employees need avenues for sharing information in a way that won’t slow them down.
Security leaders seemingly have a choice to make: Encourage collaboration at the expense of security, or strengthen security at the expense of collaboration.
But, what if you could have both? What if you could both ensure your data remains secure — truly secure, sovereign, and always under your control — and shareable at the same time?
End-to-End Encryption: Share Data While Shielding It from Third Parties
End-to-end encryption makes it possible for organisations to use the cloud providers and applications of their choice while ensuring their data remains secure. In 2020, the European Data Protection Board (EDPB) identified end-to-end encryption as an effective means of securing data while leveraging a third-party service provider — even if they’re based outside your organisation’s home country.
Organisations can start leveraging end-to-end encryption, right now, to achieve the balance between data sovereignty and shareability. Even as regulations change, this method of encryption gives the data owner full control, and the ability to shield their information from third parties — even their cloud provider. But, there are five key things to consider as part of your encryption and data protection strategy.
- Ease of use is critical. The truth is that, if end-to-end encryption is too difficult to use, your employees will not use it. Many encryption tools still rely on clunky legacy portals and require the recipient of an encrypted file or message to create a new set of credentials (yet another username and password) to access an encrypted message. If encrypted information is difficult to access, your employees will likely find less-secure workarounds for sharing information. This can create risks for your organisation and its data, so prioritise ease of use when selecting an encryption provider.
- Sensitive data is everywhere. The scope and scale of sensitive data within an organisation is broader than you might expect. Sales and marketing teams are entrusted with customers’ contact information. Finance and legal teams are responsible for managing private contract details, performance metrics, and invoices. The executive team and board of directors communicate regularly about strategic initiatives that must remain confidential. When you’re choosing encryption for your organisation, examine whether that solution can meet your needs across users, applications, and platforms: Can end-to-end encryption be applied to email as well as your Customer Relationship Management (CRM) system? Does it work across operating systems and providers such as Google and Microsoft? Does it support large files? How seamlessly does it fit into users’ everyday workflows?
- Manage your own encryption keys whenever possible. For maximum security of your data, manage your own encryption keys. This way, only you can determine who is able to access the unencrypted data. This also frees you up to use the cloud provider of your choice, knowing that you are able to shield your private information, revoke access when necessary, and maintain full control of that data at all times, across the entire lifecycle of each piece of data.
- Zero Trust should start with the data. Zero Trust security is gaining momentum, and for good reason: It’s a framework that does not grant unearned trust to anyone — whether they’re already inside your network or on the outside requesting access. It’s a smart way to approach security, and it encompasses a wide surface area, from identities and people, to endpoints and devices, to apps and services, to network transport, to the data itself. While all these facets of Zero Trust are important, data is the most granular — and arguably the most essential — of these Zero Trust areas of focus. After all, data is the ultimate asset you’re trying to protect. When you protect the data itself, everywhere it moves, you’re strengthening your Zero Trust strategy from the inside out — and enabling collaboration and shareability in the process. Start with the data, and build out your Zero Trust strategy and tech stack from there.
- Leverage Open Standards for Global Workflows. As mentioned above, continuously evolving privacy regulations introduce an element of uncertainty. A CISO in any given country may not know how their privacy regulations will evolve over the course of a year, five years, or 10 years. But they’re still responsible for building a sustainable strategy. Therefore, open standards for data protection will be increasingly valuable for security leaders in this evolving environment, as nations will need a way to collaborate securely, and in a way that is both accessible and widely available. Open standards, such as the Trusted Data Format, provide a flexible way to secure data as it moves between parties, and even between countries.
Whether you’re entrusted with customer data, private health information, strategic corporate information, or any other data that needs to be protected, CIOs and CISOs should focus on creating sustainable and flexible frameworks to secure that valuable information, anywhere and everywhere it moves.
Because data is meant to be shared. But, at the same time, it also needs to be treated with the utmost respect. End-to-end encryption, with the right partner, can help you achieve both, without making any unnecessary sacrifices.