Video: Minimum Viable Sovereignty: Approaching Data Resilience in a Fragmented Geopolitical Landscape | Duration: 2020s | Summary: Minimum Viable Sovereignty: Approaching Data Resilience in a Fragmented Geopolitical Landscape | Chapters: Introduction to Sovereignty (26.654999s), Data Sovereignty Challenge (160.74501s), Four Converging Forces (283.58002s), Sovereignty Goes Mainstream (473.32s), Residency vs Sovereignty (533.06s), Regulatory Compliance Pressures (686.13995s), Minimum Viable Sovereignty (925.01996s), Tiering Sovereignty Controls (1212.105s), Sovereignty Capabilities (1398.89s), Sovereignty Deployment Models (1544.61s), Call to Action (1701.9349s)
Transcript for "Minimum Viable Sovereignty: Approaching Data Resilience in a Fragmented Geopolitical Landscape": Thank you for joining us. I know your time is valuable, so we'll make sure that we use it well. My name is Richard Cassidy. I'm a new CSO here at Rubrik. And over the next thirty minutes or so, I want to have what is, for me and a lot of organizations I speak to, a genuinely critical conversation. And it's one that I'm finding myself in more and more, not just at the exec level, but at the board level too. And also with the practitioners, those at the coalface, those that are making these decisions at each of the business units across all regions. And it's a conversation about sovereignty. And don't think about this as a compliance checkbox. And don't even think of it as a political talking point. It's more of a practical resilience question, and one that for many organizations is sitting right at the intersection of operational risk, of regulatory obligation, and, quite frankly, geopolitical reality. And I want to be direct about something before we get into the slides. When our chief product officer, Anneka Gupta, announced Rubrik Security Cloud Sovereign earlier this year, she put it very plainly. For those managing sensitive data, sovereignty isn't optional. It's fundamental. Now the way I see it, most people joining us today already know that, and that's fair to say. But what we're going to do over the course of this webinar is make it very practical. And before we get into the slides, I'd love to leave you with a question that you hold in mind as we go. If your cloud provider suspended your access tomorrow, could you recover? If geopolitics affected the economics of using specific services or vendors or platforms, could you operate in other ways, fully independently? Could you do that within the time frame your business actually needs? And that's what this question and webinar today is really all about.
So without further ado, let's jump into the slides. Now the session title is, at least for the first part, does your data have a passport problem? And that's a question that I've been putting to CISOs and boards across EMEA for the better part of the last twelve to eighteen months because, actually, it frames something that is surprisingly difficult to answer with good confidence. Most organizations have genuinely got data residency right. The data is local in most cases. It's in country in most cases. The boxes are ticked. And for a long time, that's felt sufficient, hasn't it, for our business? But residency and sovereignty, however, are absolutely not the same thing. Residency tells you where the data sits. Sovereignty tells you who controls the path to recover it and who has access to it in terms of that control path as well. And increasingly, those two things are diverging in ways that create real operational exposure for businesses. Now the three statistics you see on the screen will tell you where the market is heading. Right? 61% of CIOs in Western Europe are already shifting to local cloud providers. 53% expect geopolitical factors to restrict their use of global cloud platforms. And by 2030, not far away, Gartner projects that more than 75% of enterprises outside of the US will have a formal digital sovereignty strategy. Now for me, that last number is the most striking one. It means a significant proportion of organizations are still operating without one, and the risk environment isn't waiting for the strategy to catch up. Your internal risk and compliance teams and the external regulators need you to be ahead of the curve on this. The phrase I use most commonly, and one that I would say simply sums up the challenge we're exploring in this webinar, is: if your recovery plan needed a visa, is it really resilient? And let's talk about why.
So there are four forces that have essentially collided, specifically in the last eighteen months, to push sovereignty from a concern that we might never have considered on our key risk registers to one that is firmly on the agenda of our boards, of the regulators, and of course of national governments, here and internationally. So the first is geopolitics, and I don't need to go into that in too much detail. You only have to look at the news over the past twenty-four to forty-eight hours, or couple of weeks. You have plenty of data points. But borders are now starting to matter more again than they have in probably most of our lifetimes. And the idea that technology and commerce exist outside political reality, that's been tested significantly in recent years, and strategic dependency on foreign-administered infrastructure is actually now beginning to be reevaluated at national level, not just within organizations. And 91% of those in a particular study that were in geopolitically exposed positions have already changed their cloud strategy as a result. Now the second is regulation, and I won't put too much on this because we all know and are very well aware of what regulation drives. But actually across 18 critical sectors and 28,000-plus entities, there's a regulatory bar that is moving firmly toward resilience rather than protection alone. And it's good to see that shift. That shift has been long overdue for many years in terms of regulatory outputs. And the third part is the dependencies. Right? And this is actually the force that catches most organizations off guard, and in a very consistent way, unfortunately. Most don't have a clean picture of the dependency chains, and every business I've spoken to would fall into this category. I've yet to meet a single business that does have that clean picture.
Metadata, you know, flows through foreign jurisdictions; encryption keys can be managed in all sorts of different ways; and there are different legal frameworks depending on where the service you're accessing is. And admin access can also be a bit of a challenge too. So your recovery path tends to run through control planes that you don't often control. And the risk there that should really concern us most in respect of those dependencies is the accumulation of these hidden factors. And right now, they're quiet. They're visible, often, and they would appear to be unremarkable, but then that's only what they are until they aren't. Now the fourth is recovery risk, and 63% of organizations fail to recover critical workloads within seventy-two hours after a cross-border vendor disruption. And, look, this is not a compliance stat for you to be aware of. It's a reality that we're living in operationally, and very few organizations have genuinely stress-tested those particular challenges. So let's look at where the market is already moving. Now this is data from respected industry analyst think tanks. And I think, to wrap it up, because the slide speaks for itself, the way that I see it is that this data confirms something that many of us have already felt in the conversations we're having internally and with our peers: that sovereignty is a mainstream shift in how enterprise technology strategy is being shaped. It's not a niche concern that only sits on the bench of a number of high regulators. It's actually a question that every organization that is listening to this webinar, and that you talk to post this webinar, should be thinking about. Where do we sit on the curve here? Are we ahead of it? Or are we reacting to it when the pressure arrives? And I would say the latter of that statement is not a place that any organization wants to be. Now, residency is not sovereignty.
Now this is a slide and a talking point that I return to most often in executive conversations because it's where the gap is pretty evident. And, actually, it's also where most organizations realize that their current posture is probably more exposed than they've assumed. So on the left, you've got residency. Right? Data is stored locally. Physical location is controlled to a large extent. And, you know, that feels real and it matters to our business. Metadata, encryption keys, admin access, however, well, many still flow through foreign jurisdictions, and this means that once the box is ticked, the risk does remain somewhat unresolved. In the middle, and this is where most organizations really do sit today, though many probably aren't aware of it, is the hidden dependency position. So foreign admin access, cross-border metadata, a recovery path that, when you trace it back, runs through infrastructure or personnel that exist outside of your jurisdictional control. And look, I don't think you can ever get away from that fact. That's just how the world operates at the moment, but we can understand which types of datasets need the right types of controls, and we'll come on to that later. But that particular exposure isn't visible day to day. It only becomes visible when something goes materially wrong. And by then, unfortunately, you're already in the incident. And then on the right is sovereignty. And that's the full picture, isn't it? All components, data, metadata, the control plane, operating entirely within your designated boundaries. So you've got complete jurisdictional control. You've got an independent recovery path, and you're managing the keys to the best of your ability throughout. So the 63% failure-to-recover figure on this slide comes from cross-border vendor bans. Organizations that had residency but not sovereignty. So when the access path was cut, and we have seen examples of this. Right?
It happened to businesses in the Eastern Bloc, from Chinese government strategy. So you can't use particular regional security vendor tool sets. You can read more about that. I don't want to go into the details here. It's outside of the scope of this webinar, but it has happened. We've seen a case study of this already. So residency gets you to the starting line, I would say, but sovereignty is what actually protects you when circumstances become genuinely difficult geopolitically. And I'm not going to give regulators too much of a thrashing here, but I think it's important to mention that a lot of the time when I'm having conversations with executives, they're spending a lot of resource on working through the regulatory requirements, and that's no surprise. We have to do that at executive level. So whether it's an institute or the PRA, whatever your national, European-wide, or international regulatory framework is, it's the practice for organizations across the year. It's standard today. Now all these frameworks have moved beyond "do you have security controls?" towards "can you continue to operate when those controls are stressed, or in a wartime scenario?" And, critically, can you actually demonstrate that with evidence before the incident occurs rather than after? So there's a lot of focus on regulation that is driving closer towards the sovereignty boundaries as well. And, actually, the direction from regulators is very, very clear. Don't just prove that you can recover. Prove that the path is under your control. And for organizations that are operating in regulated sectors in EMEA, sovereignty is actually no longer a strategic aspiration, if you like. It's becoming the core compliance requirement. Now I want to be specific about the pressure points here because the dependency risk is very abstract until you map it against real scenarios that your organization could plausibly face. So the first scenario is jurisdictional risk.
Now under the US CLOUD Act, American cloud providers can be compelled to hand over data stored anywhere in the world, including data sitting in European data centers. Now 85% of European cloud infrastructure has significant dependency on providers subject to this type of legal exposure, which means the recovery path itself may be blocked by a jurisdictional conflict that you've actually got no way to anticipate or even control. The other one that we need to consider is vendor lockout. I talked about it just briefly a moment ago. So sudden termination of access due to sanctions or trade restrictions or unilateral provider decisions, whatever they may be. So the compliance window to find an alternative is typically seventy-two hours, and 63% of organizations have already failed to recover within that window under those same constraints, as I mentioned a little bit earlier. And the third is legal conflict. Right? The regulatory collision between data protection obligations and foreign access requests. Things like cross-border legal orders that place you between two jurisdictions, each of which expects compliance, and then you've got metadata ownership disputes that become operationally very significant when you can least afford them to. And the fourth is provider dependency. So this is where your recovery path simply isn't independent, and it runs through, potentially, foreign channels, foreign control planes, foreign administration infrastructure. When that path is disrupted, there can be no viable alternative. So the point I make here, in almost every executive conversation on this topic, is probably this one. Most disaster recovery rules assume that your SaaS provider, your vendors, your tooling will always be available. In a real crisis, in a global sanction event or a geopolitical escalation, a provider decision could be outside of your control, and the assumptions that they're within control may well fail.
And by the time that you discover that it's failed, you're already in the incident. You already have a challenge to overcome. So let's move really into the part of what we do about it and where Rubrik helps. So the baseline level of control required to guarantee business continuity regardless of external jurisdictional interference is minimum viable sovereignty. And I want to stay with that definition for a moment, because it reframes how you approach sovereignty in a way that makes it genuinely practical; if you stick with it, it'll start to make sense shortly. So this isn't really about achieving perfect, absolute control of everything. That is neither practical nor necessary for most organizations. So we have to be clear about this point. It's really about identifying the minimum, the absolute floor below which you cannot drop without compromising your ability to function and recover as an organization. Minimum viable sovereignty links directly to minimum viable business, or important business services, or minimum viable company, however you define it based upon regulation or internal compliance strategic notes. So the minimum viable sovereignty phrase is one that resonates a lot with leaders. It's one that's getting board-level attention and discussion. And control doesn't mean rigidity, by the way. It means having the foundations in place to adapt to your requirements on your timeline rather than being forced to react to circumstances dictated by other timelines, other international tensions, or regulatory changes that could affect your infrastructure providers. So minimum viable is a useful frame here because it's honest.
Different workloads require different levels of sovereign control, and it makes the problem much more accessible, and it turns sovereignty from what I have often thought of as a vague aspiration into an operating model that you can build towards and actually measure over time, because it's in those measurements that we know that we've got effectiveness. So what would be the pillars of minimum viable sovereignty? Well, minimum viable sovereignty, the way I see it, rests on these four. And they map directly onto the four dimensions of control that really do matter in practice. And these are drawn from real sovereignty requirements that I'm hearing, that Rubrik is hearing, from customers across all of the regions: APAC, EMEA, and North and South America. The first is operational control. So what does that mean? Well, that's the authority to determine exactly where and how your data is managed and how it's processed and how it's protected without actually relying on external entities or foreign jurisdictions that could compromise your autonomy. Now this is the foundation. Without this part, every other control is effectively borrowed. The second is jurisdictional control. Now that's where you have the certainty, or you should at least, that your data, your metadata, and all operations remain under your chosen legal framework, eliminating exposure to foreign regulations or government access requests. Now this is precisely where residency ends and the whole sovereignty discussion begins. Now the third is recovery control. That's the assurance that you can actually restore operations on your terms, using your infrastructure or the infrastructure that you pay for service to access, without dependencies on external services that may be unavailable, could be compromised, or subject to geopolitical pressure during an international or national crisis.
Now in my experience, this is the pillar that most organizations discover they're missing when they actually put it to the test. And the fourth one is architectural control, and that's the independence to make technology decisions based solely on your requirements and on your risk tolerance, so free from constraints imposed by vendor ecosystems or hyperscaler dependencies. And this is actually what makes sovereignty very sustainable over time, because as your requirements evolve and the landscape develops, this is where you're going to need that flexibility. So altogether, these four pillars give us, you, the industry, an honest picture of where we are today and actually a real, viable framework for closing the gaps that actually matter to our businesses. Now we talk about minimum viable sovereignty, but what actually needs sovereignty? And I've alluded to it earlier in the webinar. Not everything in your estate needs the same level of sovereign control. And trying to apply maximum sovereignty uniformly is just impractical, and it is wholly unnecessary. What matters is tiering your estate correctly and actually being honest about where each workload actually sits. So let's go into that. So at the top of that framework would be what we would call the crown jewels. So these are your systems, your core data, and the recovery paths where failures will materially damage your enterprise. Complete jurisdictional control would exist here as well, so zero external dependency. Right? Or 100% sovereign. These are nonnegotiable, and the controls around them should reflect that designation without compromise. That's typically where we want sovereignty, within the crown jewels. But, again, not all crown jewel data needs to be truly sovereign in most cases. It all depends on the legal and regulatory framework that you're operating in and what the business expects. But I talked about regulatory. Well, let's talk about that. So, regulatory workloads.
So this is where sector obligations, legal exposure, and public trust requirements raise the control threshold significantly. So 85% self-control, with very limited and well-understood dependency, is where it kind of sits at the moment. The regulated workloads are ones that we do need some level of control over in terms of where the data sits, who controls it, who accesses it, and it needs to have flexibility on where it can recover to in the crisis scenario. And then you've got business-critical systems that sit below that, and this is where continuity matters more than most. But the tolerance for control dependency, that might be slightly different. So here, we'd say 70% sovereign control is a good working benchmark. And then you have general workloads, which sort of round out the estate, really. Standard systems where sovereignty requirements are lower or nonexistent, and you take a more balanced position, which is kind of acceptable. So the question I put to organizations when you're working through this exercise is, have you mapped your estate against this hierarchy? Do you actually know which workloads are your crown jewels, your critical business services systems, your minimum viable company elements? And do the sovereignty controls around them match that designation? And do you need the required levels of sovereignty that you think you need? And if you do think you need them, then why? You've got to trust but verify and question the process as you go. Now in my experience, most organizations know instinctively what their crown jewels are. The challenge is that the controls around them don't often tend to reflect that. So what does good look like in terms of sovereignty? Well, in practice, and this is what Rubrik does deliver for organizations moving towards genuine sovereignty, the first capability is control, and control beyond residency. So all components. Right?
Your data, your metadata, the control plane, operating within your designated boundaries with no foreign dependencies. And this extends to threat detection as well. So Rubrik's sovereign-compatible threat detection capability, including analytics, threat hunting, anomaly detection and identification, and other features, operates entirely within your environment, providing advanced protection across all of the workloads that require it without the sovereignty compromise that comes from sending telemetry to foreign data centers, or data centers that aren't within the jurisdictional control points that you need to have them in. And advanced security and complete jurisdictional control are not a trade-off. You don't have to make that trade. The second capability is immutable recovery. Now immutable backups covering all workloads across on-premises, cloud, and SaaS environments, you might think that's not easy to achieve, but actually it is. And it's one of the core things that Rubrik has been doing for a very long time, because you need immutability that holds even when adversaries gain elevated access to environments. And this really does matter because the threat isn't only from external attackers. Right? You can think about compromised admin accounts, insider threats. These can all operate with elevated privileges, and the architecture needs to hold against those scenarios as well. And the final part is encryption and integrity validation, making sure this is built in throughout that particular phase of usability. Now these reflect what Rubrik's architecture is genuinely designed to deliver today, and designed to deliver without requiring you to rebuild your environment from scratch. Our goal is to meet organizations where they are and provide a practical pathway to sovereignty, not a theoretical one.
So before I get into the detail of this slide, one concern that I hear consistently when organizations explore sovereignty options is the assumption that genuine sovereign control requires massive architectural change. Complete bespoke build, multi-year programs, significant disruption to current operations while we transition to the sovereignty capabilities. That's not true, and it doesn't need to be the case. I'm sure there are some vendors that will tell you that. Rubrik's approach is deliberately designed to challenge that assumption. And the way I frame it to customers is this: organizations shouldn't have to choose between sovereignty, security, and operational efficiency. Modern architecture should deliver all three, and that's how Rubrik Security Cloud Sovereign was built. It's built entirely on that principle, to allow you to adopt the levels of sovereignty control that you need across the workloads you need them in and on. Now at the foundational level, let's talk about this a little bit more technically. Rubrik Security Cloud Sovereign, as a fully managed SaaS offer, provides standard regional data residency controls. A very practical and immediate starting point for organizations beginning their sovereignty journey. Now for elevated control, a partner-operated model would provide a lot more functionality, where you can have more local management, more isolated control planes within jurisdictions, delivering managed services with significantly higher sovereign assurance for highly regulated or highly sensitive workloads.
And for those crown jewel workloads, for those ones that are absolutely critical to the core of your business and that need the highest levels of sovereignty control, so things like highly classified data, national security environments, or situations requiring maximum autonomy, well, you can have your own hosted deployment model, which provides complete physical control of the infrastructure, managed entirely by you or your business. And the reason that we built our sovereignty story around that spectrum was quite intentional, actually, because sovereignty isn't binary. And at Rubrik, we give the ability to apply the right level of sovereign control to each tier of your estate and to be able to adapt that as your estate grows and changes, all without sacrificing the core cyber resilience capabilities that will ultimately protect your business when things go wrong. So to close out, let me leave you with a challenge, and I mean that genuinely. And this isn't a rhetorical motion. It's really a practical prompt. Stop guessing. Start governing. Right? Sovereignty is no longer something that you can reasonably defer to next year's roadmap, to "let's see how the market develops or what's happening in the world." The threat environment is already advancing and hardening here. The geopolitical landscape is significantly unpredictable in the current times and will continue to be like that for the foreseeable future. And even the market data that we discussed as part of this webinar really tells us very clearly that organizations without a sovereignty strategy are already behind the curve, behind their peers, and not in a place the market wants them to be. And not just from a regulatory perspective, but from a consumer perspective as well. And the good news is that this is a problem you can solve.
One, you can begin addressing it with concrete, practical steps; two, it's something that you can take viable actions on; and three, it's one that doesn't require a multi-year transformational program that is going to cost significant expenditure in time to get you to the right posture level. So there are three actions I'd love to leave you with and for you to take away directly from today's webinar. So the first one is: define your minimum viable sovereignty baseline. What is that to you? What controls are required for each workload type in your estate? Look. You can't govern what you haven't defined, so you've got to start with your crown jewels and work outward from there. The second one is: test your recovery assumptions, and not the assumptions in your disaster recovery documentation or legacy business continuity plans. And not the assumptions on a technology platform you may have acquired or built, you know, that's several years old and isn't really a resilient platform. It's just a recovery tool. You've really got to think about the actual assumptions under stress, and those include your restrictions and vendor constraints as well. And I suppose the specific question to ask would be: if my primary provider's access was unavailable for my SaaS tools, my business tools, whatever it is that your business runs on and how it operates, if they were no longer available, what would actually happen? Does resilience work in the way that it needs to work? And the third point here is: audit the dependencies you rely on across your SaaS providers, your vendors, your tool sets, your third-party providers as well. Let's not forget them. Map the control planes, the metadata flows, the management paths; find those hidden dependencies, please, before the regulator or a geopolitical event finds them for you. So to leave you with, really, what to do next: engage with Rubrik for an assessment around this point of sovereignty.
We will provide a genuine, honest assessment of the current posture, where the gaps are, and specifically what architecture you can build to close them across your environment. Now for me personally, if what we've discussed today has resonated and if you're sitting here thinking, "I'm not certain we actually have this right," then that's precisely the conversation that we at Rubrik want to have with you. Do reach out directly, and go to Rubrik's website or to your local teams. We would be only too happy to help you on this journey and to understand much better how to achieve the minimum viable sovereignty you need. Thank you for joining us today. I genuinely appreciate your time, and I really look forward to continuing the conversation with you.
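The third action in the talk, auditing dependencies and mapping control planes, metadata flows and management paths against the tiering described earlier, is the one that can be turned into a repeatable check. What follows is an added example, not part of the webinar and not Rubrik's tooling: a small Python audit run over a constructed inventory. The component list, the scoring rule (the fraction of recovery-path components controlled from the workload's home jurisdiction), the flags, and the sample inventory are all assumptions of this example; only the per-tier percentages come from the talk, and the general tier is given an assumed floor of zero because the talk quotes no number for it.

```python
"""Sovereignty dependency audit.

Added example, not part of the webinar and not Rubrik tooling. The inventory,
the scoring rule and the flags are assumptions of this example; the per-tier
percentages are the working benchmarks quoted in the talk (crown jewels 100%,
regulated 85%, business critical 70%). General workloads get an assumed 0.
"""
from dataclasses import dataclass

# Components of the control/recovery path the talk names. Each is recorded
# with the jurisdiction that can actually compel, administer or cut it off.
COMPONENTS = ("data", "metadata", "keys", "control_plane", "admin_access", "recovery_path")

TIER_FLOOR = {"crown_jewels": 1.00, "regulated": 0.85, "business_critical": 0.70, "general": 0.0}


@dataclass
class Workload:
    name: str
    tier: str
    home: str            # designated jurisdiction, e.g. "DE"
    controls: dict       # component -> controlling jurisdiction

    def sovereign_fraction(self) -> float:
        """Share of path components controlled from the home jurisdiction."""
        inside = sum(1 for c in COMPONENTS if self.controls.get(c) == self.home)
        return inside / len(COMPONENTS)

    def foreign_components(self) -> list:
        """Components controlled from elsewhere, or not mapped at all."""
        return [c for c in COMPONENTS if self.controls.get(c) != self.home]


def audit(workloads):
    """Return {name: (fraction, [findings])} for each workload.

    A missing component counts as foreign: an unmapped dependency is exactly
    the hidden dependency the talk warns about, so it is never given credit.
    """
    report = {}
    for w in workloads:
        if w.tier not in TIER_FLOOR:
            raise ValueError(f"{w.name}: unknown tier {w.tier!r}")
        frac = round(w.sovereign_fraction(), 2)
        floor = TIER_FLOOR[w.tier]
        findings = []
        if frac < floor:
            findings.append(f"sovereign control {frac:.0%} is below the {w.tier} floor of {floor:.0%}")
        unmapped = [c for c in COMPONENTS if c not in w.controls]
        if unmapped:
            findings.append("unmapped components: " + ", ".join(unmapped))
        # A recovery path through a foreign control plane is the 72-hour lockout
        # scenario; flag it for every tier that carries a continuity requirement.
        if w.tier != "general" and w.controls.get("recovery_path") != w.home:
            findings.append("recovery path runs through a foreign control plane")
        # Keys held abroad leave residency "ticked" but the risk unresolved.
        if w.tier in ("crown_jewels", "regulated") and w.controls.get("keys") != w.home:
            findings.append("encryption keys are held outside the home jurisdiction")
        report[w.name] = (frac, findings)
    return report


def _all(jurisdiction):
    return {c: jurisdiction for c in COMPONENTS}


# Constructed sample inventory (hypothetical workloads, not real customers or vendors).
SAMPLE_INVENTORY = [
    Workload("core-ledger", "crown_jewels", "DE", _all("DE")),
    Workload("patient-records", "regulated", "DE",
             {**_all("DE"), "metadata": "US", "keys": "US"}),
    Workload("crm", "business_critical", "DE",
             {**_all("DE"), "control_plane": "US", "admin_access": "US", "recovery_path": "US"}),
    Workload("wiki", "general", "DE",
             {"data": "DE", "metadata": "US", "control_plane": "US",
              "admin_access": "US", "recovery_path": "US"}),   # keys never mapped
]

if __name__ == "__main__":
    for name, (frac, findings) in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {frac:.0%} sovereign control")
        for f in findings:
            print("  -", f)
```

The useful property of a check like this is that it scores an unmapped component as foreign rather than ignoring it, so a workload whose key custody nobody has recorded cannot pass its tier floor by omission; the threshold numbers themselves should be replaced with whatever the organization's own regulatory and business analysis settles on.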