Clouds without borders: Why now is the time to rethink your digital sovereignty

This blog was written by Dan Hilton, Chief Technology Officer, Nine23

A couple of years ago, whilst going through some turbulent times, some friends and I used to remark to each other that we hoped to live in boring times, an appropriation of the saying “May you live in interesting times.”, a double edged blessing. When we look across the geopolitical technical landscape of today, in the UK context, we are faced with that very clear and present position: we are living in interesting and unpredictable times where the technical and security assumptions of the last 15 years of digital service delivery planning are no longer valid, needing to be accurately and carefully reviewed in light of our landscape as a nation.

The benefits of public cloud for enabling more agility, more cost transparency (not always better value), ability to outsource infrastructure, platform and in many cases software; purchasing as a service, are well established when implemented correctly as part of a wider digital transformation. The fundamental assumption has always been that the isolation between customers and the oversight from legal frameworks has been good enough for public and private sector customers to accept a very low risk of a breach of confidentiality, integrity or availability.

What we are seeing now is a reappraisal of that threat model to understand what would happen to a digital service if a foreign owned entity was compelled by a legal framework to degrade, deny or disrupt the service provided. What would be your response if your productivity cloud services or hosting for your line of business application was disrupted? What is your business continuity plan for the risk? A standing risk that could be added to your risk register could be: “There is a risk that your core services may be disrupted, denied or degraded under certain scenarios.”, what would be your risk treatment? How would you re-establish core digital functions?

A useful exercise we have found is to undertake a tabletop wargaming exercise, looking at a number of potential scenarios and how they would affect an IT architecture, such as degraded international internet links (how long would a global SaaS identity provider work if international links became high latency and congested? What would be the knock on impact on your end user compute estate?) working through the impact trees of those scenarios on a customers digital services.

What we’ve seen is a willingness of teams both security and operations to explore the problem space, thinking through how supply chains would respond both in short time spaces (think outages and hours) through to longer, slower events (physical infrastructure failures, flooding, etc). For some the risk is too great and a UK hosted and operated solution is the treatment that mitigates the potential threats.

At Nine23 we have done a lot of thinking and work with our high assurance customers, looking at both the likelihood, impact and treatment of such risks. This has lead us to offer a range of sovereign solutions, both bespoke and standard to help organisations have the right risk mitigations, enabling the benefits of cloud whilst still retaining operational and data sovereignty; enabling senior risk owners to proactively manage their risks whether they’re in the Defence Industrial Base, central government, law enforcement supplychain or highly regulated industries.

Whilst we hope for boring times; we must plan for more interesting occasions so that our digital infrastructure is robust against evolving and ever changing threat landscape.