Beyond residency: Engineering sovereignty in the age of shadow IT

The cloud is undergoing a renaissance.

While many organisations have long understood its core benefits of providing scalability, security, and cost efficiency, it is only in the era of AI and Machine Learning (ML) that the penny is dropping. That is because it provides the perfect environment for innovation to take place, all at a pace that aligns with an organisation’s needs.

However, all of this could be overshadowed by a new cloud consideration: data sovereignty.

This year, cloud spending is expected to grow over last year's level. Gartner figures highlight, for example, an increase in sovereign cloud infrastructure spending of more than a third, to $80 billion. The shift to this type of cloud has been largely driven by a desire for environments that store and process data in compliance with strict legal, security, and residency regulations.

Even with hyperscalers rapidly launching sovereign cloud solutions, these efforts are being undermined by a quiet internal threat: Shadow IT. When departments deploy unauthorised systems and tools outside the view of central IT, they don’t just bypass protocols - they leave the backdoor to the business wide open to regulatory risk.

Residency vs. reality: the shadow IT leak

We constantly see comparisons between our online lives and reality, where each of us is willing to disclose only the "picture-perfect" snapshot of a moment in time. Much the same happens in our professional lives when it comes to shadow IT.

Increasingly, there is a gap between data residency or sovereignty (i.e., where an organisation’s data sits) and the data reality (i.e., how it is actually used). This can lead to organisations battling with themselves as their data policy doesn’t reflect how and where the data is being used, stored, and protected in practice.

Shadow IT is often the result of seemingly innocent actions, such as a department bypassing central IT to activate a new AI or cloud tool, yet it is easy for such an action to overlook a key compliance or best-practice mechanism.

The resulting shadow IT could have major security implications should there be any level of data leak outside the organisation. This is because even the most robust sovereign cloud is unable to protect data that has been exported to an unmanaged, non-compliant third-party app.

Such a leak could be not only operationally but also reputationally damaging.

The tested backup principle

There is no doubt that following best-practice procedures can bring massive improvements to any IT environment, even for organisations that aren't attempting anything so complex. As the adage goes, a backup doesn't exist if it hasn't been tested; likewise, if a compliance policy is not effectively monitored in real time, it simply won't exist in the eyes of regulators.

This year, more than ever, organisations must be mindful that if they don't have automated and detailed reporting on compliance with their policies, then they don't have any. This is all the more pertinent as we are on the precipice of the Cyber Security and Resilience Bill gaining Royal Assent, which will expand the scope of regulated entities and increase the reporting obligations of organisations.

They must therefore review their data policies, procedures, and the actions being taken by staff to avoid shadow IT undermining wider cloud and sovereign cloud usage. Why? Because ignorance is not a defence, particularly in the operational landscape that exists today. Rather than wait to conduct a post-mortem, organisations must be proactive.

This shift doesn't have to be manual. By adopting a "Shift Left" strategy - in turn automating the detection of non-compliant activities - organisations can address issues at the point of origin, ensuring the environment remains secure without slowing down innovation.

Many have spoken before about the need for organisations to replace the gates and barriers that stand in the way of IT implementation with guardrails, whereby the rules of engagement are set out up front. The same applies to addressing data sovereignty, where automation is needed at the point of creation to keep the environment under control.
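The "Shift Left" automation and the guardrails described in the two paragraphs above can be made concrete as a policy-as-code check that runs before a resource is created. The following is an added illustration, not code from the article or from CirrusHQ: it evaluates resource definitions against a constructed sovereignty policy (approved regions, registered owning teams, customer-managed encryption, and an allow-list of third-party services that may receive data) and blocks the deployment on any violation. The policy values, field names and sample resources are all assumptions for the example; a real pipeline would read them from infrastructure-as-code plans or a posture-management feed.

```python
"""Shift-left sovereignty guardrail (added example; not CirrusHQ code).

Evaluates resource definitions against a sovereignty policy before
deployment and reports every violation, so a non-compliant resource is
caught at the point of creation rather than in a post-mortem.
The policy, the resource fields and the sample records are constructed
for this example.
"""
from dataclasses import dataclass, field

# Constructed policy: regulated data may only live in approved regions, must
# use a customer-managed key, and every resource must belong to a registered
# team so that nothing is deployed outside central IT's view.
POLICY = {
    "approved_regions": {"eu-west-2", "eu-west-1"},
    "regulated_classifications": {"regulated", "confidential"},
    "registered_owners": {"platform", "finance", "data-science"},
    "approved_third_party_services": {"crm-saas", "ticketing-saas"},
}


@dataclass
class Resource:
    name: str
    kind: str            # e.g. "bucket", "database", "saas-integration"
    region: str
    classification: str
    owner: str           # owning-team tag; empty string means untagged
    encryption: str      # "cmk" (customer-managed), "provider", or "none"
    exports_to: list[str] = field(default_factory=list)  # external services receiving data


@dataclass
class Finding:
    resource: str
    rule: str
    detail: str


def evaluate(resource: Resource, policy: dict = POLICY) -> list[Finding]:
    """Return every policy violation for a single resource definition."""
    findings: list[Finding] = []
    regulated = resource.classification in policy["regulated_classifications"]

    # Residency: regulated data must sit in an approved region.
    if regulated and resource.region not in policy["approved_regions"]:
        findings.append(Finding(resource.name, "residency",
                                f"region {resource.region} is not approved for {resource.classification} data"))
    # Ownership: an untagged or unregistered owner is the signature of shadow IT.
    if resource.owner not in policy["registered_owners"]:
        findings.append(Finding(resource.name, "ownership",
                                f"owner '{resource.owner or '<untagged>'}' is not a registered team"))
    # Encryption: regulated data must be protected with a customer-managed key.
    if regulated and resource.encryption != "cmk":
        findings.append(Finding(resource.name, "encryption",
                                f"encryption '{resource.encryption}' is not customer-managed"))
    # Data reality: an export to an unapproved third-party app leaves the sovereign boundary,
    # even when the resource itself is in the right region.
    for target in resource.exports_to:
        if target not in policy["approved_third_party_services"]:
            findings.append(Finding(resource.name, "export",
                                    f"data exported to unmanaged service '{target}'"))
    return findings


def gate(resources: list[Resource], policy: dict = POLICY) -> tuple[bool, list[Finding]]:
    """Return (allowed, findings); the pipeline blocks the change when allowed is False."""
    findings = [f for r in resources for f in evaluate(r, policy)]
    return (len(findings) == 0, findings)


# Constructed sample: one compliant resource and two that a residency-only
# check would miss or only partly catch.
SAMPLE = [
    Resource("payroll-db", "database", "eu-west-2", "regulated", "finance", "cmk"),
    Resource("ml-scratch", "bucket", "us-east-1", "regulated", "", "provider"),
    Resource("notes-sync", "saas-integration", "eu-west-2", "confidential",
             "data-science", "cmk", exports_to=["ai-notetaker-saas"]),
]

if __name__ == "__main__":
    allowed, findings = gate(SAMPLE)
    for f in findings:
        print(f"BLOCK {f.resource}: [{f.rule}] {f.detail}")
    print("deployment allowed" if allowed else "deployment blocked")
```

Run as a pre-deployment step, the gate turns the policy into the real-time, automated reporting the article calls for: the `ml-scratch` bucket is blocked on region, ownership and encryption at once, and `notes-sync` is blocked even though it sits in an approved region, because its export to an unapproved service is where the residency-versus-reality gap actually opens.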

The new currency: control and transparency

That is because, in a volatile business and technical environment, control is the new currency.

We have seen firsthand how, when an organisation deploys some level of automated oversight of cloud systems, it can greatly reduce duplicated work, data, and unmanaged resources. This completely removes a silo tax that might have existed in its place.

Sovereignty shouldn’t be viewed as a product you buy, but as an approach you embrace. When data sovereignty is engineered internally, it closes the gap between high-level policy and low-level automation.

Ultimately, this shifts the CEO mandate from asking, "Where is my data?" to the much more powerful, "How do I prove my data is governed?" Once that shift happens, we will enter a new era of cloud maturity, and that is a very exciting prospect.

James Lucas is CEO of CirrusHQ