Podcast: Data sovereignty and what you need to do about it


Source is ComputerWeekly.com

In this podcast, we ask Patrick Smith, EMEA chief technology officer at Pure Storage, about the increased drive towards ensuring data sovereignty.

Smith talks about drivers that include geopolitical trade and political uncertainty, new levels of sensitivity over data, and increased regulation and compliance requirements.

He also talks about the risks of not addressing the needs of data sovereignty, as well as the ways in which it is being addressed, such as customers focusing on holding data on-premise, careful construction of hybrid cloud setups and ensuring readiness for new regulations.

What is data sovereignty, and why is it a thing we’re paying attention to right now?

I think for a long time we thought of data sovereignty as the location where data sits. And that certainly is one aspect. But really, it’s the laws and governance structures around the country in which data is collected, processed and stored.

It’s also about who has the authority to dictate how data is managed, accessed and used. Those two dimensions define what makes up data sovereignty and how people think about it.



And why is it a thing that we’re paying attention to right now?

We’re seeing three factors coming together to increase the focus on data sovereignty.

The first of those factors is data sensitivity. As citizens, we’re becoming increasingly aware of the sensitivity of data around us, corporate data. A lot of this focus is the result of ransomware attacks and data leakage.

But we’re also seeing data sensitivity being highlighted in terms of copyright and intellectual property. And that’s being driven by the rise of AI [artificial intelligence]. So, as a society, data sensitivity is increasingly top of mind.

Therefore, corporations are having to really focus on protecting data and making sure data is managed correctly.

The second aspect is the rise of the public cloud.

Two decades ago, the public cloud was a novel way to host sandbox environments for IT. Now, 20 years later, it’s pretty much the de facto way to run technology services. And most organisations, certainly in the West, are almost entirely dependent on the three main US cloud providers.

That then plays interestingly into, in the cloud world, do you know where your data sits? Do you know who’s got access to it? It opens up a bit of a Pandora’s box on data sensitivity and data sovereignty.

And then the third aspect that is a catalyst for this heightened awareness on data sovereignty is the geopolitical climate we’re operating in.

We’ve seen commercial challenges at a national and international level in terms of tariffs. We are seeing increasing instability. We’ve seen supply chain constraints – politically instigated and commercially instigated – that are all playing to a sense of uncertainty.

And we’re seeing an increasingly competitive global landscape between the US, the European Union, and primarily China and Asia. All of those things are heightening awareness around data sovereignty.

What are the risks of not addressing data sovereignty? And are there any benefits for those that do address it? And I’m talking really here about customer organisations, as well as more widely the background political landscape, etc, states

If we look at what’s top of mind with organisations in terms of the risks, the first one is the potential for service disruption.

So, by having my data and business services hosted outside of my country, there is the potential for service disruption. And now that’s not disruption through equipment failure, but potentially disruption as part of a commercial negotiation, as part of a tariff dispute. That has certainly risen in the minds of organisations.

And that plays into the second aspect, which is the risk of foreign influence in terms of legitimate access to data, illegitimate access to data, legitimate access through legal frameworks, through court orders, illegitimate access through unauthorised or unlawful intrusion by external actors, both of which are enabled by the interconnected nature of technology services across borders. By adopting a sovereign approach, you can start to mitigate those risks.

The other aspect is an interesting one, if you overlay those concepts with the changing regulatory landscape. So, we’re familiar, and have been for quite some time, with GDPR in Europe. We’ve also seen DORA in Europe for financial services. We’ve seen increasing regulation of critical national infrastructure.

And they all put an interesting dynamic on service disruption and foreign influence, where suddenly you’re not in control of meeting your regulatory requirements because you’re dependent on a third party. 

And the last thing on regulation is there’s so much discussion, especially within the European Union, around regulation and data sovereignty that I expect there will be more regulation in this space as we roll forward over the next 12, 18 months.

How do you expect customers and the industry to respond?

What we expect organisations to do is really understand their environment – what are their true business-critical services? – and start with a risk assessment.

In a very similar way to when we saw financial services organisations with DORA looking at doing an overall risk assessment of critical business services.

[Here, they need to] understand:

  • Which are my critical business services?
  • What’s the data that supports them?
  • What’s the underlying infrastructure that supports that?
  • Where does it sit?
  • How does that align with my risk tolerance and risk posture?
  • What do I need to do in terms of my IT architecture to be able to mitigate that risk where the risk is heightened?
  • Does that mean I need to adopt a hybrid multicloud environment to include sovereign service providers, be that sovereign cloud providers or simply an on-premise datacentre?

And then, the last thing that we absolutely think that organisations need to do is prepare for regulatory evolution. Because it’s not a case of “if”, it’s a case of “when”, in terms of that regulation coming for data sovereignty.

So, those are the four critical steps that we think organisations should take. 
