Advanced authentication, enhanced data security, heightened efficiency and secure scalability are all well-established benefits of PKI. It is widely accepted that a well-tuned PKI environment can be a fundamental foundation across your security estate, acting as a fortress that ensures nothing undesirable gets in so that nothing of value gets out. However, who holds the keys to that fortress is just as crucial as the fortress itself.
Data sovereignty
Data sovereignty refers to the idea that data, such as intellectual property, financial data, personal information or, in the case of PKI, digital certificates and public key encryption information, is collected or stored in a particular geographic location, such as a specific country or the European Union (EU), and should be subject to the laws of that location.
But exactly what happens to our digital assets and data when they leave our sovereign state can be confusing from a legislation and policy perspective. It could be argued that you would need a PhD in geopolitics to untangle the many different and ever-changing data protection and handling regulations of each country that your digital assets may or may not travel through. It does not help that there seem to be different rules for different sectors and many variations of data classification; compounded by the threat of hefty fines, this means that dealing with these challenges can become the proverbial hot potato. On top of this, the very nature of the PKI services we use makes it hard to map our data's journey, which presents further legislative and compliance burdens in itself.
Beyond legislation, policy and fines, there is also the very real threat that your digital assets may end up somewhere where repressive surveillance is the norm and intentions are not always magnanimous. This scenario is bad enough when it is a specific data set that can be contained, but when it is the keys used to protect your encryption estate, the results can be catastrophic.
Building resilience in the PKI Industry
In times of global economic and political turbulence it is important that the PKI industry builds resilience. To do this, we must see beyond sovereignty as simply a jurisdiction issue that can be worked around and take an entirely different approach: one that views sovereignty and security as the same thing, and that understands that complete control over your data and infrastructure is a fundamental requirement, one that enables autonomy and self-determination.
Within the current PKI vendor market, having both sovereignty and self-determination would typically mean an expensive on-premise solution. The alternative is a cloud-based service, which by its very nature guarantees that you sacrifice self-determination; and because only a handful of entities manage root certificates, mainly in the US, it is very probable that you will also sacrifice sovereignty. An uncomfortable truth that is often overlooked is that every PKI certificate chains back to a root certificate, and where that root is located is where your PKI is domiciled.
The Aretiico Vision
At Aretiico our vision is different: we are committed to delivering PKI services that are fit for the challenges of the next 30 years. By championing local sovereignty and self-determination, we are paving the way for a safer, more secure digital future. But that's not all: we also offer a "CA in a box" solution, enabling rapid deployment and accreditation of sovereign CAs in any national or corporate ecosystem. With our comprehensive package of technology, policies, procedures and legal frameworks, organisations can establish their own accredited infrastructures with ease.