- Digital Sovereignty is about achieving digital autonomy across the entire ecosystem and end-to-end infrastructure.
- Governments and organizations require protection for data transferred outside their national borders, which means there are more data localization requirements around the world.
- Tech Wire Asia spoke with Brad Arkin, SVP and chief security and trust officer at Cisco, about digital sovereignty and data privacy, as well as the role of security in these areas.
In a post-GDPR world, more governments and organizations outside the European Union have focused on digital sovereignty, with many more data location requirements implemented, especially in recent years. In short, privacy has become the stake for today’s business. Indeed, according to the Cisco 2022 Data Privacy Benchmark Study, 90% of organizations say their customers wouldn’t buy from them if they didn’t properly protect customer data.
Complementing those findings, in a separate annual global review of consumer perceptions and behaviors around data privacy, Cisco found that this year’s survey highlights the critical need for more transparency as consumers say their highest priority is for organizations to be more transparent about how they use their personal data. This year, 81% of respondents to the 2022 Consumer Privacy Survey agreed that the way an organization treats personal data is indicative of how it views and respects its customers.
The number is the highest percentage since Cisco began tracking it in 2019, and it’s more evident that ever-changing technologies simply make it harder for consumers to trust companies with their data. In a recent conversation with Cisco chief security and trust officer Brad Arkin, he shared how data privacy and digital sovereignty are becoming a challenge for companies as they navigate the complex and ever-changing regulatory environment.
The following interview has been edited for length and clarity.
What are some key trends in digital sovereignty and the challenges associated with it?
We seem to be heading towards a more fragmented global technical environment as each country is crafting its own security requirements and compliance requirements. So how do large multinationals deal with those fragmented territories? What has happened in the last few years is that we have seen an increasing number of countries and different industries and sectors pushing for specific requirements: that the data must be stored locally, and potentially also constraints on who can manage the services. So it seems like fragmentation is happening and sometimes it’s even different for each vertical. This in turn is creating a lot more jobs for tech companies that want to service customers around the world.
So, how does Cisco overcome the variety of bureaucracy in place, considering your worldwide presence?
So the most important thing we have come up with is called Cloud Control Framework (CCF). For example, when Germany, Spain or Japan come up with different standards, even if they have different names, the truth is that they are all quite similar in what they ask us to do.
The problem is meeting those rapidly changing requirements for security certifications and standards around the world, which is becoming more and more important and also extremely demanding, as well as resource and time consuming for cloud-based software vendors.
This is when the Cisco CCF fits right in. Essentially, the CCF is a comprehensive set of international and domestic security compliance and certification requirements aggregated into a single framework. It enables teams to make sure cloud products and services meet security and privacy requirements with a streamlined compliance and risk management strategy while saving significant resources.
For Cisco, the CCF is the foundational methodology to accelerate certification outcomes across all of our cloud offerings and establish a strong security foundation. It is the result of years of standards research to certify SaaS products to multiple standards for repeatable practices and efficiencies. The CCF offers a structured “build-once-use-many” approach to gaining the broadest range of international, national and regional certifications.
Because it’s been really useful for us, we think it might be for other people too, so we’ve taken that Cloud Control Framework and made it an open source resource. Now anyone can download it and use it to inspire themselves to try and figure out what might work for their environment. They might make some changes and then they can use it, and also because it’s open source, our customers can also just download it and study it themselves.
As we’re discussing compliance, Australia has recently undergone a huge privacy overhaul due to the ongoing spate of data breaches. Did that impact Cisco’s operations there in any way?
So the big thing in Australia driving the work we’re doing to achieve compliance is IRAP, the Information Security Registered Assessors Program, governed and administered by the Australian Cyber Security Centre (ACSC). It’s basically a growing set of standards, so depending on whether it’s a commercial application or a classified government application, there is a scale of more or less checks.
IRAP is just another example of what we’ve built into our Cloud Control Framework, so each of our engineering teams, when we look at the business opportunity to do business in Australia, looks at what the incremental work is to achieve IRAP compliance. Then we see if the business case exists and if it makes sense, after which we bring in the auditors and they verify that we respect the IRAP. After all that, we would have been allowed to sell in that environment.
So that’s the thing that comes to mind when I think of Australia and so far it hasn’t been a big change. You know, it’s really more of an evolution because we understand this compliance movement as we do it with other countries as well. So for us, this is just like another one on the list that we need to make sure we’re getting the details right. This is also when we use things like Cloud Control Framework to make it as efficient as possible.
What about the way data is handled and regulated in APAC?
Many changes to the regulatory environment are being considered in APAC. So I know Vietnam right now is thinking about a lot of changes in how they look at service delivery, but that’s not something that’s gone into effect yet. My advice to politicians is to really think about what primary outcomes they’re driving for, and then work backwards from that.
Finally, is data sovereignty a barrier to cloud adoption?
I think it’s a growing barrier to adoption due to the costs involved in meeting these growing requirements. We have a spreadsheet that contains all the countries and what we think is the business advantage, and you drive up costs with these incremental data sovereignty requirements, so that changes the analysis on the business case. In many cases this could tip the balance towards the point where it is no longer economical for us to go to a particular region.
So our goal is to serve our customers, we want to solve problems. So we always try to reduce costs wherever possible. So things like Cloud Control Framework are one way to do that. But when you have things like a single data center for each country, things like that are much less efficient than building a regional one that serves multiple countries. And so that’s something that could tip the balance of the business case, where it ends up not being worth it.