    Why Zero Trust is the Missing Link in Global Data Governance

    By Tina Meadows, March 24, 2026
    Tina Meadows, CGI

    Tina Meadows is a vice president at CGI. 

    As organizations race to modernize in the cloud, a silent conflict is brewing: Who really controls your data? The promise of global connectivity has exposed a fundamental gap between where data lives and who has the legal right to access it.

    Data sovereignty, an aspect of governance and regulatory oversight, attempts to close the gap through legal and regulatory schemes. It essentially means that the jurisdiction where the data originates retains legal control over it.

    For example, data generated in a European Union (EU) country, subject to the EU’s General Data Protection Regulation (GDPR), remains subject to that law even when it resides in a U.S.-based hyperscaler’s cloud environment.

    In 2020, the Court of Justice of the European Union ruled that data could not be exported from the EU or the European Economic Area (EEA) unless the receiving nation’s laws provided equivalent safeguards against unauthorized access, including by that nation’s intelligence agencies. Commonly known as the Schrems II ruling, this laid the groundwork for the establishment of data sovereignty within the EU/EEA.

    The structural gap in traditional cloud security

    For data sovereignty to matter, nations must have the technological means to enforce it. The hyperscalers themselves typically provide strong perimeter controls, data encryption at rest and multiple options for storage locations. However, these measures are managed by the providers and not enforced by jurisdiction.

    The cloud providers rarely enforce persistent, object-level sovereignty controls, geofenced key governance or jurisdiction-aware decryption logic. CGI and XQ have introduced a solution that draws on zero trust principles to provide data owners with the tools they need.

    Maintaining data sovereignty: The role of zero trust

    The technologies needed to enforce data sovereignty can be seen as an extension of familiar zero trust concepts. Foundational capabilities and features of CGI and XQ’s data sovereignty solution include:

    Object-level end-to-end encryption: Each object of data is individually encrypted, rather than a data set as a whole, providing precise, granular control. The data is encrypted in every state: at rest, in use or in transit.

    Localized key management: The prevailing jurisdiction maintains the encryption keys, ensuring enforcement of local laws and policies. Importantly, the hyperscaler does not have any control over the keys, ensuring that the cloud provider cannot decrypt the data in violation of the law.

    Dynamic geofencing: This allows data owners to restrict access to a specified geography, further ensuring that only authorized users within the jurisdiction have access.

    Zero trust architecture: Zero trust access control requires any entity trying to access data—whether human or another system—be authenticated and verified before access is granted. This adds a layer of protection against the insider threat as well as external attempts.

    With enforceable access controls based on identity, location and the jurisdiction’s policy, the solution ensures that no one can reach the data who is not authorized to do so.

    In practice, one hyperscaler environment can host data from multiple sources, with each one subject to its own specific controls. An object that originated in France can be decrypted only by an authorized user in France, say, while data objects from Germany, housed in the same S3 instance, have their own access rules that the system enforces. Because the cloud provider does not control the keys, it cannot decrypt the data in response to a request from another country.
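
The key-release flow described above, as an added sketch that is not CGI's or XQ's code: a key broker inside the originating jurisdiction holds one key per object and releases it only to an authenticated requester inside the geofence, while the storage bucket holds ciphertext only. The `KeyBroker` class, the `POLICY` table, the object IDs and the SHA-256 keystream standing in for a real AEAD cipher are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed policy: requester locations allowed to decrypt objects from each origin.
POLICY = {"FR": {"FR"}, "DE": {"DE"}}

def xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream) so this runs on the standard
    # library alone; a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class KeyBroker:
    """Key service run inside the originating jurisdiction, not by the cloud provider."""
    def __init__(self):
        self._keys = {}   # object_id -> (origin, per-object key)
        self.audit = []   # every release decision is recorded

    def enroll(self, object_id, origin):
        self._keys[object_id] = (origin, secrets.token_bytes(32))
        return self._keys[object_id][1]

    def release(self, object_id, subject, authenticated, location):
        origin, key = self._keys[object_id]
        if not authenticated:
            decision = "deny:unauthenticated"
        elif location not in POLICY.get(origin, set()):
            decision = "deny:outside-geofence"
        else:
            decision = "allow"
        self.audit.append((object_id, subject, location, decision))
        return key if decision == "allow" else None

def store(bucket, broker, object_id, origin, plaintext):
    nonce = secrets.token_bytes(12)
    key = broker.enroll(object_id, origin)
    bucket[object_id] = (nonce, xor_stream(key, nonce, plaintext))  # ciphertext only

def fetch(bucket, broker, object_id, subject, authenticated, location):
    key = broker.release(object_id, subject, authenticated, location)
    if key is None:
        return None   # no key leaves the jurisdiction, so the object stays opaque
    nonce, ciphertext = bucket[object_id]
    return xor_stream(key, nonce, ciphertext)
```

The audit list is what a reviewer would check first: every denied release names the object, the subject, the claimed location and the reason.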

    Conclusion

    It isn’t enough to rely on data residency to enforce data sovereignty. Data sovereignty requires object-level encryption, sovereign key control, jurisdiction-aware decryption logic and persistent zero trust enforcement at the data layer.

    Data sovereignty is a structural shift from perimeter-based trust to sovereign data enforcement. While international agreements, court rulings and diplomacy sort out the specifics among sovereign jurisdictions, implementing the tools needed to enforce those rules is imperative.
