Sovereignty – not a word we use every day but one that has significant impact in terms of Cloud security.  Given the recent spate of cyber-attacks on government agencies by foreign actors, there has never been a more important time to address the sovereignty in Cloud security – particularly for government agencies (Defence in particular), and the industry that serves them.

Data sovereignty – is it a thing?

Data sovereignty impacts any business, organisation (government or otherwise) or individual using Cloud storage.[1]

To underpin the importance of data sovereignty, the Digital Transformation Agency (DTA) has set out as part of its own guiding principles that hosting arrangements must be founded on robust, risk-based assessment to ensure data sovereignty and supply chain integrity[2].

The first key to success to ensure data sovereignty is to address sovereign issues within hosting supply chains. This is to mitigate against supply chain and data centre ownership risk through the implementation of a certification framework and effective governance model.  The hosting arrangements need an effective control regime that mitigates the risk, expense and impact of undesirable changes in supply chain and data centre ownership, control and use.

It is on these principles, and our industry expertise that Sliced Tech continues to build its sovereign capability. Agencies and industry must have confidence that hosting arrangements in each part of the ecosystem meet government’s criteria regarding data sovereignty, privacy, supply chain risk and cyber security on an on-going basis.[3]

Part of maintaining that integrity in the system is what the IRAP assessment was designed to do. Just as any business that is a going concern would conduct a financial audit of its accounts to assess performance, the IRAP can be considered as a similar process, the difference being it’s an independent assessment of an organisation’s security protocols around its data sovereignty, security and governance.

Data sovereignty is data, in particular digital data, being subject to the laws of the country in which the data is stored.  Our concern is how and to what level can we protect Australian data if it is stored elsewhere.  Can Australian data be protected at all if it is stored elsewhere? Can the same level of protection afforded to data that is stored here in Australia, be ensured for data stored elsewhere?  Can the privacy of information be ensured if we are unable to respond regarding changes to the regulatory environment of that storage?  Likely not!

Sovereignty is important and will impact the security of your information in ways that we could not possibly have imagined a decade or two ago.

Why should sovereignty matter to you?

It is important to understand that while the internet may be borderless, the data ‘contained’ on the internet is held to and within geographically determined boundaries.  This is where sovereignty becomes important.  The Cloud is effectively a series of servers that are accessed over the Internet.  These servers are in fact, located in a series of data centres (and possibly the occasional garage…) all over, and anywhere in the world.

The problem is that your data may be located anywhere, in any country, in any level of storage, and may be bound by the laws of an unknown foreign nation with values and/or intent that may differ from ours.  While the laws for data storage of that country, may appear attractive and suitable at the time – this may change.  It is unlikely you will be consulted about this change; you may never be aware the change occurred; data you assume is protected by one set of laws, may change to grant access or be shared with a third party, without your consent.

Cloud security is not just about encryption; it is about sovereignty too.

Sovereignty matters to you because you want your data and information security held to a known standard, in a known location, with a known set of rules and regulations; thus, providing you with the best, accessible, secure Cloud service available.

Data sovereignty does not equal Cloud sovereignty.

Despite the progress to build a cyber security framework around how government data is managed by third parties, one crucial regulatory feature common to other markets remains absent: a “reserve” or element of direct government participation in, or ownership of, cloud computing resources for sovereign purposes, such as the reserve bank in financial markets or the universal service obligation legislation found in telecommunications, power, and water.

As is the case for other industries, use of the system by government agencies is very different from the government itself as an actor within the market – whose role is to protect its citizens and national interests.  So, in the same way, Cloud data sovereignty should not be confused with the need for sovereign Cloud capability.

For Sliced Tech, we have set out to ensure both are mutually exclusive. We are a wholly owned Australian entity with 100% of our resources, infrastructure and operations on‑shore.  Therefore our Cloud infrastructure, data storage and the services associated with these are equally important.  The sovereignty of our Cloud service design, deployment and management is a core governing factor regarding the security of Sliced Tech as a Cloud solution provider.  The more organisations rely on Cloud storage, the more they become a target for attacks; subsequently, sovereignty becomes even more important.

Sovereignty matters to us because it allows us to provide you with the best, most secure Cloud storage and/or service available.

It takes a village

Sovereignty, and sovereign storage, is vital for our customers to have prompt, safe access to data that is stored under the same legal/judicial system they operate within.

Cyber resilience begins with people – your people and our people.  Employees and individuals must be educated on cyber threat and the associated risk.   This largely comes to the fore when considering how the ongoing use of phishing attacks and social engineering campaigns will impact.

It takes all of the village to maintain our nation’s and your organisation’s cyber security; our sovereignty supports you as part of that village.

Information security law does exist but it can be complex.  Not having to navigate additional international laws is a bonus here – sovereignty does matter.

And it is at the core of everything we do.

[1] Australian Privacy Principles (APP)

[2] DTA Hosting Strategy

[3] DTA Hosting Strategy