Tech
Auditing, classifying and building a data sovereignty strategy | Computer Weekly
Data sovereignty is a hot topic. For commercial and public sector organisations, compliance to ensure personal data is secure is a primary objective. And that means it cannot be subject to foreign laws or interference.
Data sovereignty is also a matter for international relations, where states strive to ensure citizen and organisation data is secure from foreign interference. And, for states, achieving data sovereignty is also a way of protecting and developing national economies.
In this article, we look at data sovereignty, and the key steps CIOs need to take to build their data sovereignty strategy. This centres on auditing, classification and building controls over data location and movement.
What is data sovereignty, and why is it an issue?
At the most general level, data sovereignty is the retention of data within the jurisdiction – usually state boundaries – whose laws govern its use.
Interest in data sovereignty has been building for some time. In one sense, it looks a lot like law catching up with the “wild west” early years of cloud use and popularity. Here, organisations rushed to this new, highly flexible location to process and store data, then later discovered the risks to which they – and their customer data – had become exposed.
More recently, the drive to digital sovereignty stepped up to the level of states. That trend got a big boost during US president Donald Trump’s first term. That saw the country’s introduction of the Clarifying Lawful Overseas Use of Data (Cloud) Act, for example, which potentially allows US law enforcement to access data stored by US companies anywhere. Alarm bells started ringing, especially in Europe.
Organisations achieve digital sovereignty in their operations by making data subject to the laws and control of the state they operate in, or from. But we are far from achieving that, when, for example, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) have around 70% of the European cloud market, and many European state organisations are completely or overwhelmingly dependent on US hyperscalers for cloud services.
What are the concerns about data sovereignty, and what do CIOs plan to do?
Surveys regularly find IT decision-makers are concerned about data sovereignty. A Gartner survey conducted among 241 IT decision-makers globally found the majority (75%) of those outside the US plan to have a digital sovereignty strategy in place by 2030. Meanwhile, 53% said concerns over geopolitics would restrict future use of global cloud providers, and 61% said such worries would increase their use of regional or local cloud providers.
Complexity – and the potential for contradictory regulations and increased costs – is also a major concern, says Simon Robinson, principal analyst for storage and data infrastructure at Omdia.
“Our research found 74% of organisations say sovereign clouds have become more important over the last two years,” he says.
“However, it is a complex and fast-moving area. The regulatory and compliance environment is evolving rapidly. But the challenge for global organisations is that some regulations may actually conflict, potentially forcing them to contemplate whether they might break one law or regulation to satisfy another.”
Robinson adds: “At the very least it pushes up costs, may lead to inconsistent data policies around retention, and could slow down the adoption of advanced technologies, such as AI [artificial intelligence].”
So, while risks around stored data being in datacentres in a foreign country, on foreign infrastructure and subject to that country’s laws are a major worry, resolving that situation can bring its own issues too.
What is a data sovereignty audit, and why is it so important?
Core to an organisation’s responses to an unknown or uncontrolled data sovereignty situation is an audit of its data. This is the first step towards ensuring data is kept and processed within the appropriate state boundaries.
That will likely take the form of identification of the risks around different classes of data, according to Jon Collins, vice-president of engagement and field chief technology officer at GigaOm.
“Not all data is created equal, and not all parts of the architecture are created equal,” he says. “The first step is to classify what you’ve got. Identify whether it needs to fall within the scope of sovereignty, understand what kind of data it is, and consider how it might be impacted in terms of privacy, localisation and compliance.”
Key parts of a digital sovereignty strategy include mapping digital assets and data flows throughout their lifecycle and the laws to which they are subject at all stages. Then classify the data to assess risk levels for each class.
This can include geo-tagging, and should be part of an ongoing process, says Bettina Tratz-Ryan, vice-president and analyst at Gartner. “Automated discovery tools help identify and tag sensitive data, whether in physical storage or incidental locations like shared drives and folders,” she adds.
“Regular audits and compliance checks are non-negotiable and require strong governance policies and periodic manual reviews.”
How to minimise exposure to data storage risks
A data storage strategy that addresses data sovereignty builds on the classification of data in the data audit to limit what data can go where.
As part of the classification process, data will be subject to a policy that manifests in metadata tagging that indicates its sensitivity and tolerance for movement.
“Organisations should adopt a data governance as code approach, automating compliance through infrastructure as code techniques for consistent enforcement and rapid remediation,” says Tratz-Ryan.
That means sensitive data should be stored locally or in regional datacentres to meet residency requirements, with the cloud used for scalability under strict, region-specific compliance requirements.
“Continuous monitoring, encryption and geo-fencing are essential, and governance must be built in, not bolted on,” adds Tratz-Ryan.
Such approaches address the difficulties that potentially arise with data in transit. With the ability to monitor compliance and auditability built in via classification and tagging, critical workloads can be more easily segregated from less sensitive data at rest and in transit.
“Strict governance over location and movement is the cornerstone of risk mitigation,” says Tratz-Ryan.
Challenges in maintaining knowledge and control
There are many challenges to data sovereignty auditing. Data moves, and it moves across borders. We might believe we have nailed down data in our infrastructure, while data finds other backdoor routes across frontiers. Meanwhile, proprietary systems present huge challenges to audits and tagging, and staff create shadow IT, use emails, attach files, and so on.
In short, data movement in an organisation can be very complex indeed. It is potentially simple to audit and control the vast bulk of our data, but the problems come with incidental cases of data movement, says Tratz-Ryan.
“In globally connected organisations, sovereignty risks will occur even if data is stored in local servers. Remote access, backups, and software-as-a-service integrations can create cross-border exposure, triggering compliance challenges under laws like the US Cloud Act. Also, governance can be bypassed by incidental data movement via virtual private networks, personal devices, or email,” she says.
“And, for example, an automotive manufacturer may store design files on-premise in one location, but metadata and backups can flow through global product lifecycle management systems, creating sovereignty exposure.
“Incidental data movement, such as emails, shared drives and collaboration tools, often push data into unsanctioned cloud folders, outside sovereign governance. Shadow IT compounds the problem when employees use external apps without IT oversight, creating blind spots.”
GigaOm’s Collins believes that for most, the key elements needed to incorporate data sovereignty compliance are already present in their organisation.
“It’s practical to consider it within your broader governance, risk and compliance framework,” he says. “The advantage is, as a larger organisation, you already have practices, processes and people in place for audit, reporting and oversight. Sovereignty requirements can be incorporated into those mechanisms.”
Collins says we should not assume all data needs to meet sovereignty rules, and that in many cases, it’s not possible to do so.
“For example, it’s not realistic to make email a fully sovereign, locally contained application because it’s inherently distributed,” says Collins. “But you can prevent sovereign data from being transmitted by email. That’s where data loss prevention and data protection policies come in, to make sure data from certain repositories, or of certain classifications, is not emailed out.”
Similarly with cloud. Rather than try to make all cloud folders sovereign, we should instead decide what data can and cannot be stored there. And if data needs to be stored locally, then it goes to a local on-premise or domestic cloud service or availability zone.
“The core debate is deciding whether a particular dataset is sovereign,” says Collins. “If you operate in a given country and you hold customer data about people in that country, then that data stays in that country. That gives you a clear list of what cannot go into cloud folders, be sent by email, or managed by a system that can’t guarantee localisation. Once you frame it that way, the whole thing becomes much more straightforward.”
Shipping through the Strait of Hormuz—the narrow but vital oil trade route in the Middle East—has almost ground to a halt since the start of the United States and Israel’s war against Iran. Tankers in the region have faced military strikes and a spike in GPS jamming attacks, a new analysis says.
Since the first US-Israeli strikes against Iran on February 28, more than 1,100 ships operating across the Gulf region have had their GPS or automatic identification system (AIS) communications technology disrupted, says Ami Daniel, the CEO of maritime intelligence firm Windward. Ships have been made to appear as if they were inland on maps, including at a nuclear power plant, the firm says.
The analysis comes as maritime officials have warned of a “critical” risk to ships operating in the region and as the initial conflict has quickly expanded to involve countries across the Middle East. At least three tankers in the region have been damaged in the conflict.
“We’re seeing a lot of GPS jamming,” Daniel says of shipping in the Strait of Hormuz and surrounding areas. The levels of electronic interference are “way above the baseline” of usual interference, he says. “It’s becoming very dangerous to go in and out.”
Over the last few years, attacks against GPS and navigation systems have been on the rise—largely driven by the wars in Ukraine and Gaza. They can impact people’s phones or devices, but also disrupt the safety and navigation systems in planes and ships. The electronic interference largely comes in two forms: jamming and spoofing. During jamming attacks, satellite signals are overwhelmed so that positioning data isn’t available. Whereas spoofing can create false signals that make an object appear incorrectly on a map—for instance, making ships appear as if they are inland at airports.
Inaccurate location data can lead to ships running off course, potentially increasing the chances of them crashing into other tankers, running aground, or causing damaging oil spills. In warzones, electronic interference is often used to try and disrupt the navigation systems of drones or missiles, which can rely on location data to find and hit their targets.
Analysis of shipping data by Windward found that there has been an “escalating” level of electronic interference across Iranian, United Arab Emirates, Qatari, and Omani waters since the initial strikes on February 28. Daniel says that the majority of the activity the company has identified so far has been jamming rather than spoofing. The company’s analysis says it has identified around 21 “new clusters” where ships have had their AIS data jammed in recent days.
“Ships were falsely positioned at airports, a nuclear power plant, and on Iranian land, creating navigation and compliance risks,” a report from the firm says. “AIS signals have also been diverted to the Barakah Nuclear Power Plant and nearby waters, while hundreds of other vessels are creating circle-like patterns off UAE, Qatari, and Omani waters.”
GPS and AIS interference within the Strait of Hormuz and the surrounding area is not new. In June 2025, as Israel and Iran exchanged missile fire, significant jamming in the region was reported.
While almost all commercial air travel has been grounded around the Middle East, there have been signs of electronic interference on aircraft flying ahead of and around the strikes. “There are at least six new spoofing signatures in the Middle East,” says Jeremy Bennington, vice president of positioning, navigation, and timing strategy and innovation at technology firm Spirent Communications. “Hundreds of flights have been impacted. However, that decreased significantly over the weekend as flights have been canceled.”
In the wake of a major series of new US and Israel-led attacks on Iran and subsequent retaliatory strikes on Gulf states including Bahrain, Kuwait and the UAE, the UK’s National Cyber Security Centre (NCSC) has reassured British organisations that there is likely no significant change in the direct cyber threat posed by Iranian actors.
But that despite the attacks, Iranian state threat actors likely retain some ability to conduct cyber attacks, and more widely, there is a risk of collateral impacts – such as distributed denial of service (DDoS) attacks – originating from hacktivist groups sympathetic to Iran.
And, as the spreading conflict threatens to draw in the UK, the GCHQ-backed cyber agency said it this assessment was subject to change at short notice, and there was almost certainly a heightened risk of indirect cyber threat for any UK organisations with a presence in the Middle East.
“In light of rapidly evolving events in the Middle East, it is critical that all UK organisations remain alert to the potential risk of cyber compromise, particularly those with assets or supply chains that are in areas of regional tensions,” said NCSC director for national resilience, Jonathon Ellison.
“Today, the National Cyber Security Centre has published an alert outlining the current cyber threat to the UK and the practical steps organisations should take in response.
“This includes engaging with our guidance to reduce the likelihood of falling victim to an attack where the cyber risk is heightened, and how critical national infrastructure organisations can prepare for and respond to severe cyber threats.
“Organisations are strongly encouraged to act now, following the recommended actions to prioritise and strengthen their cyber security posture,” said Ellison.
Global conflict
Although no European states have taken part in the initial strikes, Dennis Calderone, principal and chief technology officer (CTO) at Suzu Labs, said that European organisations still needed to pay attention.
“Iran’s cyber operations don’t stop at US borders, and the proxy groups operating on Iran’s behalf are even less predictable in their targeting,” said Calderone. “When the motivation is retaliation and the conventional military is gone, cyber operators cast a wide net.
“Since it appears that conventional military options are looking increasingly to be off the table, cyber is what Iran has left,” he added.
“And even with their own internet down, pre-positioned implants and operators based outside Iran can still execute. If you’re in energy, water, financial services, or defense, assume you’re a target. Start hunting for anomalous access in your environment now. Don’t wait for something to break.”
James Turgal, vice president of global cyber risk and board relations at Optiv, said that over the next 30 days or so, there will likely be a surge of cyber activity linked to Iran, including website defacements, DDoS attacks, doxxing and leaks, and disruptive intrusions designed to create symbolic impact and public fear. This will likely include influence operations.
Threat actors will likely opportunistically exploit vulnerabilities in unpatched, internet-facing systems, and take advantage of other cyber weaknesses, such as exposed VPNs, and badly-secured operational technology (OT) or industrial control systems (ICS).
Within 72 hours, at-risk organisations should move to lock down internet-facing exposures, verify they are patched and up-to-date, have removed or limited unnecessary remote admin surfaces, rotated any exposed credentials, and validated multifactor authentication on any remote devices, said Turgal. CNI operators should also review their OT and ICS segmentation and monitoring.
More widely, security leaders should take steps to protect user identities against potential intrusion, and ensure their infrastructure is hardened against DDoS attacks.
Blended threat
Halcyon’s Cynthia Kaiser – who was previously deputy assistant director of the FBI’s cyber division, said she was already seeing increased activity in the Middle East, and calls to action from hacktivists, DDoS botnet operators, and ransomware gangs.
“Iran has a long track record of using cyber operations to retaliate against perceived political slights…. Tehran’s cyber playbook has been aggressive and evolving,” she said.
“Increasingly, ransomware is incorporated into these escalating operations. Last year, an Iranian national pleaded guilty to ransomware attacks that crippled Baltimore and other US municipalities, causing tens of millions in damages. Since at least 2017, Iranian operators have targeted US critical infrastructure … with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage.”
In practice, Kaiser explained, Iranian cyber ops blend state sponsorship, personal profiteering, and outright criminal behaviour. For example, she said, financially-motivated hackers may attempt to monetise access gained through government-funded campaigns.
Like Moscow, she added, Tehran turns a blind – or at least indifferent – eye to criminal cyber ops against shared enemies such as the US, Israel and their regional allies.
“Having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact,” said Kaiser.
Oil prices surged on Monday following the United States and Israel’s attacks on Iran this weekend, as some analysts predict that it could soon reach over $100 a barrel. Amid escalating attacks on oil and gas infrastructure in the region and stopped traffic in a crucial shipping route, experts tell WIRED that how the White House directs the conflict over the coming week—as well as Iran’s and other oil producers’ responses—will be key in determining just how high prices eventually climb.
The price of Brent crude jumped to almost $80 a barrel—a nearly 13 percent increase over Friday’s prices—when markets opened Sunday evening. The market has been pricing in the risk of the US’s aggressive stance toward Iran for months, says Tyson Slocum, the director of the energy program at the progressive think tank Public Citizen, insulating prices from an even more severe jump. But the disorganized US follow-through to the initial attack—which killed Ayatollah Ali Khamenei, Iran’s supreme leader—is introducing much more uncertainty.
“For all of Trump saying, ‘Hey, you know, we took out Khamenei, we knew exactly where he was,’—apparently we didn’t do the same for Iran’s attack capabilities,” Slocum says. “It seems like our plan was to take out Khamenei and then hope for the best.”
Iran controls the Strait of Hormuz, one of the most important shipping routes in the world. One out of every five barrels of oil travels through the strait. Major members of the Organization of the Petroleum Exporting Countries (OPEC), the world’s dominant oil and gas cartel, rely almost entirely on the strait to get their product out of the region.
“As long as I have been in the oil market, Iran and the closure of the Strait of Hormuz has been kind of the ultimate risk scenario for prices,” says Canadian oil market researcher Rory Johnston. Usually, he says, OPEC would respond to an international crisis that involves oil by increasing production. “But if OPEC’s emergency production is on the other side of the problem area, it doesn’t do as much good.” Johnston compares the region to a garden hose, where a kink in one section can decrease output.
Throughout the weekend, while Iranian officials sent mixed messages on whether the strait is formally closed, traffic through the strait dropped to near zero. Insurance companies have jacked up policies on ships traveling through the strait, while some ships have been hit by drone strikes. What seems to be happening, Johnston says, is more of a “voluntary closure” than an official one.
There are worse scenarios for oil prices that could unfold in the coming days than just the closure of the strait. In September of 2019, drones hit major oil production facilities east of the Saudi Arabian capital of Riyadh. While the Houthi rebel movement in Yemen publicly claimed responsibility for the attack, US officials blamed Iran. The attack temporarily shot oil prices up 15 percent.
On Monday, Saudi officials said that they had closed a major domestic refinery following drone strikes, while a few other oil and gas fields across the region were also shut down. Qatar LNG, the country’s state-run liquefied natural gas producer, said Monday it was shutting down production due to drone strikes, sending gas prices in Europe spiking. Johnston says that continued, serious strikes like these could have a massive impact on prices.
“Going back to the garden hose thing … [that would be] more like taking a gun and blasting off the faucet,” Johnston says.
Clayton Seigle, a senior fellow at the Center for Strategic and International Studies, a think tank based in Washington, DC, agrees. “The more desperate Iran becomes, the greater likelihood for it to use energy as leverage to advance its interests,” he says. “If tankers abandon the Gulf trade in large numbers, and certainly if major oil infrastructure is damaged, we’re likely to see triple-digit crude prices again.”
Jennifer Garner reflects on filming movie right after child birth
[CinePlex360] Please moderate: “Chinese company
Colorado opts to practice, mourn death of Dominiq Ponder
-
Business6 days agoHouseholds set for lower energy bills amid price cap shake-up
-
Politics5 days agoWhat are Iran’s ballistic missile capabilities?
-
Entertainment1 week agoTalking minerals and megawatts
-
Sports1 week agoEileen Gu comments on Alysa Liu’s historic gold medal
-
Business6 days agoLucid widely misses earnings expectations, forecasts continued EV growth in 2026
-
Sports1 week agoSouth Africa thrash India by 76 runs in T20 World Cup Super 8 – SUCH TV
-
Business1 week agoGovt to return unclaimed EPFO deposits, expand scholarships for unorganised workers’ children – The Times of India
-
Business1 week agoHaryana Govt bars IDFC First Bank, AU Small Finance Bank over alleged Rs 590 crore fraud