The complexity of today’s cybersecurity landscape cannot be overstated, with risk levels and potential impact to victims constantly rising as criminals step up the sophistication of their attacks. Meanwhile, businesses invest in cybersecurity and governments introduce new legislation to keep criminals at bay. And, at the centre of this intricate, risk-filled puzzle, is one of the most valuable resources in the modern world: data.
Data has become one of the most valuable assets to businesses, economies, and societies around the world. It enables us to analyse patterns to predict future events, understand consumer behaviour to better sell products, or in the case of cybercriminals, steal personally identifiable information (PII). The potential uses for PII are endless, which explains why the world’s five most valuable brands (Apple, Google, Microsoft, Amazon, and Facebook) have data at their core.
The modern threat landscape
Over the past 12 months, cybersecurity and ransomware attacks have made front-page news across the globe. From the Colonial Pipeline attack in the US to the Nine Network breach in Australia, criminals have been brazen in their targeting of large corporations and governmental organisations, revealing vulnerabilities in the way data is secured across public and private sectors.
In response to the growing volume and complexity of attacks, and the increased cost of reparations, numerous legislative changes have been introduced by governments. These changes impose new requirements on how organisations manage their threat assessment, reporting and defensive capabilities, with the aim of ensuring data is stored securely.
One of the most important topics of discussion throughout has been where data is physically stored, often referred to as data sovereignty. Data sovereignty relates to jurisdictional boundaries and the ability of a regulator to impose conditions on the management and access rights to data based on the laws of the land.
Data sovereignty and the argument for onshore storage
With the emergence of cloud and software-as-a-service providers, along with today’s global and digital market, national borders don’t always exist. As a result, regional legislation is often adopted as an industry standard framework. For example, the General Data Protection Regulation (GDPR), which came into force across the European Union in 2018, has largely been adopted across the globe as standard practice.
However, while the GDPR is generally followed in most markets, every region still has its own data sovereignty laws and regulations. In Australia, the Digital Transformation Agency’s (DTA) Hosting Certification Framework governs public sector data, requiring all government data to be stored onshore in data centres with certified strategic or assured accreditation.
Meanwhile, non-government organisations follow the Australian Privacy Act, and while the provisions set out by this act do allow offshore storage in some situations, personal data linked to individuals generally needs to be de-identified and/or aggregated to remain compliant.
But with the Privacy Act currently undergoing reform, added data sovereignty laws are likely to come into play to provide citizens with further protection and to ensure Australian data is secure and compliant, across both the public and private sectors. As these worlds start to collide and legislation changes, organisations should look to adopt best practice regarding their storage of data.
Data sovereignty and security in practice
When data is stored onshore, Australian citizens and businesses have the right to influence how this data can be interacted with and have input on what the government can do with it.
When that same data is stored offshore, Australian businesses and citizens are powerless to object to or protest any changes in data laws and regulations, and unable to stop local powers seizing data or building backdoor access for state interests.
Locally stored data is better protected from unauthorised access by foreign state actors and offshore threat vectors, providing increased security and more responsible use of Australian data.
As a result, many IT businesses and managed service providers have committed to building onshore data centres, either as physical centres or as points-of-presence to store citizens’ data onshore safely and securely, where it is protected by local data protection laws.
There is no upside to sending data offshore for storage; all this does is expose sensitive information to additional risk. As the global threat landscape evolves and the puzzle of data security becomes increasingly complex, data sovereignty and responsible storage of data is one key area in which organisations can improve their overall cybersecurity and ensure sensitive information is protected from threat actors.