Shawn Shortridge

Director of Operations

Nations share a common goal in keeping defense and intelligence data out of the hands of adversaries, but each nation maintains its own framework for controlling access to its most sensitive technical data.

This poses a problem for allies, who must share controlled technical data to be effective teammates. The data must move between nations, companies and classification environments. In military environments, the consequences of not sharing effectively can be deadly. 

The question is no longer whether to share controlled data internationally, but how to share it without surrendering sovereign control. The officials and leaders responsible for securing the data, however, may pay a high price for failure.

Defining data sovereignty

The root of the data sharing challenge is maintaining ownership and control over the data once it leaves its point of origin. Data sovereignty provides that the originator of the data retains ownership and control of it no matter where it is accessed, or by whom. 

Stating that as a principle is simple enough. The challenge is in actually enforcing data rights once the data leaves the agency’s direct control.  

Embedding zero trust at the data layer

Traditional security protects the perimeter. Zero trust assumes the perimeter has already been breached. As U.S. military branches and related organizations adopt zero trust architectures, many are looking beyond traditional perimeter and identity controls to the data itself. Data-centric security approaches can help ensure that policies governing access, use and sharing remain associated with sensitive information as it moves across systems, partners and locations.

Integrating a zero trust data architecture aligned to National Institute of Standards and Technology (NIST) SP 800-207 Zero Trust Architecture principles can enable measures such as object-level encryption with externalized key management, barring any single entity from accessing protected data without authorization.

Zero trust measures embedded within the data can enforce jurisdictional requirements through geofencing and policy-based controls. This enables organizations to share highly regulated data and other sensitive information with authorized partners while maintaining control over where the data can be stored, processed and accessed.

Cloud as the infrastructure foundation

With data typically residing in cloud environments, the security measures that protect the cloud also factor into enforcing data sovereignty. In particular, the cloud provider should not be able to access customer data under any circumstances without explicit approval from the data owner. 

Other important organizational controls include: 

  • Geographic restrictions clearly enumerated in policies to ensure workloads and their protected data deploy only in prescribed regions
  • Customer-managed encryption keys with FIPS 140-3 validation
  • Network isolation and micro-segmentation, so that lateral movement is denied by default

CGI Federal’s integrated approach provides a triple-threat cyber defense

In partnership with XQ Message and powered by Amazon Web Services (AWS), CGI Federal provides an integrated solution that resolves all three barriers:

Technical: AWS Trusted Secure Enclave – Sensitive Edition (TSE-SE) provides an environment capable of supporting protected workloads when implemented with appropriate governance, access controls and data protection measures.

Legal & compliance: XQ Message binds policy, encryption and access rules directly to data with externalized key management and jurisdiction enforcement. Compliance can be continuously demonstrated through embedded policy enforcement, encryption, key management and jurisdiction-aware controls.

Operational: CGI configures AWS TSE-SE for each client's regulatory profile, integrates XQ into existing workflows and ensures the combined solution supports secure allied collaboration across the defense industrial base.

Protecting national security data is non-negotiable and allied collaboration is mission-critical. CGI ensures organizations no longer have to choose between the two, with forward-looking protection against today’s threats and tomorrow’s quantum capabilities.

For more information about CGI's data sovereignty capabilities, contact us.
 

About this author

Shawn Shortridge is a Director of Operations in CGI Federal’s Defense, Intelligence and Space business unit. He brings extensive experience leading complex federal programs, organizational transformation and strategic growth initiatives across government, aerospace and defense environments. He is known for guiding teams through operational challenges ...