How data embassies can strengthen resiliency with sovereignty
Director, Office of the CISO
Try Google Cloud
Start building on Google Cloud with $300 in free credits and 20+ always free products.Free trial
Embassies have been havens for the people of countries they represent for hundreds of years, helping reduce some risks that their citizens can face when traveling and living abroad. The concept of reducing risk with an embassy has been extended to data in the digital world, made possible by the flexible, distributed nature of the cloud.
Small countries around the world are turning to the concept of “data embassies” because they are in need of sovereign and resilient infrastructure. Nevertheless, they realize that keeping data localized within a single facility or a set geographical boundary could pose a security risk in the event of a crisis, such as a natural disaster or an armed conflict. Data embassies offer one solution to this problem, and sovereign cloud solutions, such as those offered by Google Cloud, offer another.
Estonia, one of the world's most mature countries in digital administration, authorized a data embassy in 2015. The Estonian government evaluated the risks it faced as a small country highly reliant on digital services, and determined that its threat model should include the shutdown of its data centers because of extensive denial-of-service attacks or a military invasion that crossed its borders. To be able to recover from these extreme disaster scenarios, Estonia decided to host a backup of its most critical data and services in data centers abroad.
Enter: Luxembourg. The data embassy agreement that Estonia signed with its European neighbor offers the data hosted in a Luxembourg data center the same inviolability and immunity status as the one protecting embassy buildings and diplomatic personnel.
An alternative solution could have been to host Estonian critical data and workloads in an Estonian embassy abroad. However, embassy buildings may lack necessary facilities including physical space, power supply, cooling, and network peering to host adequate and efficient data centers. Estonian chose to rent state-of-the-art data centers managed by a Luxembourg service provider and protected by diplomatic status. The data and services are managed using cloud technologies to ensure effective synchronization and service recovery.
Even though Monaco’s threat model is not Estonia’s, the small coastal nation also created a digital embassy in Luxembourg in 2021. The driving factor in Monaco’s risk-model that led it to create its digital embassy was a natural disaster. A best-practice response to this threat is the replication of data and workloads in a distant data center located at least 50 kilometers from the primary facilities so as not to be subject to the same risk. However, because Monaco is barely larger than two square kilometers, Monaco’s data would have to be stored outside of its borders. The data embassy legal framework enabled increased resiliency for the country’s data.
The embassy framework has been slowly growing in appeal to entrepreneurial-minded countries. In 2018, the Kingdom of Bahrain issued a legislative decree which created a legal framework for data stored in Bahraini data centers that subjects it to the exclusive jurisdiction of customer’s domestic law — not Bahrain’s.
To improve their resiliency, governments follow the same approach as organizations building a business continuity plan: For technical and organizational concerns, they identify their critical services, define a threat model, conduct a risk analysis, and enforce security measures and other controls to manage these risks.
The infrastructure of a data embassy
There are several components that comprise a data embassy. A data embassy must have a secure, resilient data infrastructure that can protect a nation's data from cyber and physical threats. They should have a robust mechanism to ensure efficient data back-up and fail-over, as well.
Data embassies must also have an agreement with a trusted partner that covers technical and contractual measures to ensure the confidentiality, integrity, and availability of the data stored in that facility. Importantly, the agreement must also delegate a certain level of control over the data.
Rather than storing your data in one facility, where it can still be vulnerable, the nature of cloud technology can encourage governments to take advantage of a global infrastructure that provides maximum reliability and resilience.
Cloud technologies now allow organizations to put in place such data backups and replicated services, even over vast geographic distances. The diplomatic agreement between the home country and the host country establishes three pillars of sovereignty on the recovery site:
Data Sovereignty: The home country retains access and control over its data, which is protected and not subject to the host country’s jurisdiction. This can be accomplished through the nation’s control of the encryption keys used to unlock the data.
Operational Sovereignty: The home country has continuous visibility and control over the provider operations and can maintain its services even during extreme scenarios.
Software Sovereignty: The home country can choose the technical stack on which it operates, without depending on the provider’s software.
This sovereignty approach through the data embassy model contrasts with the sovereignty requirements blossoming in several countries in Europe and beyond, mostly based on the strict requirement for data residency. The two implementations do not address the same risks but share the same goal of preserving digital sovereignty. For example, some countries in Eastern Europe have regulations requiring sensitive data to be stored in their national territory. Since the beginning of the war in Ukraine, their risk model has radically changed.
The mandatory storage of data within strict geographical boundaries may be a hurdle to maintain the security level and the resilience of data and services. At Google Cloud, we support data residency controls for customers who need to keep data in a specific location for compliance or reliability reasons.
However, for customers who need to back up or replicate data outside the region, we support additional controls including robust cryptography and customer control over the encryption keys. Using Google Cloud’s innovative customer-managed external key management (EKM) and key access justification (KAJ) tools, customers have ultimate control over access to their data, regardless of where it is geographically located. This allows our customers to enforce strict access controls without sacrificing the security and resilience benefits of a global cloud infrastructure.
These concepts can actually be implemented in a complementary fashion. We have observed during the last decade how cloud technologies have remodeled approaches to business continuity. The same evolution may occur in the following years in sovereignty.
Data embassies create a new approach to securing data by leveraging diplomatic agreements bolstered by cloud technology solutions. We expect that the concept of digital embassies will grow organically over time, as different organizations and their host countries work out legal details. We expect more organizations to join the digital embassy movement, partnering with a trusted host country to develop the legal framework required to become trusted hosts.
Of course, a defensive posture for cybersecurity risk is not built upon one single measure but on multiple capabilities comping together to provide defense in depth. Data embassies may find their place in a resilience strategy within a definition of sovereignty that embraces a mixed ecology of solutions to facilitate European government and citizen control over their data. Embassies and robust customer-controlled encryption offer a sovereign solution that can be achieved without the trade-offs associated with turning away from global cloud infrastructure. These solutions will form part of the toolkit providing alternatives to nation states for whom highly localized storage does not achieve continuity nor resilience.
To conclude, the drive for more sovereignty, and in particular data sovereignty, is here to stay. As cloud computing evolves, and as geopolitical frictions show no sign of subsiding, digital embassies or similar approaches to citizen data are expected to mature and perhaps become mainstream in the coming years.
To learn more about data embassies, please contact the Google Cybersecurity Action Team and read our digital sovereignty announcements from this year’s Google Cloud Next as well as listen to our Demystify Data Sovereignty and Sovereign Cloud podcast.