The debate over data sovereignty heats up
The debate over data sovereignty spurred by the U.S. CLOUD Act is intensifying. On June 10, 2025, France’s Senate held a hearing on the role of procurement in data sovereignty, where Anton Carniaux, Director of Public and Legal Affairs at Microsoft France, testified. He stated he could not guarantee that data from French citizens would not be shared with U.S. authorities without explicit authorization from French authorities.
Carniaux noted that the company declined requests from U.S. authorities “when they are not well-founded,” but under the U.S. CLOUD Act, American firms are obliged to provide data, irrespective of its storage location. He also mentioned that such a situation had yet to occur. Nevertheless, this acknowledgment highlights significant worries regarding European data sovereignty. The implications of the U.S. CLOUD Act also extend to countries outside the EU.
Many view Microsoft’s assurances about contesting illegal requests as insufficient, raising concerns about the autonomy and digital sovereignty of nations, as well as the security of data in the Cloud.
Why is the U.S. CLOUD Act a concern?
United States tech companies, such as Microsoft, Amazon, and Google, influence many aspects of daily life through their products and services. Under the U.S. CLOUD Act, all electronic communication service or remote computing service providers operating in the U.S. can be compelled to share data with federal law enforcement, regardless of where the data is stored—even if it conflicts with international and domestic laws.
This means tech companies like Microsoft may be compelled to disregard data residency requirements that countries have implemented to protect their sovereignty. There are rising concerns that such practices undermine these countries’ data protection efforts.
Does the U.S. CLOUD Act affect the Government and Military?
In short, yes. The nature of the request, whether it involves individual, organization, or government data, does not make a difference. If cloud services subject to the CLOUD Act are being used, the provisions regarding data access apply regardless of where the data is stored.
Many government and military organizations extensively utilize Microsoft 365. They operate specialized versions, designed to provide a unified cloud infrastructure for collaboration among Defense, stakeholders, and various government entities. In principle, any information stored on or utilized through Microsoft’s or other cloud-based products associated with a U.S.-based organization could be subject to a subpoena from the United States authorities.
How can you protect your data?
We’ve previously posted on how the U.S. CLOUD Act presents challenges for global data governance and mitigation strategies. While this latest court case has caused alarm for Microsoft clients, the truth is that you can protect your data from exploitation under the U.S. CLOUD Act by utilizing data classification, encryption key management, and access controls.
Here are a few essential steps to protect data from prying eyes.
- Classify your data by its sensitivity and jurisdiction.
- Use Customer-Provided Keys (CPK) managed off-cloud.
- Encrypt your data in transit, at rest, and in processing.
- Implement role- and attribute-based access controls to restrict access to data and services.
1. Classify your data by its sensitivity and jurisdiction
Starting with classification as the foundation allows you to use labels to automatically implement controls, such as encryption and restricted access permissions, for high-risk data. Whether your data is proprietary, ITAR-restricted, or competition-sensitive, data classification enables your systems to enforce rules for encryption and access.
2. Use Customer-Provided Keys (CPK) managed off-cloud
It is also essential to own and manage your encryption keys, which includes generating and storing them outside of your cloud subscriptions. U.S. regulations permit authorities, under specific circumstances, to obtain data transmitted through services created or managed by U.S. companies, regardless of where the data is physically stored. If the keys are generated or held by a U.S. provider, encryption alone will not safeguard your information.
Using Customer-Provided Keys that are managed outside of the cloud helps prevent unauthorized access by cloud service providers (CSPs). If a CSP is required to provide data in response to a legitimate request from a U.S. or foreign government agency, the encrypted information remains secure and inaccessible to the CSP without the enterprise’s cooperation.
Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) products allow customers to have full control over the keys used to encrypt their data outside of the cloud. These keys can then be used to securely encrypt data within Microsoft environments.
3. Encrypt data in transit, at rest, and in processing
Encrypting your data in transit and at rest has historically been standard operating procedure for most companies, extending even to workstations with VPNs and encrypted hard drives. The latest advancements in computer cores and processors now allow for encryption to be applied to data while it is being processed. This provides additional protection from outside observers who are granted access to a compute environment or subscription.
4. Implement Role and Attribute-Based Access Controls
Role- and Attribute-Based Access Controls (RBAC/ABAC) are the next line of defense. RBAC uses roles to control access, and its policies are static, whereas ABAC offers more fine-grained control, allowing the use of any attribute (including role) and the dynamic adjustment of access decisions based on context. Combining effective encryption and data classification with a robust identity strategy ensures data is only ever accessible to those who have verified credentials and the appropriate system titles and markers in their profile. For example, a system administrator in Germany can troubleshoot software in an environment in the UK, but all the business data is masked due to citizenship and geolocation.
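The Germany/UK scenario above, worked through as an added example (not archTIS product code): a static role check is compared with an attribute-based decision that uses the classification labels from step 1. The attribute names, roles, labels and the policy itself are hypothetical, chosen only to illustrate the allow/mask/deny outcome.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    role: str
    citizenship: str   # country code from the user's profile
    location: str      # country the request originates from

@dataclass(frozen=True)
class Resource:
    kind: str          # "system" (logs, config) or "business" (documents)
    sensitivity: str   # classification label: "public", "internal", "restricted"
    jurisdiction: str  # country whose residency rules apply to the data

def rbac_decision(subject, resource):
    """Static role check: the administrator role sees everything."""
    return "allow" if subject.role == "sysadmin" else "deny"

def abac_decision(subject, resource):
    """Hypothetical policy: returns 'allow', 'mask' or 'deny' from labels and context."""
    if resource.sensitivity == "public":
        return "allow"
    if resource.kind == "system":
        # Operational data: administrators may troubleshoot from anywhere.
        return "allow" if subject.role == "sysadmin" else "deny"
    in_jurisdiction = (subject.citizenship == resource.jurisdiction
                       and subject.location == resource.jurisdiction)
    if in_jurisdiction and subject.role in ("analyst", "owner"):
        return "allow"
    if subject.role == "sysadmin":
        return "mask"   # the object is visible for troubleshooting, its content is not
    return "deny"

def read(subject, resource, content):
    """Enforce the decision: full content, masked content, or an error."""
    decision = abac_decision(subject, resource)
    if decision == "deny":
        raise PermissionError("access denied by policy")
    return content if decision == "allow" else "*" * len(content)

# Constructed sample subjects and resources for illustration.
DE_ADMIN = Subject("sysadmin", "DE", "DE")
UK_ANALYST = Subject("analyst", "GB", "GB")
UK_ANALYST_ABROAD = Subject("analyst", "GB", "DE")
UK_CONTRACT = Resource("business", "restricted", "GB")
UK_APP_LOG = Resource("system", "internal", "GB")
```

Under the role-only check the German administrator would read the UK contract in full; under the attribute-based policy the same request returns masked content, while the application log stays readable.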
archTIS can help you maintain sovereignty
archTIS products can help you maintain your data sovereignty with advanced policy-based access controls and encryption key management. archTIS NC Encrypt enables customers to control and manage encryption keys used in Microsoft 365. archTIS ensures that customers retain complete control over their data and encryption keys in M365, offering BYOK and HYOK capabilities.
- Maintain full control of your encryption keys in the Cloud.
- Use NC Encrypt-generated or your own encryption keys.
- Keep keys separated from the Cloud with remote key management.
- Add dynamic, policy-driven at-rest and in-motion encryption capabilities.
- Secure files with AES-256-bit encryption (currently undergoing FIPS 140-3 validation).
An optional integration with Thales CipherTrust Manager enables customers to leverage existing keys and HSMs with archTIS dynamic encryption policies.
Additionally, archTIS access control and data security products operate as an Azure service within a customer’s application environment. Therefore, archTIS does not have access to any customer data, ensuring the complete privacy and security of your information.
Key Takeaways
Data sovereignty isn’t about jurisdiction. It’s about configuration.
Following the CIA triad will ensure that your organization’s security profile is stronger and better equipped to handle threat incidents and manage data sovereignty.
- Confidentiality – Keeping your data private from those who do not have a need to know or need to access ensures that your data remains Confidential. Appropriate access controls, such as those offered by ABAC, enable the system to enforce confidentiality across your entire enterprise.
- Integrity – Ensuring that your data is true and accurate requires businesses to trust their system. Industry standard AES-256 encryption on all your connections and workloads puts your data in a secure vault that can only be opened by those whose Roles or Attributes meet access requirements. Data can be securely stored at any location on the planet and still be secure from unauthorized access.
- Availability – Timely and effective access to your data is essential to decision-making in the modern era. Data Centers and Hyperscalers deliver this by design with redundancy zones, availability sets, etc. Providing your own compute and store environment for your most sensitive data means you need to ensure availability and uptime regardless of where your user is accessing from.
If you’re worried about a CSP or third party seizing your data, the better question might be:
Why is it sitting unencrypted in the first place and how do I secure it today?
Contact us to discuss how we can help you manage data sovereignty in Microsoft 365 and GCC High.