Data sovereignty – the concept of data being subject to the laws of the country it is located in – has long been mired in misconception. Regulatory and legislative uncertainty have fuelled fears around offshore data flows and companies have largely been unsure of the legal recourse if data is stored locally versus cross-border.
Legal recourse is essentially what lies at the heart of data sovereignty. In South Africa, the Protection of Personal Information (POPI) Act provides the guidelines for the use of data. Section 72, in particular, regulates the transfer of personal information and perhaps its most significant clause is the need for the data subject to consent to their data being transferred.
Effectively then, POPI doesn’t restrict cross-border data flows or storage; rather, it serves to protect it and facilitate a more secure transfer across borders – and penalties for non-compliance are strict.
This makes it necessary for organisations to ensure they are meeting all regulatory requirements, which can be an interesting conundrum with the growth of cloud-based data storage that increasingly sees data being stored across borders.
The European Union is typically a recommended location for organisations whose data is stored outside of South Africa because of its General Data Protection Regulation (GDPR), which has proved to be a successful way to govern data protection and privacy and is being used as a benchmark around the rest of the world because of how specifically it deals with personal data.
Companies are, of course, subject to the regulations and laws of whichever country their data is stored in – so in reality, location isn’t the most important factor to consider when it comes to data sovereignty. How the data is stored and the way it is handled are the critical considerations for modern businesses.
It’s not all about location, location, location: looking beyond sovereignty to security
Security is at the centre of data handling and storage and in an age where data breaches are an increasingly common reality, putting the strongest security controls in place is essential. This must apply to data both in transit and at rest.
Data is traditionally more at risk when it’s at rest, particularly if it has been replicated or backed up. But data in transit faces its own risks, which is why data requires protection in both states. Encryption is a popular and effective method of securing data, and there are numerous ways to encrypt an organisation’s digital information.
For data in transit, many companies choose to encrypt it before it moves – or else make use of secure connections such as Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security (TLS) or File Transfer Protocol extension (FTPs). These are known for providing end-to-end security, and are safe enough to protect data in transit.
Data at rest, on the other hand, needs more robust security to protect it from would-be attackers. The Advanced Encryption Standard of 256 bits (AES256) is currently one of the most advanced encryption protocols and, as such, is able to protect data at rest.
However, as technology and security advances, so do cyber criminals and attackers who find new and sophisticated ways to crack it. This means that organisations need to constantly stay up-to-date with and implement the latest security tools to ensure data protection.
The future of data security
Homomorphic encryption is just such an example of the latest tool. It allows users to make calculations on encrypted data without decrypting it, and by doing so removes the key problem of encryption: at some point, the data needs to be decrypted and as soon as that happens, it is vulnerable. With homomorphic encryption, it stays encrypted and protected even while the data is worked on.
It has far-reaching capabilities and opportunities for businesses to add value. Financial services providers, for example, could use an algorithm to detect the likelihood of defaulting on a payment – without revealing any other sensitive information.
Homomorphic encryption is widely seen as the future of data security, but even so, the rate at which attackers catch up with the newest security solutions means that additional measures should be put in place.
This includes classifying all data according to its importance to the business, and then archiving and encrypting it, as well as assigning permissions on who can access the classified data based on their role in the business.
Introducing honey pots to act as decoys and detect hacking attempts, and data loss prevention (DLP) solutions to monitor and protect data, are also important tools in the fight against data breaches.
Ultimately, today’s businesses should approach data theft as inevitable – and work to make the timeline between breach and detection as short as possible. It is this – and the level of security measures in place to monitor and correct breaches – that will act as the differentiator between businesses who survive cyber attacks and those who don’t.
So as critical as data sovereignty is in terms of knowing the regulations that govern how data is transferred and handled in the country it’s stored in, businesses are essentially going to need to focus on prioritising security both in transit and at rest and ensuring that the time between breach and detection is as quick as possible if they hope to survive the modern digital world.
By Graeme O’Driscoll, Head of R&D – Cyber Security; Basha Pillay, Executive Head of Cloud & Collaboration; Tim Quintal, Senior Product Manager: Cyber resilience at Internet Solutions