Quantum Computing Security Could Solve The Data Sovereignty Challenge

Following news that Microsoft is unable to guarantee the sovereignty of UK policing data stored on Azure, some commentators have suggested that a quick move away from Microsoft cloud is probably the only option for UK organisations keen to ensure they remain on the right side of British law. 

The issue came to light following an FOI request that highlighted how Microsoft could not guarantee that sensitive law-enforcement data, hosted on its public cloud infrastructure, would remain in the UK - a key legal requirement for many organisations.

The disclosure also revealed how data hosted in Microsoft’s public cloud infrastructure is regularly transferred and processed overseas. This is inherent to its public cloud architecture and therefore causes problems for businesses that have regulatory limitations around the offshoring of UK data.

So, what can organisations do to ensure their data processing remains on the right side of the law when it comes to managing data sovereignty?

The Data Infrastructure Challenge

One option is for organisations to move away from Microsoft cloud-based products. Such an approach would undoubtedly open a Pandora’s box of risks though, which may pose more of a threat to data integrity than the good intentions behind the move. 

The first challenge lies in the scale of any transformation process. For many organisations, the volume and tailored nature of existing data infrastructures make transfers to new systems inherently risky. Not only do they require a significant investment of time, but reconfiguring aspects of the architecture - taking items out, adding them back in and designing systems to allow for regular updates - all create opportunities to lose files, corrupt key data, and open up vulnerabilities to bad actors.

There are also direct costs when cloud providers charge to pull back data stored on their infrastructure or to transfer it to other providers.

Where data is critical to business operations, transferring systems away from existing platforms also creates timing and prioritisation issues. If you want to move away from a particular vendor starting with one department, it is likely to generate a catastrophic set of interoperability problems that create significant risks for the delivery of essential services.

So, if moving away from existing providers is possible but inherently risky, what alternatives are there?

The Quantum-Resistant Solution

To protect against these supercomputers, new, secure data-storage solutions are being developed. Some of these disaggregate data and disseminate it across multiple storage end points: the disaggregation is at the bit level (digital ones and zeros), the dissemination is random, and none of the many end points has all the binary digits for any data asset.

Reassembly of the data assets includes full integrity checks, but the approach means the data cannot be decrypted, as even a quantum computer working at high speed would not be able to recreate the original information with only part of the story to work from.

The implications of such a solution for data sovereignty laws are exciting. 

What Is Data? And What Does That Mean For Data Sovereignty?

Loosely speaking, data sovereignty means that governments have control over data located within their jurisdictions. Information stored in the cloud can be subject to a variety of national laws, depending on where data is stored, processed or transmitted. With huge amounts of data stored outside of national boundaries, it is a critical data- and national-security issue. 

But what if that data was disaggregated and dispersed across multiple geographic jurisdictions? If data is broken up at bit level and randomly distributed to multiple locations across multiple cloud endpoints, not only is that ‘data’ securely stored but it should also meet data sovereignty rules, wherever those end points are in the world.

Why? Because data can only exist in complete form. 

When you anonymise it and disaggregate it at bit level, it is impossible to retrieve and reconstruct without an ‘algorithm key’. From a security perspective, if elements secured in the cloud were accessed by storage providers, hackers or governments, all that could be retrieved is random fractions of binary digits that are unintelligible on their own. Legally, it would not constitute ‘data’. Therefore, once disaggregated, the concept of jurisdiction is removed.

The Way Forward

Adopting such cloud-protection ‘gateways’ allows organisations to keep existing data storage architecture - such as Microsoft Azure - in place and hone it in their own time.  They can be installed on-premises, protecting data at source and allowing organisations to comply quickly with national regulations on data protection without risking data loss or architecture breakdown.

Once a multi-cloud environment has been created, organisations can rebalance what data is held where across multiple providers. This not only dilutes the risk by spreading storage across multiple endpoints but, the more data is managed in this way, the more obfuscated - and therefore secure - it becomes. 

The approach also reduces continuity risks. The design of the platform means that, in the event of loss of connectivity to the end points, or data corruption, the algorithm (accessed only by keyholders) can recalculate the missing digits stored in the corrupted endpoint, restoring the original information to data owners quickly and efficiently.
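A minimal sketch of the mechanism described under "The Quantum-Resistant Solution" and in the continuity paragraph above: bit-level dispersal under a key, an integrity check on reassembly, and recalculation of one lost endpoint. It is an added example, not code from the article or from any vendor. The keyed shuffle (Python's non-cryptographic `random`), the single XOR parity shard and the HMAC tag are all assumptions chosen to keep it short.

```python
import hashlib, hmac, random

def _order(key: bytes, nbits: int) -> list:
    # Keyed shuffle of bit positions. random.Random is NOT a CSPRNG; it
    # stands in here for a keyed PRF so the example stays short.
    order = list(range(nbits))
    random.Random(key).shuffle(order)
    return order

def _xor(shards):
    out = [0] * len(shards[0])
    for s in shards:
        out = [a ^ b for a, b in zip(out, s)]
    return out

def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def disperse(data: bytes, key: bytes, n: int):
    """Split data into n bit-shards plus one XOR parity shard (assumed layout)."""
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    width = -(-len(bits) // n)                  # ceil(len/n); short shards zero-padded
    shards = [[0] * width for _ in range(n)]
    for slot, src in enumerate(_order(key, len(bits))):
        shards[slot % n][slot // n] = bits[src]
    return shards + [_xor(shards)], _tag(key, data)

def reassemble(shards, key: bytes, nbytes: int, tag: bytes) -> bytes:
    """Rebuild data; one endpoint may be None (lost). Raises if the tag fails."""
    lost = [i for i, s in enumerate(shards) if s is None]
    if len(lost) > 1:
        raise ValueError("single parity can only rebuild one endpoint")
    if lost:
        shards = list(shards)
        shards[lost[0]] = _xor([s for s in shards if s is not None])
    n = len(shards) - 1                         # last shard is parity
    bits = [0] * (nbytes * 8)
    for slot, src in enumerate(_order(key, len(bits))):
        bits[src] = shards[slot % n][slot // n]
    data = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))
    if not hmac.compare_digest(_tag(key, data), tag):
        raise ValueError("integrity check failed")
    return data

# Constructed sample: 4 data endpoints + 1 parity endpoint.
KEY, RECORD = b"constructed-demo-key", b"case-ref 0042: constructed sample"
SHARDS, TAG = disperse(RECORD, KEY, 4)
```

In this sketch a silently corrupted shard is caught by the tag rather than repaired automatically; marking that endpoint as lost (`None`) lets the parity shard rebuild it.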

It is a secure and resilient solution that not only reduces security risks but also simplifies the storage regime while meeting data sovereignty requirements.

Moving away from existing architecture may well be a risky hammer to crack a nut when there are simpler, less risky and more cost-effective options out there.

Getting it right is key to building a more secure, reliable data infrastructure for all.

Adrian Fern is Chief Technology Officer at Prizsm Technologies
