Tech
Auditing, classifying and building a data sovereignty strategy | Computer Weekly
Data sovereignty is a hot topic. For commercial and public sector organisations, compliance to ensure personal data is secure is a primary objective. And that means it cannot be subject to foreign laws or interference.
Data sovereignty is also a matter for international relations, where states strive to ensure citizen and organisation data is secure from foreign interference. And, for states, achieving data sovereignty is also a way of protecting and developing national economies.
In this article, we look at data sovereignty, and the key steps CIOs need to take to build their data sovereignty strategy. This centres on auditing, classification and building controls over data location and movement.
What is data sovereignty, and why is it an issue?
At the most general level, data sovereignty is the retention of data within the jurisdiction – usually state boundaries – whose laws govern its use.
Interest in data sovereignty has been building for some time. In one sense, it looks a lot like law catching up with the “wild west” early years of cloud use and popularity. Here, organisations rushed to this new, highly flexible location to process and store data, then later discovered the risks to which they – and their customer data – had become exposed.
More recently, the drive to digital sovereignty stepped up to the level of states. That trend got a big boost during US president Donald Trump’s first term. That saw the country’s introduction of the Clarifying Lawful Overseas Use of Data (Cloud) Act, for example, which potentially allows US law enforcement to access data stored by US companies anywhere. Alarm bells started ringing, especially in Europe.
Organisations achieve digital sovereignty in their operations by making data subject to the laws and control of the state they operate in, or from. But we are far from achieving that, when, for example, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) have around 70% of the European cloud market, and many European state organisations are completely or overwhelmingly dependent on US hyperscalers for cloud services.
What are the concerns about data sovereignty, and what do CIOs plan to do?
Surveys regularly find IT decision-makers are concerned about data sovereignty. A Gartner survey conducted among 241 IT decision-makers globally found the majority (75%) of those outside the US plan to have a digital sovereignty strategy in place by 2030. Meanwhile, 53% said concerns over geopolitics would restrict future use of global cloud providers, and 61% said such worries would increase their use of regional or local cloud providers.
Complexity – and the potential for contradictory regulations and increased costs – is also a major concern, says Simon Robinson, principal analyst for storage and data infrastructure at Omdia.
“Our research found 74% of organisations say sovereign clouds have become more important over the last two years,” he says.
“However, it is a complex and fast-moving area. The regulatory and compliance environment is evolving rapidly. But the challenge for global organisations is that some regulations may actually conflict, potentially forcing them to contemplate whether they might break one law or regulation to satisfy another.”
Robinson adds: “At the very least it pushes up costs, may lead to inconsistent data policies around retention, and could slow down the adoption of advanced technologies, such as AI [artificial intelligence].”
So, while risks around stored data being in datacentres in a foreign country, on foreign infrastructure and subject to that country’s laws are a major worry, resolving that situation can bring its own issues too.
What is a data sovereignty audit, and why is it so important?
Core to an organisation’s responses to an unknown or uncontrolled data sovereignty situation is an audit of its data. This is the first step towards ensuring data is kept and processed within the appropriate state boundaries.
That will likely take the form of identification of the risks around different classes of data, according to Jon Collins, vice-president of engagement and field chief technology officer at GigaOm.
“Not all data is created equal, and not all parts of the architecture are created equal,” he says. “The first step is to classify what you’ve got. Identify whether it needs to fall within the scope of sovereignty, understand what kind of data it is, and consider how it might be impacted in terms of privacy, localisation and compliance.”
Key parts of a digital sovereignty strategy include mapping digital assets and data flows throughout their lifecycle and the laws to which they are subject at all stages. Then classify the data to assess risk levels for each class.
This can include geo-tagging, and should be part of an ongoing process, says Bettina Tratz-Ryan, vice-president and analyst at Gartner. “Automated discovery tools help identify and tag sensitive data, whether in physical storage or incidental locations like shared drives and folders,” she adds.
“Regular audits and compliance checks are non-negotiable and require strong governance policies and periodic manual reviews.”
How to minimise exposure to data storage risks
A data storage strategy that addresses data sovereignty builds on the classification of data in the data audit to limit what data can go where.
As part of the classification process, data will be subject to a policy that manifests in metadata tagging that indicates its sensitivity and tolerance for movement.
“Organisations should adopt a data governance as code approach, automating compliance through infrastructure as code techniques for consistent enforcement and rapid remediation,” says Tratz-Ryan.
That means sensitive data should be stored locally or in regional datacentres to meet residency requirements, with the cloud used for scalability under strict, region-specific compliance requirements.
“Continuous monitoring, encryption and geo-fencing are essential, and governance must be built in, not bolted on,” adds Tratz-Ryan.
Such approaches address the difficulties that potentially arise with data in transit. With the ability to monitor compliance and auditability built in via classification and tagging, critical workloads can be more easily segregated from less sensitive data at rest and in transit.
“Strict governance over location and movement is the cornerstone of risk mitigation,” says Tratz-Ryan.
Challenges in maintaining knowledge and control
There are many challenges to data sovereignty auditing. Data moves, and it moves across borders. We might believe we have nailed down data in our infrastructure, while data finds other backdoor routes across frontiers. Meanwhile, proprietary systems present huge challenges to audits and tagging, and staff create shadow IT, use emails, attach files, and so on.
In short, data movement in an organisation can be very complex indeed. It is potentially simple to audit and control the vast bulk of our data, but the problems come with incidental cases of data movement, says Tratz-Ryan.
“In globally connected organisations, sovereignty risks will occur even if data is stored in local servers. Remote access, backups, and software-as-a-service integrations can create cross-border exposure, triggering compliance challenges under laws like the US Cloud Act. Also, governance can be bypassed by incidental data movement via virtual private networks, personal devices, or email,” she says.
“And, for example, an automotive manufacturer may store design files on-premise in one location, but metadata and backups can flow through global product lifecycle management systems, creating sovereignty exposure.
“Incidental data movement, such as emails, shared drives and collaboration tools, often push data into unsanctioned cloud folders, outside sovereign governance. Shadow IT compounds the problem when employees use external apps without IT oversight, creating blind spots.”
GigaOm’s Collins believes that for most, the key elements needed to incorporate data sovereignty compliance are already present in their organisation.
“It’s practical to consider it within your broader governance, risk and compliance framework,” he says. “The advantage is, as a larger organisation, you already have practices, processes and people in place for audit, reporting and oversight. Sovereignty requirements can be incorporated into those mechanisms.”
Collins says we should not assume all data needs to meet sovereignty rules, and that in many cases, it’s not possible to do so.
“For example, it’s not realistic to make email a fully sovereign, locally contained application because it’s inherently distributed,” says Collins. “But you can prevent sovereign data from being transmitted by email. That’s where data loss prevention and data protection policies come in, to make sure data from certain repositories, or of certain classifications, is not emailed out.”
Similarly with cloud. Rather than try to make all cloud folders sovereign, we should instead decide what data can and cannot be stored there. And if data needs to be stored locally, then it goes to a local on-premise or domestic cloud service or availability zone.
“The core debate is deciding whether a particular dataset is sovereign,” says Collins. “If you operate in a given country and you hold customer data about people in that country, then that data stays in that country. That gives you a clear list of what cannot go into cloud folders, be sent by email, or managed by a system that can’t guarantee localisation. Once you frame it that way, the whole thing becomes much more straightforward.”
Tech
‘STAGED’: Conspiracy Theories Are Everywhere Following White House Correspondents’ Dinner Shooting
In the immediate aftermath of the attack on the White House Correspondents’ Dinner on Saturday night, influencers, pundits, and random posters lit up social media platforms like X, Bluesky, and Instagram with conspiracy theories about the attack and the alleged shooter.
Both left and right-wing accounts claimed, without evidence, that the attack was staged.
President Donald Trump, Vice President JD Vance, and dozens of other high-profile administration officials and journalists were attending the dinner at the Hilton hotel in Washington, DC, when a suspect, later identified by media reports as Cole Tomas Allen from California, allegedly ran past security towards the event. He was detained by law enforcement while the president and vice president were evacuated. Police said that they believe Cole acted alone, but did not expand on who his intended target was or what his motive may have been. “We believe the suspect was targeting administration officials,” acting attorney general Todd Blanche told NBC’s Meet the Press on Sunday morning.
On Bluesky, which has a predominantly left-leaning user base, many people simply wrote the word “STAGED” over and over again, echoing the response to the Trump assassination attempt in Butler, Pennsylvania in 2024.
On X, many claimed the shooting was staged as a way to bolster support for Trump’s plan to build a new ballroom in the White House. The president referenced the ballroom in a press conference after the incident and a Truth Social post on Sunday morning. Many prominent online Trump boosters echoed the need for the ballroom, including far-right podcaster Jack Posobiec, Libs of TikTok creator Chaya Raichik, and Tom Fitton, the right-wing activist who runs Judicial Watch.
Their quick response, conspiracy theorists claimed, was evidence of a coordinated campaign following the shooting. “Is this another staged event,” one X user asked in a post that has been viewed more than 5 million times.
Other social media users who claimed the incident was staged pointed to a Fox News clip that featured the station’s White House correspondent Aishah Hasnie speaking from the Hilton hotel. Hasnie told viewers that prior to the shooting, press secretary Karoline Leavitt’s husband allegedly told her “you need to be very safe,” before the call was cut off.
“Fox News just cut one of their reporters off as they seemed to indicate the shooting was a pre-planned false flag,” one X user wrote in a post that has been viewed more than 2 million times. Hasnie later clarified in an X post that her cell service had cut out in a location with notoriously bad service, adding: “He was telling me to be careful with my own safety because the world is crazy. He was expressing his concern for my safety.”
“I don’t want to be fomenting conspiracies,” wrote Angelo Carusone, the chair and president of Media Matters, on Bluesky about the Fox News interview. “But I mean…this was super weird. Super weird.”
Leavitt herself was also the focus of conspiracy theories after she said “shots will be fired” in an interview ahead of the dinner, referring to the jokes Trump was scheduled to deliver. Following the attack, X users claimed the comment was “strange,” “sus,” or a “curious choice of words,” while sharing memes that suggested the shooting was staged. At least one mainstream outlet appeared to amplify the conspiracy theory as well, describing Leavitt’s comment as “eerie” and “bizarre.”
Kindle Holders
Hate holding up your Kindle? Or struggle with chronic pain that makes holding it feel terrible? These holders will literally take the weight out of your hands.
A Freestanding Charger
Looking to keep your Kindle charged without adding another cord to the floor of your desk or bedside table? Same. Here’s a more stylish solution if you have one of the Signature editions.
Anker
Wireless Charging Dock for Kindle
This wireless charging dock is made by Anker for Kindles, specifically for Kindle Paperwhite and Colorsoft’s seven-inch Signature editions. Those versions have wireless charging capabilities, and this stand takes advantage of that with charging coils that line up with the back of the Kindle, where the wireless charging is. You’ll want to take off any MagSafe cases; leaving mine on made the little light on the charging dock flash until I took it off.
A Kindle Page Turner
The hottest new item to get as a Kindle lover is a page turner. They’re especially handy for holders like the ones above, where your hands aren’t already on the device, and can make for a great accessibility accessory for readers with different needs.
My biggest irritation with these devices so far is that you have to charge them both individually, and if one runs out of battery, the whole thing is useless. I also don’t love that the turner does tend to block at least one letter while I read, and you can’t place it on the lower or upper margins since it’ll activate the menus instead of turning the page. Still, it makes reading ultra comfortable, especially for my strained wrists.
Here’s my favorite one so far, that’s been solid at holding a charge, and next I’m testing this remote ($15) with a wearable ring clicker instead of a remote.
A 31-year-old engineer and computer scientist was identified by media reports and President Donald Trump as the suspected shooter at the White House Correspondents Dinner on Saturday night.
Cole Tomas Allen, of Torrance, California, was apprehended following the firing of shots at the Washington Hilton, where Trump was scheduled to deliver remarks to a ballroom full of journalists, cabinet officials, and Hilton staff. Allen’s name surfaced in media reports shortly before Trump posted two photos of a suspect following his apprehension. The person in the photos Trump posted matches photos of Allen.
In dramatic scenes, several shots were heard outside the ballroom, after which Trump and Vice President JD Vance were immediately rushed off the stage by the United States Secret Service. In the immediate aftermath of the shooting incident, it briefly appeared as if the event would proceed—Trump posted “LET THE SHOW GO ON” on Truth Social—but the event was eventually shut down.
According to the Metropolitan Police Department, the suspect “charged” a Secret Service checkpoint at the Hilton hotel, and was intercepted by agents. MPD interim chief Jeffery Carroll said the suspect was carrying a “shotgun, handgun, and multiple knives.”
At a White House press conference following the shooting, Trump said one United States Secret Service agent was shot but saved from serious injury by his bulletproof vest. Trump said the agent, who was not named, is “doing great” and in “great shape.” No other injuries were immediately reported.
The suspect was later transported to a local hospital “to be evaluated,” according to Carroll, who said he appears to be a “lone actor.”
Around the time Trump’s press conference began on Saturday night, he posted a picture on his Truth Social account appearing to show the suspected shooter on the ground, with his hands restrained behind his back, and a foil warming blanket covering the lower half of his body.
A WIRED review of public databases shows a seemingly minimal online presence associated with Allen’s name. According to his LinkedIn profile, he graduated from Caltech in 2017 with a bachelor’s in mechanical engineering and from California State University Dominguez Hills in 2025 with a master’s in computer science. An apparent photo of Allen that appears on Caltech’s website identifies him as a member of the school’s Mechanical Engineering 72 class, described by the school as a “two-term engineering design lab” for building robots and autonomous vehicles. His name is also listed in a 2025 Dominguez Hills graduation program. A search in a public facial recognition database returns only two images, both apparently of him as an undergraduate.
According to the alleged shooter’s LinkedIn profile, he has been employed part-time since March 2020 at C2 Education, a private company that helps students prepare for the SAT and ACT exams. In December 2024, C2 Education said in posts on LinkedIn and Facebook that he was the company’s “December Teacher of the Month.”
Since 2018, the suspected shooter has self-identified on his LinkedIn profile as a “self-employed” indie game developer. He appears to have released an “atomic fighting game” called Bohrdom on Steam in 2018. The game was advertised using accounts on YouTube and X that appeared to have little to no following. The caption for a trailer of the game describes it as a “non-violent, skill-based, asymmetrical fighting game loosely based on a chemistry model that is itself loosely based on reality.”
C2 Education and did not immediately respond to requests for comment. When reached for comment, the Metropolitan Police Department referred WIRED to a video of its public press conference.
Strait of Hormuz disruption ‘systemic shock’ threatening SE Asia: ERIA
Anta: The Chinese sports brand taking on Nike and Adidas
Prince Harry stirs new debate at Palace with bold move: ‘walking liability’
-
Sports1 week agoWWE WrestleMania 42 Night 2: Live match results and analysis
-
Sports1 week agoNCAA men’s gymnastics championship: All-time winners list
-
Fashion1 week agoUK’s Sosandar returns to profitability amid robust FY26 performance
-
Politics6 days agoUK’s Starmer seeks to deflect blame over Mandelson appointment
-
Entertainment1 week agoRuby Rose old essay resurfaces detailing night of alleged Katy Perry assault
-
Entertainment7 days agoLee Anderson, Zarah Sultana kicked out of UK Parliament for calling PM ‘liar’
-
Entertainment1 week agoNathalie Baye, low-key legend of French cinema, dies aged 77
-
Business1 week agoNo fuel shortage: Govt assures 100% domestic LPG, PNG, CNG supply amid Hormuz energy crunch – The Times of India