Digital sovereignty and resourcefulness, more important than ever!

What is it, why is it important and how can you get there? Digital sovereignty and resourcefulness (rådighet in Swedish) are complex and multifaceted concepts relating to the ability of a state, an organization or an individual to control their own digital sphere.

Digital sovereignty focuses more on regulations, while digital resourcefulness focuses more on having control over data and information. The concepts overlap to a large extent; personally, I think resourcefulness is a slightly more interesting angle.

I usually describe it a bit simplified as having control over your data by ensuring that it can be trusted and that no unauthorized person has access.

I'll try to slice the elephant and give practical examples that will hopefully help you make reasonable risk assessments and make decisions that feel great in the gut.

Extent

I am primarily going to focus on the organization's perspective rather than the state's perspective; the state will largely exert its influence through requirements and regulations. Personally, I think it goes without saying that Sweden should stand on its own two feet and not have direct dependencies on other countries to provide essential public services.

Risks and corresponding requirements will also differ greatly, depending on the type of data your organization has. They range from public information, where it is "only" important that it is accessible and cannot be manipulated, to very sensitive data, where it is also important that only authorized persons have access. Each organization must make its own risk assessment. A challenge we often see is the gap between law and technology, where it can be difficult to map reasonable technical protection to a legal requirement.

Trust

A big part of having control over your data is being able to decide which people and organizations you can trust. Having your data on your own servers managed by your own staff carries completely different risks from using an external cloud platform, and those risks need to be considered. Here follow a number of aspects of the ability to handle data.

Robustness

How robust is the infrastructure? Is there redundancy in place that meets the requirements you set for availability? Today, redundancy for power, storage and network, as well as uninterruptible power, is usually standard. But with slightly more advanced requirements, such as multiple availability zones and disaster protection, it quickly becomes expensive and complex to build yourself. Building clusters with persistent data reliably typically requires three availability zones with a distributed design.

Is there capacity available that will allow you to cope with load peaks and growth, and to replace capacity if nodes or an availability zone were to go down? Are there processes or automation in place that can handle this? Here there is strength in using container clusters such as Kubernetes and serverless platforms that can automatically scale and manage availability.

Are the availability zones at a disaster-safe distance, or is it possible to start the services from copies of data in another region? A recovery routine like this needs to be tested and is normally much easier to execute if you work with infrastructure as code or in some other declarative way.

Three availability zones in geographically separated data centers

Cyber security

Cyber security is an important part of digital sovereignty as it is about having control over your data. Organized cybercrime is increasing like an avalanche and no one can hide anymore. If your organization has an exposed vulnerability or does not actively work on security awareness among your employees, you will be exposed to an attack sooner or later.

To be resilient against cyber attacks, there needs to be a good security culture throughout the organization, and effective technical protections need to be in place.

A hyperscaler often has many people who work with security, but it also has a large organization, a large platform and a larger number of sub-processors who also have access to data. Relative to its size, a smaller organization can have more people who work with security. What is important to check is which processes and which technical protections are in place. Market-leading security solutions are available for both large and small organizations, but not everyone uses them.

The most common attacks we see today are ransomware and DDoS attacks. With ransomware, data is encrypted or stolen so that an organization then has to pay a ransom for the data to be decrypted or not exposed. If the data is encrypted and you have a good backup that cannot be changed or deleted, you should be able to recover your data and your systems. If data is stolen, it is very difficult to prevent further dissemination. Working risk-driven and having good protection in place is crucial.

  • Are you certain that no unnecessary services or vulnerabilities are exposed?
  • Do you have the ability to detect deviations such as intrusion attempts or malware?
  • Is there traceability that allows events to be investigated?
  • Is there protection against attacks, DDoS protection (L3-L7), WAF, WAAP?
  • Are backups and logs stored so that these cannot be deleted or changed?
  • Are the physical protection and monitoring sufficient?

Data obfuscation

One way to reduce the risk is to make the data less sensitive. In this way, you would also be able to use the services of an organization that you do not have to fully trust. With data obfuscation, you can protect sensitive data by:

  • Encryption. It is important to understand where encryption takes place and what type of encryption is used. If you do not own and have control over the encryption key, protection will be limited.
  • Tokenization. You exchange sensitive data for a token that you can swap back when you need the original. For example, social security numbers are replaced so that the data is anonymized but still fully usable, as you know which token corresponds to which social security number.
  • Masking. You scrub the data of sensitive information and have no way to recover it. The area of use is more limited, but it can be good for sending data to systems for statistics or similar.
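
The difference between tokenization (reversible, but only by whoever holds the mapping) and masking (not reversible by anyone) can be shown in a few lines. This is an added example, not Elastx code; the `TokenVault` class, the function names and the sample records are constructed for illustration, and the vault is assumed to live on infrastructure you control.

```python
import secrets


class TokenVault:
    """Token <-> value mapping that stays on infrastructure you control."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so records can still be joined.
        if value not in self._token_for:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token: str) -> str:
        return self._value_for[token]  # KeyError if the token is unknown


def mask_id(value: str) -> str:
    """Irreversible: keep only the birth year, enough for age statistics."""
    return value[:4] + "*" * (len(value) - 4)


def for_external_service(records, vault):
    """Reversible by the vault owner only: identifiers become tokens."""
    return [{**r, "id": vault.tokenize(r["id"])} for r in records]


def for_statistics(records):
    """Not reversible by anyone: identifiers are masked."""
    return [{**r, "id": mask_id(r["id"])} for r in records]


# Constructed sample records; the identifiers are made up.
RECORDS = [
    {"id": "19850412-0000", "visits": 3},
    {"id": "19921130-0000", "visits": 1},
    {"id": "19850412-0000", "visits": 2},
]

if __name__ == "__main__":
    vault = TokenVault()
    for row in for_external_service(RECORDS, vault) + for_statistics(RECORDS):
        print(row)
```

Only the output of `for_external_service` or `for_statistics` leaves your environment; the vault itself is then the asset to protect and back up.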

People

One of the biggest risks is us humans. A large percentage of the breaches or data leaks that occur do so because a person is deceived, makes a mistake or acts unfaithfully based on personal gain. The processes and the safety culture that exist in an organization are crucial. Working in a risk-driven and security-conscious manner throughout the organization is a must in order to be resilient against cybercrime.

  • Background checks are carried out upon employment, with ongoing checks to detect deviations.
  • Continuous training in security awareness is carried out.
  • Are there processes for working risk-driven, and are these anchored throughout the organization?

Regulations

There are many regulations that an organization must comply with, and if you want to use a service from another organization, it is easier if that organization also complies with the same regulations. If not, you must investigate what deviations there are. As an example, there are the CLOUD Act and FISA 702, which apply to US-based and US-owned organizations, where the government can order an organization to release data from its customers. This makes digital sovereignty difficult, as third parties can gain legal access to data.

From a GDPR perspective, there is the EU-U.S. Data Privacy Framework, an agreement between the EU and the US that organizations should be able to rely on. However, this agreement has not yet been legally tested and the two previous attempts did not hold. Depending on the data, there are other laws such as NIS 2, DORA, OSL or säkerhetsskyddslagen that must also be taken into account.

It is up to you to make the risk assessment and determine what control over the data you have, based on how sensitive the data is, what organization it is and what technical protections are in place.

Dependencies

An important part of having control over data is being able to move data if the need arises. With the pandemic, the war in Ukraine and the Trump administration, we have learned that conditions can change quickly. Are there technical dependencies on proprietary systems that make it difficult to move? Are there commercial lock-ins that make it difficult to move? A big advantage of open source is that it can prevent technical lock-in. Linux, Kubernetes and other strong open source projects mean that you can choose for yourself whether you want to run a service on-prem or as a cloud service with several providers. A commercial lock-in can be justified financially, which is OK as long as you also make a risk assessment of possibly having to move.

Curious about how you can get better control over your data? Contact us and let us have a chat.

Elastx

For us at Elastx, digital sovereignty is very important. We think that Sweden should be able to stand on its own two feet and in order for us to be able to do that, we need local cloud platforms. We have built our platform for mission-critical services and sensitive data. What runs mostly on the Elastx Cloud Platform (ECP) are SaaS services with sensitive data.

We have a robust platform where a region has three availability zones and a distributed design. Each zone is a geographically separated data center located up to 20 km from each other to achieve disaster recovery while maintaining performance.

Included in all our services is 24x7 support, Threat Intelligence that blocks known bad sources on the internet, L3/L4 DDoS protection, encrypted traffic between our AZs and encryption at rest of all storage. In addition to this, there is a range of additional safety features as options. We use market-leading technical protection to counter and detect cyber-attacks and we must offer our customers corresponding services.

Elastx is a Swedish organization with Swedish owners and all employees are Swedish citizens. We conduct background checks on all employees and we conduct ongoing security awareness training.

We are ISO 27001, 27017, 27018 and 14001 certified since 2016 and have a risk-driven safety culture throughout the organization.

We counteract lock-in by offering services based on open standards and strong open source projects. We normally charge by the hour and have no commercial lock-in.

I hope you think digital sovereignty is as important as we do. Feel free to contact us if you have questions or want to hear how we can help each other.

Have a great day, Joakim Öhman, CEO Elastx
