Brussels – In a move signaling a growing emphasis on data sovereignty within the European Union, the Belgian Federal Public Service (SPF) Mobility and Transport is implementing a new cloud security model designed to ensure greater federal control over sensitive mobility data. The initiative, launched in partnership with Inetum and Microsoft, centers around the use of customer-managed encryption keys, a critical step towards bolstering data protection in an increasingly complex digital landscape.
The SPF Mobility and Transport manages a substantial amount of data across various cloud platforms, including Microsoft Azure and Microsoft 365. Recognizing the need to safeguard this information from external access and maintain compliance with evolving data privacy regulations, the department sought a solution that would allow them to retain control over the encryption keys used to protect their most critical data assets. This concern is part of a broader trend across Europe, as governments and organizations grapple with the implications of relying on third-party cloud providers for essential services. The project aims to establish a framework that can be replicated by other federal services operating in similar cloud environments.
Securing Data with Customer-Managed Keys
At the heart of this new approach lies Azure Managed HSM (Hardware Security Module), a cloud service that enables organizations to generate and manage their own encryption keys. Traditionally, cloud providers manage these keys on behalf of their customers. However, with customer-managed keys, the SPF Mobility and Transport now creates, controls, and maintains its own encryption keys, effectively removing the cloud provider’s ability to access the data without authorization from the Belgian federal government. This shift is a significant departure from conventional cloud security models and represents a proactive step towards achieving true data sovereignty. Inetum, a key partner in the project, specializes in Microsoft Azure solutions and has been instrumental in implementing this new security architecture.
“For us, it was essential to adopt a solution that goes beyond technical security and actually protects our sovereignty,” explained Stijn Fouquaert, ICT Infrastructure manager at SPF Mobility and Transport, in a press statement. “Governments and European organizations need digital services that leave no ambiguity about the control of data, keys, and access rights. This approach proves that federal services can use the public cloud while retaining control of sensitive data.”
The Rise of Cloud Sovereignty in Europe
The SPF Mobility and Transport’s initiative is part of a larger movement towards cloud sovereignty gaining momentum across Europe. Concerns about data privacy, geopolitical risks, and the potential for foreign governments to access sensitive information have fueled the demand for greater control over data stored in the cloud. The European Union has been actively promoting policies aimed at strengthening data protection and fostering a more secure and resilient digital infrastructure. This includes initiatives like the General Data Protection Regulation (GDPR) and the proposed Data Governance Act, which seek to establish a framework for trustworthy data sharing and processing. Recent reports indicate that several other European government agencies are exploring similar approaches to enhance their cloud security posture.
Understanding Azure Managed HSM
Azure Managed HSM provides a fully managed, highly available, and scalable hardware security module service. HSMs are dedicated hardware devices designed to securely store and manage cryptographic keys. By leveraging Azure Managed HSM, the SPF Mobility and Transport benefits from the security and compliance features of a dedicated HSM without the operational overhead of managing the hardware itself. The service is certified to meet various industry standards, including FIPS 140-2 Level 3, ensuring a high level of security and trustworthiness. This allows the Belgian government to meet stringent regulatory requirements and maintain the confidentiality, integrity, and availability of its data.
Implications for Other Federal Services
A key aspect of this project is its scalability and potential for replication across other Belgian federal services. The SPF Mobility and Transport has intentionally developed this configuration as a model that can be shared with other government departments operating in similar cloud environments. This standardized approach will streamline the implementation of cloud security best practices and reduce the risk of fragmentation and inconsistencies. The ability to leverage a common framework will also facilitate collaboration and information sharing between different agencies, enhancing overall security and efficiency.
Inetum’s role extends beyond the initial implementation. The company provides ongoing support and managed services to ensure the continued security and performance of the solution. The collaboration between Inetum and the SPF Mobility and Transport demonstrates a growing trend of public-private partnerships aimed at addressing complex cybersecurity challenges. Microsoft, as a strategic partner, provides the underlying cloud infrastructure and technology expertise necessary to support this initiative.
What are “Customer Managed Keys?”
Customer Managed Keys (CMK) represent a fundamental shift in cloud security responsibility. Instead of relying on the cloud provider to generate and manage encryption keys, CMK allows organizations to maintain complete control over their cryptographic material. This control extends to key generation, storage, rotation, and revocation. By using CMK, organizations can significantly reduce the risk of unauthorized access to their data and ensure compliance with stringent data privacy regulations. The implementation of CMK requires careful planning and execution, as it introduces additional complexity to the key management process. However, the benefits in terms of security and control often outweigh the challenges.
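The control the two preceding sections describe (keys generated inside a tenant-owned HSM, the provider needing the tenant's key to read the data, rotation and revocation in the tenant's hands) is easier to reason about in code. The following is an added example written for this page, not code from SPF Mobility and Transport, Inetum or Microsoft: it models the envelope-encryption pattern behind customer-managed keys with a simulated HSM and a simulated cloud service, both constructed here. A per-object data encryption key (DEK) protects the data; only a wrapped copy of the DEK is stored, wrapped by a key-encryption key (KEK) that never leaves the HSM. Rotating the KEK re-wraps the DEKs without touching the bulk data, and disabling the KEK version leaves the provider with ciphertext it cannot open. HMAC-SHA256 in counter mode stands in for AES-GCM so the script runs with the standard library only; it is a teaching stand-in, not a production cipher.

```python
"""Envelope encryption with a customer-managed key (stdlib-only model).

Added example; the HSM and the cloud service are simulations constructed
for this page. HMAC-SHA256 counter mode is a toy stand-in for AES-GCM.
"""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher)."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[n * 32:(n + 1) * 32], block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything tampered with."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class SimulatedHsm:
    """Tenant-controlled HSM: KEK versions are generated inside and never
    exported; callers only get wrap/unwrap against an enabled version."""

    def __init__(self) -> None:
        self._keys: dict[int, bytes] = {}
        self._enabled: dict[int, bool] = {}
        self.current = 0

    def create_key_version(self) -> int:
        self.current += 1
        self._keys[self.current] = os.urandom(32)  # key material stays inside
        self._enabled[self.current] = True
        return self.current

    def disable(self, version: int) -> None:
        """Revocation: once disabled, nothing can unwrap with this version."""
        self._enabled[version] = False

    def wrap(self, version: int, dek: bytes) -> bytes:
        self._check(version)
        return _seal(self._keys[version], dek)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        self._check(version)
        return _open(self._keys[version], wrapped)

    def _check(self, version: int) -> None:
        if not self._enabled.get(version, False):
            raise PermissionError(f"KEK version {version} is disabled or unknown")


class CloudService:
    """Provider side: stores ciphertext plus the *wrapped* DEK, and must call
    back into the tenant's HSM to read anything."""

    def __init__(self, hsm: SimulatedHsm) -> None:
        self.hsm = hsm
        self.blobs: dict[str, tuple[int, bytes, bytes]] = {}

    def store(self, name: str, plaintext: bytes) -> None:
        dek = os.urandom(32)  # per-object data encryption key, dropped after use
        version = self.hsm.current
        self.blobs[name] = (version, self.hsm.wrap(version, dek), _seal(dek, plaintext))

    def read(self, name: str) -> bytes:
        version, wrapped, ct = self.blobs[name]
        return _open(self.hsm.unwrap(version, wrapped), ct)

    def rotate_to(self, new_version: int) -> int:
        """Re-wrap every DEK under the new KEK version; bulk data is untouched."""
        for name, (old_version, wrapped, ct) in list(self.blobs.items()):
            dek = self.hsm.unwrap(old_version, wrapped)
            self.blobs[name] = (new_version, self.hsm.wrap(new_version, dek), ct)
        return len(self.blobs)


def demo() -> dict:
    """Generate, use, rotate and revoke a KEK; report what the provider can read."""
    hsm, svc = SimulatedHsm(), None
    v1 = hsm.create_key_version()
    svc = CloudService(hsm)
    svc.store("vehicle-register.csv", b"plate,owner\n1-ABC-123,constructed sample\n")
    before = svc.read("vehicle-register.csv")
    v2 = hsm.create_key_version()
    rewrapped = svc.rotate_to(v2)
    hsm.disable(v1)  # retire the old version; data still readable via v2
    after_rotation = svc.read("vehicle-register.csv")
    hsm.disable(v2)  # tenant revokes access entirely
    try:
        svc.read("vehicle-register.csv")
        revoked = False
    except PermissionError:
        revoked = True
    return {"before": before, "after_rotation": after_rotation,
            "rewrapped": rewrapped, "revoked": revoked}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is where the trust boundary sits: `CloudService` never holds a KEK, only wrapped DEKs, so the provider's ability to read data is exactly the tenant's willingness to keep a KEK version enabled. Rotation is cheap because only the small wrapped DEKs are re-encrypted, which is why rotation policies on customer-managed keys do not require re-encrypting stored data.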
The SPF Mobility and Transport’s adoption of customer-managed keys is a significant step towards establishing a more secure and sovereign cloud environment. This initiative sets a precedent for other government agencies and organizations seeking to protect their sensitive data in the cloud. As cloud adoption continues to grow, the demand for robust data sovereignty solutions will only increase, driving further innovation in this critical area of cybersecurity.
The next step for the SPF Mobility and Transport involves ongoing monitoring and refinement of the new security model. Officials have indicated they will be closely evaluating the performance and effectiveness of the solution and making adjustments as needed. Further updates on the project’s progress are expected in the coming months. We encourage readers to share their thoughts and experiences with cloud security in the comments below.