Repatriation is the process of returning an asset, an item of symbolic value, or a person — voluntarily or forcibly — to its owner or their place of origin or citizenship.[1]

When meeting with executives who are leading organizations through digital transformation, I find many have jumped feet first into cloud-delivered digital services and systems without much consideration for the safety of their business.

Brian Grant, CPL ANZ’s Regional Director, Thales

This “cloud first” approach is not a bad thing, and leaders sometimes need to make bold decisions and aggressive changes to move a business, and its people, out of complacency and comfort zones.

It is only through action and failure that we learn lessons that we can then apply to make our organization and us better. In the case of quickly moving to cloud-based infrastructure and delivered digital platforms, this is certainly true.

One thing we are all learning as our experience with cloud and hyperscale services matures is that shared responsibility[2] is real. Moreover, for data-dependent organizations, the fact is we cannot outsource responsibility for the confidentiality, integrity and availability of our critical data to a third-party cloud provider.

The challenge is once we have made the jump into cloud, how do we land safely and re-establish our digital sovereignty?

Get the cloud data security basics right

As everyone who works with sensitive or critical data knows, this data cannot sit in cloud environments in the clear and unsecured. Over the years, some of the most serious data breaches and professional embarrassments have arisen from poorly implemented cloud data security.

Consequently, cloud service providers (CSPs) have taken action to encourage the application of better data security practices. Typically, these have involved:

    • Stricter user and administrator access controls,
    • Improved configuration documentation and best practices,
    • Better security monitoring and alerting, and
    • Prescribed use of cloud-centric data encryption and key management.

This is great and redresses some of the risks with holding sensitive data in cloud environments. Yet it does not address the emerging demand of customers and governments for organizations to retain digital sovereignty over critical data and digital assets.

This will be inadequate for governance and risk management purposes because whoever holds both the data and the key ultimately has access to the data itself. To operate safely in the cloud, retaining control over who, what, when and where data is visible will become an executive or regulatory mandate, so be prepared.

Cloud data digital sovereignty – the first step: key repatriation

So how does an organization that has launched into cloud start the digital sovereignty recovery journey when it comes to cloud data? This can be achieved by taking back direct control over:

    1. The data itself,
    2. The data access and encryption policies, or
    3. The keys enabling data encryption.

If we take back the data itself, we defeat the purpose of moving to the cloud in the first place. We lose the flexibility and agility to build digital services at speed. We increase the capital demands on the organization through increasing expenditure on computer hardware and software. We discourage risk taking for our business leaders and innovators. Therefore, this is often not an option.

Taking back direct control over the data access and encryption policies would be great; however, it is not an easy step to make when you have already invested in cloud. It is not impossible – and is a goal we should strive to attain as we work to achieve a high maturity in digital sovereignty.

So, given that the first two options may be, initially or overall, a bridge too far, the third option is to take back direct control over the keys that secure our cloud data.

The good news is this process is simple to achieve with the right approach. It involves using a cloud key management solution to synchronize cloud keys with an external key “security” and management platform (note the emphasis on security).

This cloud key repatriation, while not giving you direct control over how the cloud keys currently in use were created and deployed, gives you visibility into all the cloud keys your organization has and where they are held and used.

Cloud key repatriation is the foundation for an organization's cloud digital sovereignty recovery journey. The next step is to re-establish direct control over the secure creation, deployment and repudiation of cloud keys, which I will be sharing in a follow-up blog post in the coming weeks.