Financial services is among the most highly regulated of any industry – and justifiably so. As critical infrastructure, the sector provides services which, if interrupted or destabilized, could have a catastrophic impact on economic and national security. Increasingly, these regulations mandate not only cyber-resilience (e.g. the EU’s DORA) but also digital sovereignty – which includes the idea that wherever data is collected or stored, it should be subject to local laws.
This in turn is driving renewed interest in data protection technologies. As a new Gartner paper reveals, some are more mature than others.
Why digital sovereignty?
Put simply, digital sovereignty is the right of countries and regions to control their own data. The notion has become more popular among lawmakers as the digital economy has grown. At the same time, concerns have also grown, particularly in the EU, that citizens’ data may be processed and stored in a country where it could be subject to scrutiny by law enforcement or intelligence services, undermining human rights. That’s the basis of a long-running legal tussle between authorities in Europe and the US.
According to Gartner, the meaning and scope of digital sovereignty may vary from place to place.
“However, organizations should assume that it encompasses data residency and data protection at rest, in transit and in use, along with the location of the infrastructure used to process data and transactions.”
Comforte offers several capabilities listed in the hype cycle report that can help support digital (and, more specifically, data) sovereignty:
- Data Security Platforms (DSPs), which include format-preserving encryption (FPE) and tokenization. These are described as “adolescent” in maturity at present, but with a high benefit rating and market penetration of 5-20%.
- Format-Preserving Encryption, which also has a current market penetration of 5-20%, but is further along the hype cycle than DSPs. It’s increasingly sought out by enterprises as an anonymization technique that protects data at rest and in use, while maintaining the original data length and format.
- Enterprise key management (EKM), which is judged to be mature and mainstream, with a market penetration of over 50%. It sits right at the end of the hype cycle and is a critical component for enforcing consistent encryption and tokenization policies across the enterprise.
Data-centric security
The bottom line is that financial services firms’ hybrid and multi-cloud deployments are complex and transnational. They also store some of the most highly regulated and sensitive personal and financial information around. To meet key data sovereignty requirements, the sector should be looking at the above technologies in the context of a data-centric security approach. This posits that data is discovered, classified and protected according to policy as soon as it is created – leaving no opportunity for threat actors to access it in plain text.
The benefits of such an approach in data sovereignty terms are:
- It ensures that data is “pre-protected” before being shared externally and across borders
- It means that the financial services organization retains control and governance of the data, rather than its third-party provider (e.g. a foreign cloud service provider)
- Tokenization can help financial institutions meet not only data sovereignty but also other regulatory requirements like DORA and GDPR (in the EU) and HIPAA and California’s CCPA (in the US)
- By using tokenization, financial services companies can maintain compliance with data sovereignty and other regulatory requirements whilst still being able to use their data for competitive advantage in AI and analytics tools
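As an added example (not Comforte’s product code and not from the Gartner report), the following Python sketches the two ideas from the lists above: a Feistel-style format-preserving cipher over digit strings, illustrating the length- and format-preservation described in the FPE entry, and a small field-level protection policy applied when a record is created, before it is stored or shared across a border. The cipher is a simplified teaching construction in the spirit of NIST FF1, not FF1/FF3-1 itself; the key, the policy and the sample record are all constructed for the demo, and a real deployment would take its key from an enterprise key manager or HSM and use a vetted FPE library.

```python
import hashlib
import hmac

# Teaching construction only: a Feistel network over decimal digits whose round
# function is HMAC-SHA256. It is NOT NIST FF1/FF3-1 and not a vetted primitive.
ROUNDS = 10   # even, so the two halves end the rounds with their original widths
RADIX = 10    # decimal digits only


def _prf(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """Round function: HMAC over (tweak, round number, input half), reduced to
    an integer that fits in `width` decimal digits."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** width)


def _split(digits: str):
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Map a digit string to a digit string of the same length. The tweak (for
    example a customer id) binds the ciphertext to its context without
    changing the output format."""
    a, b, u, v = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v            # width of the half being replaced
        c = (int(a) + _prf(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)             # zfill keeps leading zeros
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the same rounds backwards."""
    a, b, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, m)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


# Constructed classification policy: how each field is protected at creation.
# "fpe" keeps length and digit format (tokens stay joinable in analytics);
# "fpe_keep_last4" leaves the last four digits readable for customer service.
PROTECTION_POLICY = {
    "account_number": "fpe",
    "national_id": "fpe",
    "card_number": "fpe_keep_last4",
    "customer_id": None,    # not sensitive here; also used as the tweak
    "country": None,
}


def protect_record(key: bytes, record: dict) -> dict:
    """Apply the policy before the record is stored or shared. A field the
    policy does not classify is refused rather than passed through in clear."""
    tweak = str(record["customer_id"]).encode("ascii")
    out = {}
    for field, value in record.items():
        if field not in PROTECTION_POLICY:
            raise ValueError(f"unclassified field {field!r}; refusing to emit it")
        action = PROTECTION_POLICY[field]
        if action is None:
            out[field] = value
        elif action == "fpe":
            out[field] = fpe_encrypt(key, value, tweak)
        elif action == "fpe_keep_last4":
            out[field] = fpe_encrypt(key, value[:-4], tweak) + value[-4:]
        else:
            raise ValueError(f"unknown protection action {action!r}")
    return out


def unprotect_record(key: bytes, record: dict) -> dict:
    """Reverse protect_record for an authorised consumer holding the key."""
    tweak = str(record["customer_id"]).encode("ascii")
    out = {}
    for field, value in record.items():
        action = PROTECTION_POLICY[field]
        if action == "fpe":
            out[field] = fpe_decrypt(key, value, tweak)
        elif action == "fpe_keep_last4":
            out[field] = fpe_decrypt(key, value[:-4], tweak) + value[-4:]
        else:
            out[field] = value
    return out


SAMPLE_KEY = bytes(range(32))   # placeholder key for the demo only
SAMPLE_RECORD = {               # constructed sample, not real customer data
    "customer_id": 1042,
    "country": "DE",
    "account_number": "123456789012",
    "national_id": "870512345",
    "card_number": "4111111111111111",
}

if __name__ == "__main__":
    protected = protect_record(SAMPLE_KEY, SAMPLE_RECORD)
    print(protected)
    print(unprotect_record(SAMPLE_KEY, protected) == SAMPLE_RECORD)
```

Two properties of the construction matter for the claims in the list: the output is deterministic for a given key and tweak, so protected values can still be counted, grouped and joined in analytics or AI pipelines without ever exposing the clear value, and the tweak ties each ciphertext to its record so the same account number protected under two different customers does not produce the same token. The policy fails closed: a field nobody has classified is rejected instead of leaking across the border in plain text.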
As the digital economy grows and cloud environments become more complex, financial institutions are looking for ways to manage cyber risk without blunting their competitive edge. With data-centric security they can meet local requirements with confidence, using data protection as a springboard for sustainable growth.