
Data Sovereignty & Key Management Best Practices in M365

Aug 30, 2023

What is Data Sovereignty?

The volume of data being moved to, and collaborated on in, the cloud has spurred government concern and oversight over protecting sensitive personal, business, government and defence data. Data sovereignty is the concept of a country or jurisdiction having the right to govern and control digital data collection, storage, processing, and distribution within its borders. Organisations operating across international borders must comply with the rules of each country/jurisdiction where their data resides. This brings both concern and many jurisdiction-specific obligations for global entities, especially those storing data in Cloud services such as Microsoft 365 (M365).

Examples of Laws Impacting Data Sovereignty

There are a multitude of data sovereignty laws that can be applicable. For example, some laws dictate that certain types of sensitive data must be stored and processed within the jurisdiction for security, regulatory or privacy purposes. Others have national access laws that enable a country to demand access to data through a third party provider. Here’s a small sampling of the different laws:

  • GDPR – Any information collected from EU citizens must reside in servers located in EU jurisdictions or in countries with a similar scope and rigour in their protection laws under GDPR.
  • International Traffic in Arms Regulations (ITAR) – Any information or technical data related to items on the United States Munitions List (USML) can only be accessed by US persons unless otherwise authorised by the U.S. Department of State.
  • CLOUD Act – The US’s Clarifying Lawful Overseas Use of Data Act (CLOUD Act) states that U.S. law enforcement agencies may, under certain circumstances, lawfully demand data stored in foreign countries from entities subject to U.S. jurisdiction. Many are concerned that the CLOUD Act will allow the U.S. government to surveil the data of any non-U.S. citizen or business that uses a cloud services provider with operations in the United States. However, many countries across the EU and China also have national access laws.
  • Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, or TOLA Act – This Australian legislation permits law enforcement and intelligence agencies to obtain warrants to request or force telecommunications providers to provide access to data and devices, including encrypted communications.

5 Data Sovereignty Challenges

While data sovereignty can provide benefits for governments and businesses, it also presents several challenges, including:

  1. Cross-border data exchange: Data sovereignty laws can limit the ability to exchange information across borders – even within the same company – adding complexity and cost for global companies that must erect information barriers between departments, divisions and/or geographic locations.
  2. Data localisation requirements: Requirements for certain types of data to be stored and processed within a country’s jurisdiction can be challenging for global businesses, impacting the cost and complexity of a business’ data management if local data centres and infrastructure must comply.
  3. Compliance: Local data protection regulations can vary from country to country, even state to state. This can raise the cost and complexity of managing data access and storage for impacted businesses.
  4. Encryption: Data sovereignty regulations may mandate the use of encryption to protect sensitive data. Most cloud service providers offer data encryption; however, customers cannot control their encryption keys. This poses challenges for companies that want to maintain control of their keys for security.
  5. International data sharing agreements: International data sharing agreements can become complicated when participating countries have different data protection and storage requirements. Business operations can be impacted due to data sharing delays or restrictions.

How to Achieve Data Sovereignty in M365

There is a great deal of information to understand and various processes to implement to achieve Data Sovereignty compliance in M365 and other CSP platforms. Here are some tips and tools to help you get started.

Understand Your Cloud Provider’s Policies & Practices

It is your responsibility to fully understand your cloud provider’s data management policies, including where your data is stored, how it’s transferred between servers, and your provider’s data security practices and backup and disaster recovery processes.

Meet Data Localization Requirements

You must also ensure your cloud provider can accommodate any data localisation requirements as outlined above.

Segment Access to Data with Attribute-based Access Control

Consider using attribute-based access control (ABAC) to fortify data access controls in your Cloud-based document management platforms. With an ABAC-enabled solution, data access and security policies can be based on any combination of user attributes (e.g. position, nationality), content attributes (via discovery process rules) and environment attributes (access point to information). This allows organisations to control access to data based on geographical and other unique conditions more easily.

NC Protect from archTIS uses dynamic ABAC policies and data-centric security controls to determine access, usage and sharing permissions at the item level for every file in Microsoft 365 applications, SharePoint Server, Windows File Shares, Nutanix Files and NetApp OnTap.

By taking a data-centric, zero trust security approach, a file’s attributes, such as security classification and country releasability, and user attributes, such as organisation, country/location and nationality, determine who can access, edit, share and download a file – regardless of its folder/location within the document management system. For example, ensure that any data in a SharePoint site that is classified as ITAR can only be accessed by US citizens. This data-centric, individual file security approach eliminates the need for multiple sites to manage geography-restricted collaboration scenarios.
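An added example (not NC Protect's policy engine or any archTIS code) of how an ABAC decision such as the ITAR case above can be evaluated per file and per action with default deny. The attribute names, rules, country subset and sample users and files are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    nationality: str   # ISO country code, e.g. "US"
    location: str      # country the request originates from

@dataclass(frozen=True)
class File:
    name: str
    classification: str       # e.g. "ITAR", "EU-PERSONAL", "PUBLIC"
    releasable_to: frozenset  # nationalities the file may be released to; "*" = any

EU = frozenset({"DE", "FR", "IE", "NL"})  # constructed subset for the example

# Hypothetical rules: (classification, predicate on user and file, allowed actions).
RULES = [
    ("ITAR", lambda u, f: u.nationality == "US", {"view", "edit"}),
    ("EU-PERSONAL", lambda u, f: u.location in EU, {"view", "edit", "share"}),
    ("PUBLIC", lambda u, f: True, {"view", "edit", "share", "download"}),
]

def decide(user: User, file: File, action: str) -> bool:
    """Default deny: releasability AND a matching classification rule must pass."""
    if "*" not in file.releasable_to and user.nationality not in file.releasable_to:
        return False
    for classification, predicate, actions in RULES:
        if classification == file.classification and predicate(user, file):
            return action in actions
    return False  # unknown classification, or no rule satisfied

# Constructed sample users and files.
alice = User("alice", "US", "US")
bjorn = User("bjorn", "DE", "DE")
itar_doc = File("guidance.dwg", "ITAR", frozenset({"US"}))
mislabelled = File("export.dwg", "ITAR", frozenset({"US", "DE"}))
pii_doc = File("customers.xlsx", "EU-PERSONAL", frozenset({"*"}))

if __name__ == "__main__":
    for user in (alice, bjorn):
        for doc in (itar_doc, mislabelled, pii_doc):
            for action in ("view", "download"):
                print(user.name, doc.name, action, decide(user, doc, action))
```

The `mislabelled` file shows why the classification rule is checked in addition to releasability: a wrong releasability tag alone does not open an ITAR file to a non-US user.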

Deploy Fine-Grain Data-centric Security Capabilities

A data-centric security (DCS) approach is designed to secure the data itself – not its container or storage location – when it’s at rest or in motion. DCS provides organisations with more granular protection at the individual file level for more effective data protection and aids in compliance with governance requirements.

NC Protect adds unique data-centric security capabilities to protect sensitive data, including a secure read-only viewer, dynamic user-based security watermarks, CAD file protection, visual markings for defence-related data, data obfuscation, word and phrase redaction, and more. These capabilities are not available natively in most applications and assist in enforcing governance policies.

Add Dynamic Encryption & Independent Key Management

Encrypting data at rest is the bare minimum to protect sensitive data in a public cloud and is required by many regulations. To ensure adequate encryption protection and to prevent key and data access by a CSP, many organisations choose to generate their own data encryption keys. It’s also important to note that Gartner recommends that if certain datasets need stronger access controls, you should deploy more granular protection at the individual file level such as the methods outlined above.

The NC Encrypt module provides dynamic encryption and key management to empower organisations to maintain data sovereignty and control over their encryption keys in the Cloud. With NC Encrypt, organisations gain supplementary at rest and in motion encryption and decryption capabilities in Microsoft 365 using their own designated master key. The option exists to generate a default AES-256 encryption key on the fly, enabling a swift start. You also have the flexibility to utilise a Bring Your Own Key (BYOK) approach at any point through a seamless integration with Thales CipherTrust Manager.

With NC Encrypt, sensitive documents are dynamically secured using a system-generated or BYOK encryption key based on the policies you define. For example, build a policy that automatically encrypts any GDPR-controlled personal data in M365 and/or when emailed via Exchange.

Data Sovereignty FAQs

  1. How can NC Protect help me find and categorise my data?
    NC Protect scans your data repositories to identify and classify data – on-premises, in the cloud and hybrid environments. You can configure rules to identify types of data (e.g., personally identifiable information (PII), healthcare data (PHI), ITAR, CUI, etc.) and automatically apply custom classifications/tags to identified regulated data.
  2. What if I am using classification/tagging from another vendor?
    NC Protect’s Bring Your Own Classification model allows customers to use NC Protect’s classification engine or leverage existing classifications as one of the attributes used by the product’s dynamic ABAC policies to control access and apply file-level protection. Integrations with Microsoft Purview Information Protection (MPIP) labels and Janusseal Documents classifications make this a seamless process.
  3. How can I manage access to data by geolocation?
    NC Protect’s ABAC policies evaluate and validate each file’s attributes, including geographic location and permissions, as well as user and environmental attributes such as security clearance, time of day, citizenship, country and device to determine who can access, edit, download, and/or share a particular file. Policies are applied every time a file is accessed, applying zero trust at the file level. NC Protect helps control data access, automatically enforces security policies, and demonstrates compliance with government auditors.
  4. How can I apply end-to-end encryption when needed?
    NC Protect can dynamically encrypt files at rest or in motion, when required, using secure AES-256 bit encryption that is FIPS 140-2 compatible. It can also encrypt SharePoint list values.
  5. How can I manage my own encryption keys?
    The NC Encrypt module provides encryption capabilities out-of-the-box for organisations using NC Protect that prefer to manage their own encryption keys. Using a central policy manager, it provides critical management of files stored and shared across all of your Microsoft 365 apps, SharePoint on-premises and File Shares. It also supports BYOK with connectors to third-party key management platforms using Thales CipherTrust Manager.
  6. How will I know if my sensitive data is accessed?
    NC Protect’s advanced watermarking capability can dynamically apply security watermarks to identify the file handler/viewer as required. Additionally, NC Protect logs all access to documents and actions users have taken with them (print, save, email, etc.) and maintains a complete audit trail to help meet various compliance regulations. Automatically feed user activity logs into Microsoft Sentinel or Splunk to trigger alerts and upstream actions on suspicious behaviour or unusual activity.

Data Sovereignty Goals in M365 are Within Reach with NC Protect

NC Protect safeguards your data in Cloud, hybrid and on-premises environments with a dynamic data-centric access and security approach to help with data sovereignty compliance and best practices. It supports various enterprise document management and collaboration tools, including the Microsoft 365 suite, SharePoint Server, Nutanix, NetApp ONTAP and Windows File Shares. With NC Protect, consistently enforce data governance policies and secure sensitive data access and collaboration across cloud, on-premises and hybrid environments.
