Taking Back Digital Control  


By: Christiaan Ottow, CTO, and Rob Berends, Sr. Business Consultant  

Published: December 2025

Practical Steps EU Businesses Can Take to Gain More Digital Autonomy

What can be done about Europe’s reliance on foreign technology suppliers, including US hyperscalers? Many security leaders today will say this dependence is an operational concern. As we laid out in our previous blog on what digital autonomy and sovereignty mean for European organisations, it’s more than that. The threats to digital autonomy in Europe are strategic risks requiring an immediate, structured response.

In that case, surely the next step is to take action. But which action, and how? Should we just back up everything in the EU or our home country? Should we move fully away from US hyperscalers and SaaS providers? Are there even valid alternatives? And what about all our other technology, like our laptops, mobile phones, servers and firewalls? Since most of them originate from US companies and run US operating systems, how long will they work if sanctions are imposed?

To address these challenges, we developed a practical, step-by-step process. The bad news is, we don’t have European alternatives to all the US cloud solutions. The good news is, dealing with this situation is just old-fashioned risk treatment combined with pragmatism.

At a Glance: Threats to Digital Autonomy in the EU

  • Service Disruption – Loss of data or business continuity if a provider halts services or restricts access.
  • Data Sovereignty Risks – Exposure to foreign government access to data stored on vendor systems.
  • Reputational Impact – Negative public perception from continued reliance on US hyperscalers.
  • Vendor Lock-In – Limited cost control and flexibility due to dependency on a single provider.

Step 1: Understand Your Data and Dependencies

Before you can really take action, you should know where to start, especially in complicated IT landscapes. Start with your core business processes and do the following:

  • Identify your data: Identify all data you store and process, its level of sensitivity, and where it is currently located.
  • Map your technology stack: Create a diagram of the IT infrastructure supporting your business processes, including SaaS (Software as a Service) providers, cloud platforms (PaaS & IaaS), and internal systems. You might need to start at business processes to get an accurate map.
  • Identify critical data flows: Determine how the data moves through your systems. This helps prioritise what needs to be protected first.

Possible Challenges

This first step is a foundational one you should take regardless of specific risks, because it helps you mitigate many other risks as well. And, while it sounds simple, it's often the hardest. It requires a thorough process to identify every piece of data, from customer records to internal emails and everything in between. This process is time-consuming and can be a significant logistical challenge, especially for large companies with complex IT ecosystems. Therefore, it is important to start with the core business processes, which will likely introduce the biggest business risk if the data becomes unavailable.

Step 2: Assess your risk

For each of the threats we described in the previous blog, and any other digital autonomy related threats you find relevant, assess the risk it poses to you. How can this threat materialise against your organisation, what would happen if it materialises, and how bad is that? This risk assessment will help you decide where you need to make changes and at what cost.

This risk assessment should follow the format you use for your broader security management. If you haven’t adopted such an approach yet, various frameworks (e.g. ISO27005, the NIST RMF or FAIR) are great resources. But even something less extensive helps: just asking the question, “What would happen to my business process if this application, data or service is not available anymore?” can already give a very clear idea of how to prioritise processes, suppliers and assets.

Step 3: Set your ambition

With the risks in mind, think about what you want your digital autonomy to look like ideally. If the products and suppliers existed, where would you like your data and services to be hosted? What level of control would you have?

Use the map from step one and mark which solutions you would want to be hosted by European legal entities and/or in European countries, or what other digital autonomy properties you want them to have (see our previous blog for those). For components in your architecture that you mark in this way, describe the functional and non-functional requirements the component needs to comply with.

Step 4: Explore available options

Based on the desired state from step two, search for solutions that fulfil the functional and non-functional requirements that you formulated in the previous step. It’s most likely that you will find solutions for only a few of those components, and not for the most complex ones (like Microsoft 365).

However, for some classes of components it will be easier to find a replacement than for others. Finding a European (entity, hosted) IaaS platform, for instance, is doable, and the features they offer approach those of the US hyperscalers in the ways that are relevant for most companies. There are some candidates for PaaS, but it’s a bit more difficult, and for SaaS it’s most difficult.

Step 5: Implement the options you can

Now that you have some options to replace current solutions or vendors with ones that increase your digital autonomy, it’s time to start moving. In this step you start or plan projects to explore migration to those selected components. For some solutions this might be fairly simple, but the higher up in the cloud stack a solution is and the more connected it becomes to other IT components, the more difficult the migration becomes.

Step 6: Find stop-gap measures

After taking the steps that are feasible with the solutions and services available, you’ve moved a bit closer towards your goal in digital autonomy. Chances are, however, that you haven’t reached that goal. Now, it’s time to look at the gap between where you are and where you want to be, what level of risk that brings, and whether you can implement temporary workarounds or partial solutions, or whether you accept the risk.

For the solutions that are not at the desired end-state, what risks does this leave you with? For example, suppose you haven’t been able to find a replacement for Microsoft 365 for online collaboration in documents, spreadsheets, and presentations. The next-best candidate, Google, doesn’t improve your digital autonomy, and European solutions fall behind in functionality. So, what now?

In this step, look at measures you can take to reduce your risk that aren’t necessarily the things you had in mind when you set your ambition. These can be temporary solutions, alternatives for only a subset of your data or services, and so on. It could also be that you protect against certain risks by having backups of all your data that reside outside of the vendor you are backing up from, so you’ll retain access to those if you get locked out.

Example Case

Consider other possibilities than completely replacing cloud services. One company we assisted in this process decided to keep their on-premises infrastructure alive and even invest in making it more future-proof so that it will last them another three years. During that time they’ll keep their most sensitive data on servers on-premises. After three years, they hope there are more European SaaS options available and they’ll revisit the decision. Another company chose a Europe-based secure cloud storage solution that they use for sensitive documents, instead of Microsoft SharePoint.

Step 7: Rinse and repeat

Now that you’ve done what you can with the currently available solutions and some extra measures where needed, it’s time to shelve this topic. But it’s important that you return to it later, in one year’s time. That’s because the world will have already changed, as will your risks and available solutions. Plan to go through these steps again, updating the map of IT components, data and data flows, reviewing your risks, checking whether there are new solutions available that fit your requirements, and so on.

Then What?

Currently, our situation in Europe is that we can clearly see the threats to our digital autonomy and the possible impact of those threats. However, we don’t yet have the means to solve the problem, and it will take time for European companies to catch up. In the meantime, we’ll have to live with dependencies.

The steps outlined in this article can help you manage those dependencies in a purposeful way, instead of ignoring the topic because it is “unsolvable” and being surprised later by consequences you didn’t see coming.
