Sovereignty: What does it mean? Is it important? And specifically, in the context of data management and movement, what should we be concerned about? 

When AUCloud hosted some 140 guests last month from government, industry and academia to a panel discussion of experts representing these sectors to tease out the issue of sovereignty, what it means to them and why it is important,  these questions provided the basis for a broad ranging discussion.

From policy perspectives to research through to business and commercial imperatives, panellists shared a common sentiment: protecting the data of Australian citizens is THE priority.  But what does this mean in the context of a discussion on sovereignty? What are the implications for cloud and digital services? If it is important, what needs to be ‘sovereign’ and how is that achieved?  And how do you balance a preference for sovereignty with broader trade and global expectations?

At the risk of over simplifying what was a detailed analysis, six key themes emerged.

1. The first priority… is to protect the citizen

While the Hon Peter Dutton set the scene with forthright views regarding cyber security, data and the protection of Australian citizens, a view that people and information about them, is at the centre of the debate about sovereignty was the clear.

Cyber security and/or data protection is not an abstract concept. The consequences of data, security or privacy compromise are real, with potential for both tangible and material impacts on citizens (generally) and individuals specifically.

Talking to their cyber security and data management concerns, the impact ultimately on citizens, was unanimously the driver for the increasing shift towards more local as opposed global approaches to data management and protection.

Considering the broader global trend towards data privacy and residency regulations (GDPR in Europe and similar laws in the US and elsewhere), the increased focus on a national responsibility to protect citizen data is no surprise.

2. The core is data   

Digitalisation and increased connectedness through technology has fundamentally changed how information and data is captured, stored and managed. The premise of cloud and cloud based operating and service models is that data can be transported/accessed effortlessly and literally from anywhere in the world. Further, it can be disaggregated with different components of data stored in different locations, moved to different locations at different times and even used for different purposes.  This includes classified and sensitive data as well as non-classified data that sits in or operates from the cloud.

Risks to data, specifically the confidentiality, availability and integrity of data relative to where it is housed, where it is routed, how it can be exploited or scraped, or potentially subject to overseas legislation defines, by default, the scope of the sovereignty discussion. It’s all about the data: where it is located, who ultimately has control of it and the laws it is subject to.

In the modern IT environment and with the emergence of cloud based data storage and service delivery models, sovereignty is all about the data: where it is located, the laws it is subject to and ultimately who has the ability to control access to it.

3. Sovereignty is key. Supply chain is the problem

The ability to protect data breaks down as it is moved, managed, stored, analysed and used across the digital supply chain.   The shift to cloud based services opens up enormous flexibility, agility and efficiencies in the management of data and delivery of services. However, expectations about the management of data (particularly sensitive and classified information) across the public sector and regulated industries necessarily raises questions about the integrity of the underlying cloud supply chain and specifically the security of the (sovereign) data as it moves through and is handed off within that process.

While the Government’s former Certified Cloud Services List (CCSL) sought to mitigate a range of  perceived risks associated with cloud services, the much more recent  Certified Hosting Strategy and Cloud Assessment and Authorisation Framework (CAAF) are both explicitly aware of digital, global supply chains and seek to mitigate their inherent risks.  The inclusion of location and ownership criteria for example, responds directly to potential vulnerabilities in the supply chain where sovereign control is not guaranteed.

Not all agree these are perfect frameworks or as yet, even administered consistently, but both provide clear guidance of risk considerations related to the data management and cloud service supply chains and aim to ensure government customers are appropriately informed and hence able to make more informed, risk-based decisions.

4. Assume your data will be compromised

Operating on the assumption that your data will be compromised focuses attention – particularly where sensitive data is at stake.

All data is not the same: understanding the nature of data workloads and data flows is critical to making informed decisions about how data is stored, moved and managed.  As the CAAF makes clear, this includes general customer data as well as data flows related to metadata, support, monitoring and analytics data which, if compromised, risks the confidentiality, integrity and availability of the core data set.

Global operating models, by default, leverage their global infrastructure, systems, business assets, skills and people networks. They seek commonality of platforms and leverage scale to drive service consistency and efficiency.    In the world of cloud services this can translate to, for example, data loads shifted to different locations, including outside Australia and support solutions offered offshore.

Understanding these data flows in combination with the nature and purpose of the data, is essential to making the right risk-based decisions about how and where data is stored and managed. Where the security, confidentiality, availability and integrity of sovereign data must be assured, the ability to provide this capability onshore is also a priority.  This, however, must be accompanied with more than assurances that the data ‘resides’ in Australia.

Sovereign control, ie, the ability to control of all aspects of our nation-based risks and outcomes, with no threat of foreign interference is crucial to the protection of our sovereign data.  This comes down to both the guarantee that the data will reside and be kept in Australia (ie the domestic capability to provide such cloud services) and also, and importantly, assurance of sovereign control of the assets, people and IP to mitigate against extra judicial intervention.

5. Data sovereignty is not protectionism

Building capability to ensure sovereign data protection should not be confused with putting up trade barriers or taking a protectionist approach in relation to Australian industries.  Nor is it about locking out global cloud providers or simply anointing as ‘sovereign’ cloud providers who are ‘Australian’.

Enacting sovereign protection of Australian data through data residency and jurisdictional control, sets the first pass guard rails for informed decisions, risk mitigation and management as it relates specifically to ‘the data’.   While a broader range of commercial, service and quality considerations obviously also come into play, the global rise of data privacy and residency regulations and expectations regarding the protection of sovereign data, are gaining momentum.

6. It’s complex … but …

While on the one hand untangling what sovereignty is and what it means is complex, on the other it is simply all about the data – where it is, who has control over it and who can legally access it.  Arguably in some cases it doesn’t matter.  But in the case of private citizen and sensitive data, it all comes back to the implications and consequences when it is compromised.  As custodians of citizen data, it is incumbent on governments and regulated industries to understand and mitigate the risk environment associated with the management of their data, with the single aim of protecting the data of the citizens they service.

If data is the currency of the modern age, in the current geopolitical environment and in a world where jurisdictional control and authority over data is increasingly important to national security, citizens rightfully demand to have confidence their data is appropriately protected.

AUCloud: Keeping the data of Australians in Australia