Digital sovereignty in a fast-paced, complex regulatory environment
  • Digital sovereignty is about achieving digital autonomy across the entire end-to-end ecosystem and infrastructure.
  • Governments and organizations are demanding protections on data transferred outside their national borders, and that means there are more data localization requirements around the world.
  • Tech Wire Asia spoke to Cisco’s SVP and chief security and trust officer Brad Arkin on digital sovereignty and data privacy, as well as the role of security in these areas.

In a post-GDPR world, more governments and organizations outside of the European Union have placed more focus on digital sovereignty — with far more data localization requirements being set in place, especially over the last few years. In short, privacy has become table stakes for business today. In fact, according to the Cisco 2022 Data Privacy Benchmark Study, 90% of organizations say their customers would not buy from them if they did not adequately protect customer data.

Complementing those findings, in a separate annual global review of consumers’ perceptions and behaviors on data privacy, Cisco found that this year’s survey highlights the critical need for further transparency as consumers say their top priority is for organizations to be more transparent on how they use their personal data. This year, 81% of respondents on the 2022 Consumer Privacy Survey agreed that the way an organization treats personal data is indicative of how it views and respects its customers.

The number is the highest percentage since Cisco began tracking it in 2019 — and it is more apparent that ever-evolving technologies simply make it more difficult for consumers to trust companies with their data. In a recent conversation with Brad Arkin, the chief security and trust officer at Cisco, he shared how data privacy and digital sovereignty are becoming a challenge for businesses as they navigate the complex and evolving regulatory environment.

The interview below has been edited for length and clarity.

What are some key digital sovereignty trends as well as the challenges associated with it?

It feels like we are heading towards a more fragmenting global technical environment as each country is coming up with their own security requirements and compliance requirements. How do we then have big multinationals confront those fragmented territories? What has been happening over the past few years is we’ve seen an increasing number of countries, and different industries as well as sectors are pushing for specific requirements — that data needs to be stored locally, and also potentially have constraints around who can operate the services. So it feels like that fragmentation is happening and sometimes it’s even different for each industry vertical. That in turn is creating a lot more work for tech companies that want to provide services to customers around the world.

So how does Cisco overcome the variety of bureaucracy in place, considering your presence worldwide?

So the biggest thing that we’ve come up with is called the Cloud Control Framework (CCF). For example, when Germany, Spain or Japan come up with different standards, even though they have different names, the truth is, they’re all pretty similar in what they’re asking us to do. 

The issue is meeting those fast-evolving requirements for security certifications and standards across the globe, which is becoming increasingly important, and also extremely challenging, as well as resource- and time-intensive for cloud-based software providers.

That is when the Cisco CCF fits perfectly. Essentially, the CCF is a comprehensive set of international and national security compliance and certification requirements, aggregated in one framework. It empowers teams to make sure cloud products and services meet security and privacy requirements thanks to a simplified rationalized compliance and risk management strategy, saving significant resources. 

For Cisco, the CCF is the foundational methodology for us to accelerate certification achievements across our cloud offerings and establish a strong security baseline. It is the result of years of standards research to certify SaaS products for multiple standards for repeatable practices and efficiencies. The CCF offers a structured “build-once-use-many” approach for achieving the broadest range of international, national, and regional certifications.

Since it has been really useful for us, we think it might be useful for other people too, so we’ve taken that Cloud Control Framework and made it an open source resource. Now, anybody can download it and use it to inspire them in trying to figure out what might work for their environment. They might make a few tweaks, and then they can use it, and also because it’s open source, even our customers can just download it and study it themselves. 

Since we are discussing compliance, Australia recently had a huge privacy overhaul because of the series of data breaches that was ongoing. Has that in any way impacted Cisco’s operation there?

So the big thing in Australia that drives the work that we’re doing around compliance attainment is IRAP — the Information Security Registered Assessors Program, governed and administered by the Australian Cyber Security Centre (ACSC). It is basically an escalating series of standards, so depending if it is a commercial application, or a classified government application, there’s a ladder of more or less controls.

IRAP is just another example of what we have put into our Cloud Control Framework, and so each of our engineering teams, when we’re looking at the business opportunity to do business in Australia, we look at what the incremental work is to achieve IRAP compliance. We then see if the business case is there, and where it makes sense, after which we bring in the auditors and we get verified that we comply with IRAP. After all of that, we’d be allowed to sell into that environment. 

So that’s the thing that is on top of my mind when I think about Australia and so far it hasn’t been a big change. You know, it’s really more of an evolution because we understand this compliance motion since we do it with other countries as well. So to us, this is just like one more on the list that we need to make sure we get the details right. That is also when we use things like Cloud Control Framework to make it as efficient as possible. 

What about the way data is being approached and regulated in APAC? 

A lot of changes to the regulatory environment are being considered in APAC. So I know Vietnam right now is thinking through a lot of changes in the way that they look at service delivery, but it is not something that has come into force yet. The advice that I give to policymakers is to really think about what are the primary outcomes that they’re driving for, and then work backwards from that.

Lastly, is data sovereignty a barrier to cloud adoption?

I think it is a growing barrier to adoption because of the costs required to comply with these increasing requirements. We have got a spreadsheet that has all the countries and what we think the business upside is, and you drive the cost higher with these incremental data sovereignty requirements, then that changes the analysis on the business case. In a lot of cases that may tip the balance to where it’s no longer economical for us to go into a particular region. 

So our goal is we want to serve our customers, we want to solve problems. So we’re always looking to drive the cost down wherever we can. So things like Cloud Control Framework is one way to do that. But when you have things like an individual data center for every country, things like that are much less efficient than doing one regionally that serves multiple countries. And so that’s something which may tip the business case balance, where it ends up not being worthwhile.

 




