0:00:01.7 Max Havey: Hello and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today we're talking about data sovereignty with our guest Michael Dickerson. Michael is CEO for TSC Global, as well as CEO and founder of Dickerson Digital, an indigenous IT provider focused on launching and securing one of Australia's first indigenous sovereign clouds. Michael, welcome to the podcast.
0:00:29.9 Michael Dickerson: Thanks, Max. Pleasure to be here.
0:00:33.5 Max Havey: Absolutely. So just to kick things off here, can you take us through what exactly data sovereignty is?
0:00:39.0 Michael Dickerson: It's an interesting term. I think a lot of public cloud vendors tend to blur the lines on what data sovereignty is. Functionally, data sovereignty means that data is controlled and managed under the laws and legislations of the land that it exist in, which is opposed to I think data residency, which is what a lot of public cloud providers like to use as a term for data sovereignty. What that means is, generally with public clouds, the data legislation is normally aligned to the US government and US standards. So when you're coming to places like Australia and servicing indigenous content and indigenous data, it's really important to know where that data lives, who owns that data, and who controls the cultural significance of that data.
0:01:15.6 Max Havey: Well, and with the rise of lots of different sort of data legislation, things like your GDPRs in the EU and such, that has to be another wrinkle in all of that as well.
0:01:23.8 Michael Dickerson: 100%. And how people store and manage that data is critical to obviously self-determination, driving outcomes from poverty, and understanding that is a driving force of the way that indigenous people can take control of their own destinies as they move forward. Data is obviously the largest consumer of anything in the world at the moment as we look. And I think the new terminology is really data is the new oil. I believe that's being seen quite a fair bit.
0:01:49.3 Max Havey: Well, And so could you take us through, I know you mentioned a little bit in your previous answer, but can you tell us a bit about how data sovereignty differs from data residency and sort of are there specific sort of minute differences there that people should keep in mind?
0:02:02.6 Michael Dickerson: Yes. Generally it comes down to who actually owns and builds those clouds. So generally a company has to be within a country owned and managed by a citizen or a service of that country, meaning that the company itself is established and under only the jurisdiction and the laws of that country. Why is that important when you start to look at things like national security means how you're storing and managing citizen data from health infrastructure through to personal identifying information around financial institutions and items that are critical to maintaining citizens' engagement and services with government. How do they manage and maintain that data to a standard that means that it's only gonna be operated and controlled by the government of that land? Whereas data residency is more about where data is located rather than controlled. So data residency means that generally speaking, it's stored where possible in your country.
0:02:52.7 Michael Dickerson: Now, if you have a look, I think there's a lot of legislative changes and items going through with public cloud providers in the UK at the moment around things like Microsoft Cloud and other public cloud providers around where they store and manage things like Office 365 or Google Docs or those items that it's actually no guarantee is given that it will maintain and be stored in country. So generally, when you look at the differences between residency and sovereignty, sovereignty guarantees that data will always remain within the country. Residency means that its best effort to stay within country, whereas they generally will never give a guarantee around the location of said data.
0:03:33.2 Max Havey: I like that sort of sovereignty is sort of the guarantee versus residency is just the best place it could potentially be.
0:03:38.8 Michael Dickerson: Yes, 100%.
0:03:39.2 Max Havey: Now that we sort of have that context in mind here, can you tell me a bit about the project that Dickerson Digital is taking on in building an indigenous sovereign cloud in Australia? Can you tell me about what that entails and how that came about?
0:03:50.9 Michael Dickerson: Definitely. So there's a lot of items that led to that process around not just data sovereignty from a security standpoint, from a government standpoint, and how we manage and store that identifying information, but when we start to look at the cultural change that's going through with self-determination, really being driven by indigenous populations around how do we manage and maintain engagement to governments, but also maintain control of those cultural assets. If we start to look at Australia having the longest living culture on earth, uninterrupted about 65,000 years of continuous culture, you have a huge amount of data that exists and information around culture, artwork, services, traditional values and infrastructure. Now, when you have items such as legislation that exist in other countries like cloud services acts and patriot acts and identifying information around what means for data storage and what that means to how people can access and who owns that data, should it be deemed necessary to control that, it's now becoming reflective on indigenous populations to understand where that data lives for self-determination.
0:04:56.7 Michael Dickerson: And we keep coming back to that self-determination. Is that the way to drive information out outbound generally, we've had companies come in and do surveys, locational analysis on items, and then charge indigenous populations to access that data. So the data doesn't belong to them even though it's about them. So what we're trying to shift and change is the view that indigenous people should hold their own data. They should control their own destiny, verify their own information, and monetize that information, not be monetized upon. It's a strategic shift, I would believe in the way that people are trying to engage indigenous populations. It's also a way to take people, when I keep referencing back out of poverty, if you are always being used as a resource rather than the resources gaining monetary outcomes, you're always gonna be on the receiving end of requirements to have government interventions or government engagement.
0:05:46.8 Michael Dickerson: So how do we move away from that is by giving back control of these data and these data assets, monetizing those assets for community to be able to drive wealth and engagement for their local populations and services as they try to move forward into modern society. So bridging that gap, which is a big thing around what indigenous sovereign cloud infrastructure in Australia was sort of came about. There's a huge movement that's being led out of Australia and New Zealand around indigenous data sovereignty. It's being run by Maori and aboriginal groups, and it's been a driving force since about 2017. But technically all we've been doing is going through I guess philosophical viewpoints about how we do data sovereignty. It's always been a view of let's create a study, let's analyze what that looks like. Let's go to traditional players. We've always had external sources coming to us saying, this is how you should work and this is how you should review your information, rather than engaging the local populations on how they want to do things. I think that's the paradigm shift that we're trying to force or trying to push through, is that that take on allowing people to control their own destiny. And I don't believe it's just an indigenous perspective that will lead this. I think it's a global perspective that needs to be led from within countries to how do they take control of their own citizens' information.
0:07:09.7 Max Havey: Absolutely. So especially for like an indigenous perspective, it's moving beyond a place of feeling exploited and moving that into a way that it's beneficial in helping communities grow with that data and use that for good, for lack of a better term there.
0:07:22.4 Michael Dickerson: Definitely. And self-fulfilling too. Being able to drive your own destiny instead of having your destiny in other people's hands.
0:07:29.6 Max Havey: Absolutely. And so as you and others that are in this movement are kind of taking this out of just philosophical conversation, what does it entail to make something like this a reality?
0:07:39.3 Michael Dickerson: A lot of goodwill from a lot of friends. I joke about that, but we've had some fantastic inputs from public cloud providers, believe it or not who are also have this effect that there needs to be a happy medium between those. And we've had great inputs from the likes of Microsoft and some other, the other cloud providers like and service providers like Netskope and a few of the other ones that have really lent in to say, how do we ensure that we can be part of the journey whilst not trying to be part of the exploitation? And I think there's a lot of movement around from the public cloud providers to also assist in that process, but it takes a lot of hard work. I guess I would suggest that a lot of capital will as well. So we've been able to self-fund the entire process.
0:08:23.4 Michael Dickerson: So we haven't had government engagement, which has been an interesting process to go through, which I think a lot of these processes are. Then we've also had a lot of engagement from industry experts in assisting us in what these goals would meet from not only an indigenous perspective, but how do you take on national standards and national security measures to set a new standard around the way that data sovereignty should be held. Some cloud providers are trying to determine a new definition for the term data sovereignty when they can't actually be sovereign.
0:08:53.2 Max Havey: Speaking about Australia specifically, are there specific national standards around data security that you need to keep in mind when it comes to building a sovereign cloud like this?
0:09:03.4 Michael Dickerson: Yes, and I think they're being adopted quite often, but there are definitely standards that have come out around what data should be deemed national standards and national security. I think there seems to be a big push on how do we define that information correctly, which is a fantastic concept and I know a lot of countries are not quite at that point yet, and they're looking to start that process. But Australia's been looking at this for quite a number of years. The only issue is the practical application, and that's always been the difference between a philosophical viewpoint about how we should be doing things and then practically taking steps to do them. It's always seen as well as a cost inhibitor to drive the difference between a public cloud version as well as a start a sovereign version of cloud infrastructure.
0:09:48.0 Michael Dickerson: And I believe that there's a happy medium around how do we maximize the potential of public cloud anonymizing data sets, managing information that goes so pairing public cloud with sovereign cloud to work as an intuitive cloud as a single cloud platform, which we've been able to establish and work with Microsoft on doing. Bring that best of public cloud, but anonymized data sets through AI driven adoption and information that can be driven at big data assets, but allowing you to maintain your information in a secure, sovereign manner. That means you're getting roughly about 80, 85% of what a public cloud can give you, but you still need to leverage scalability for certain items. And so there needs to be a happy medium around what sovereign information is required to be stored versus what we need to sort of enhance the entire process of community.
0:10:42.2 Max Havey: Well, and talking about that sort of balance and keeping those multiple thoughts in line around public cloud and sovereign cloud, how do you balance the need to partner with foreign vendors and service providers when it comes to building a project like this?
0:10:56.9 Michael Dickerson: Well, I think the honest truth is we don't manufacture a lot of things in Australia anymore. I think we're not the only country, but working with foreign vendors has allowed us to have the breadth and scale, especially with some of the US companies that have lent in to the process. Having that ability to work with people who have done this at scale and implemented national standards across many different countries has sort of allowed us to have a broader experience around when we're deploying and managing a sovereign piece of infrastructure rather than trying to build something bespoke. How do we work with those vendors to build something that meets the requirements of what our indigenous populations or our national standards need to be or be applied to, whilst also functioning inside of that scalable solution. So where a lot of that hard work has been delivered by these massive global companies, but they also realize that they need to work with local companies to establish true social outcomes and citizen engagement.
0:11:56.2 Michael Dickerson: And that's been a happy medium for us is that we've led the change. So it hasn't been led by those, I guess, those large vendors. We've defined what our requirements were, we defined what the standards needed to be met, and then we worked with our engineering teams and the engineering teams of those vendors to say, how does it all align properly to what these standards mean? And then what are we functionally trying to give back to community as part of the process? So once we stand up this sovereign cloud into a certain scalable solutions, that's where the planning came in. How do we stand that up to a certain scalable solution and then work with local communities to have access to that? Because a lot of the inability for startups or indigenous groups across Australia is being access to capital. It's been a number one issue.
0:12:43.3 Michael Dickerson: How do they get access to compute infrastructure and services that sit across those boundaries? So there seems to be a lot of issues around paying for cloud services, paying for infrastructure services, capital to start to invest from understanding how to secure that data, manage that data. The shared security models that public clouds offer is a real big risk for a lot of indigenous populations. I don't believe that they understand what that shared security model actually means. And I think there's this gray area that exists, which also opens up for exploitation. And I don't mean from a public cloud provider all that, but we're talking about external actors. We're talking about people looking to monetize information as it goes. And so we're not just talking national or state-based actors, we're talking about criminal enterprises and services that come through, which is why the security standards that marry up to a sovereign cloud is imperative.
0:13:40.0 Michael Dickerson: So we take away that guesswork in a sovereign cloud. So we take away that information, we take away those feature sets and we say, this is what a secure sovereign cloud looks like. We utilize a lot of the public cloud standards as well as the sovereign cloud infrastructure standards that would develop people like VMware have developed these standards and then applying them to what we are building. So no standard is perfect, we'll be honest, but it gives us a foundation to work with our partners, especially in a security world which allow us to maintain that access. How do we control real time information feeds that come back and forth? And when we're working with those smaller organizations around sovereign pieces of infrastructure, what does that mean from a standup perspective and how do we engage them properly to make them at least understand what that exposure is and then how they can mitigate that risk? Because you're never gonna completely remove a risk in cybersecurity. It's more about mitigating that risk and understanding. So visibility is the key. How do we analyze and get visible information real time to make real world decisions?
0:14:45.8 Max Havey: For sure. The kind of thing that feels like good cyber hygiene comes in handy for a situation like this, teaching folks to have good cyber hygiene alongside helping build this cloud, they go together hand in hand.
0:14:58.4 Michael Dickerson: Definitely. And I think that's the fundamental issue with startups, I guess across the world. We look to scale at speed rather than looking from a secure standpoint. In Australia, I think it's 87% of all businesses are considered SME. So when you have such a large population of SME businesses or engagement businesses and only very small amount of large corporates, we tend to require all of our businesses to have a standard of a corporate with a budget of an SME. So how do we marry that happy medium, work with our vendors to do things at consumption based services instead of at scale? So it moves to things like SaaS based platforms and infrastructure. They've always been seen as a great point. But when you start to look at sovereign cloud infrastructure versus public cloud, you actually own your own network into these clouds. You're not having things like egress costs and service costs and restoration costs, though this is your cloud. So there's a lot better security around what that pricing is gonna look like longer term instead of what you could classify as bill shop.
0:16:01.8 Max Havey: Definitely. And it's the kind of security that sort of drives that point home to just how important that data is. And I was talking to friends of mine who are kind of flip about what data of theirs is out in the world and in a point where you're talking about data being exploited and everything that can be considered data for like indigenous folks in Australia. It's so many different things that you want to be protective of, that you want to have good cyber hygiene around it.
0:16:23.2 Michael Dickerson: Yeah, definitely. And managing that cultural data's critical. We look at the way that cultural practices have lived across different nations, but across Australia with 65,000 years of history, there's a huge amount of traditional knowledge and services that needs to be protected. How do we manage that traditional knowledge? But how do we give that power back to the communities and the national groups that live across the different nations? 'Cause we are, as an aboriginal group, many different nations that make up Australia. So how do you then work inside with those cultural practices? It's also something that has to come from within the change from within, we call it. So it has to be led from within, adopted from within, and then moved to that next level of engagement with government as well as these other external vendors. We've been able to bridge that because having worked in the industry for 25 plus years, most of our people we've had that experience of big vendor engagement, big service engagement.
0:17:21.6 Michael Dickerson: Working with governments around some less than secure platforms, I think can be pretty seen by the amount of data breaches that we have that lacks adoption of security and security as you would say and mentioned before security hygiene. It's not always been the best practice of parties to maintain and manage that data. And so that's where we fundamentally started when we wanted to talk about in building an indigenous sovereign cloud. What does that mean from an indigenous standpoint, having indigenous participation in design, having indigenous participation in management, not just looking and sticking a badge on it, but actually having a pathway for the next generation as well to come in to being able to have the same exposure to the same public cloud or the same security vendors and the same global monolith that we've had exposure to through our time working in IT.
0:18:13.1 Max Havey: In a similar vein here, beyond just the issue that you pointed out around cybersecurity hygiene, what are some other challenges that come with a project like this beyond security? What is the biggest challenge that you're facing in a project like this?
0:18:27.5 Michael Dickerson: Public perception. Yeah. If that makes sense. It's mostly around the way that indigenous people are perceived to exist within modern engagement. We tend to utilize the term tokenistic engagement rather than meaningful. What does that mean? Is that skepticism has always been found when you're talking about indigenous deploying or managing high end secure or infrastructure based services. There's a lot of comments that are made around trusting indigenous parties with this sort of information and services. So it's more around perception and driving that public perception differently. I think it's also the traditional ways that people have purchased these services looking at long-winded panel arrangements or engagement arrangements that tend to restrict adoption of new services and platforms. So if we look at the traditional way that IT has been engaged, and I'm speaking specifically about Australia, pushing everybody to operate through panel arrangements that don't really adopt or change in a fast manner 'cause Government doesn't move. I guess the adoption life cycle of a lot of government if we talk secure government, we tend to have 10 year life cycles on projects.
0:19:41.6 Michael Dickerson: And if we have a 10 year lifecycle on a project in IT even when Moore's law was actually true, that was a two year lifecycle. So now I believe they're saying that data and information is changing less than every six months. So if we have 10 year lifecycles in engagement, how are we gonna be able to meet the changing lifecycle and speed at need? Adversaries are acting at this speed, so they're acting and moving at this speed where we tend to have these long-winded government engagement life cycles, these long-winded corporate lifecycle engagements. We run 18 month, two year tender processes that most people don't even understand any longer why they're tendering for something. I'm sure I'm not the first person that's probably complained about this to you, but it tends to be the way that bureaucracy goes around engaging modern technology and services. How does that mean? It's never about the technology supported, which is why we're fortunate to have the support of those global vendors. So the technology is proven technology, it's all about perception about purchasing and moving forward with indigenous engagement and how do we manage and maintain that services.
0:20:48.3 Max Havey: Absolutely. And with that in mind, are there other parts of the world where this kind of data sovereignty is also becoming a trend? Are anywhere else you're seeing similar approaches to data sovereignty, like what you're doing in Australia?
0:21:02.0 Michael Dickerson: Yeah. So we're actually working, there's a global shift happening. So New Zealand is working pretty heavily with that from a Maori perspective, although they're having some dramas with some of the Maori treaty based services at the moment. But they are definitely working towards the data sovereignty and they've been working with aboriginal groups since about 2017 around this. We're driving a lot of this change with our partners in Africa. So we're working quite extensively across different African countries where we're working with in-country participants to how do we define with those guys the means for national and data security and data sovereignty. We're working in central Asian countries around the same piece of information already. So we have projects underway where we're consulting and engaging on this approach in I think four different countries today. And we're working across six to 10 different exposure worlds in different countries, not necessarily at a national level, but sometimes in state-based levels as well around how do they manage data.
0:22:00.3 Michael Dickerson: So when you get into different countries, they have obviously different cultural groups and services that don't align to national borders. That's why we're always hesitant to say that's always being led at a national level because if you start to look at groups within Africa, the massiah, nomadic people, how does that mean data information and security for those groups? It actually possesses an interesting question around sovereignty and what does that mean from a... Is it a national level or is it done at an indigenous level? So we have that problem as well that we're addressing with these different groups. And it has been a fantastic journey and most of the cultures we've engaged with have been very forward leaning around what that means and working with our security vendors, our cloud vendors and service vendors have also supported that journey and saying, how do we also lean into what that process looks like in these regions? Most of these regions have had external influence through government engagements and services that haven't always fostered great engagement with its citizens. Hopefully I'm being politically correct in some of that. I have no doubt you're probably...
0:23:02.2 Max Havey: No. That sounds about right. It seems like a thing that can be kind of heated, intense depending on where you are in the world. Yeah.
0:23:07.7 Michael Dickerson: And definitely, and coming at it from an indigenous led approach, which we've done from Australia, we're sort of seeing as having gone through similar issues in the past. So we have sort of a kinship around what that means for our own destinies, our own leadership and how do we engage across a global marketplace but with reference back to national standards. And I believe that's a shift not just happening in the indigenous space, it's a shift happening on a global basis. So taking back our data, taking back our information, and then making that useful to our citizens has gotta be the leading case of what this needs to be for on a global basis.
0:23:44.8 Max Havey: For sure. These sorts of projects are a rising tide that kind of raises a lot of different ships and has potential in places as you're noting far beyond Australia and just New Zealand. It's something that seems to be part of a larger growing cultural wave.
0:23:58.1 Michael Dickerson: Definitely. And we'll be announcing soon some different sectors that we've been working in a different country. So yes, you can watch this space, but there will definitely be more announcements in the next few weeks.
0:24:09.0 Max Havey: Very exciting. Well, Michael, coming up to the end of my questions here. What lessons can others around the world learn from this sovereign cloud project that you've been working on?
0:24:20.2 Michael Dickerson: The fundamental lesson, I believe, is that data should belong to the citizens that it's being kept on rather than at the whim of large corporates or services. Data is a most important factor of any person. Your own information, your own identity. It's your own sort of control of that information that should be monetized for you, not monetized by other parties. And I think we've seen exposure to this through hacks and services that existed in large corporations that don't necessarily take the standards of security on your own personal information to the standards that you would actually have around your own home. So we make sure our doors are locked, we make sure our windows are locked, we have security, I guess security alarms on our premises, but we're allowing our information to be stored in God knows where and controlled by what standards. And most of these standards are controlled across 900 pages of terms and conditions that effectively state that they don't have any responsibility for the security of your own data. So I think that's probably the biggest lesson is that how do you take back control? And I think nations are starting to look at this on a global basis. How do we gain our own information back, control and monetize the information on ourselves instead of having our information exploited or used by third parties?
0:25:41.1 Max Havey: Absolutely. Well, Michael, I think that does it for questions that I have here. Is there anything further that you'd like to add that we haven't covered off on here yet?
0:25:46.0 Michael Dickerson: I think I've covered off a lot and I think I've lectured a lot too, to be honest.
0:25:51.7 Max Havey: Oh no, man. It's super interesting. I mean, coming from an American perspective, it's always interesting to hear about how folks around the world are operating when it comes to data security and creating sovereign clouds like this. So it's truly so interesting on my end.
0:26:05.8 Michael Dickerson: I think you guys are fortunate because all the cloud vendors are American, so by definition they are sovereign.
0:26:12.5 Max Havey: This is true.
0:26:13.6 Michael Dickerson: So we're fortunate that that's the case, I guess, in America, and I think you guys have a growing tide of it as well from a national perspective of how do we start to maintain our own information and control that. So that's a fantastic, fantastic exposure.
0:26:28.9 Max Havey: Absolutely. Well, Michael, thank you so much for joining us today. This is a great conversation and I really hope everybody else found this as interesting as I did. So thank you so much for coming by.
0:26:36.8 Michael Dickerson: Thanks Max, and thanks for Tony for having me.
0:26:41.2 Max Havey: Absolutely. And you've been listening to the Security Visionaries podcast. I've been your host, Max Havey. And if you enjoyed this episode, share it with a friend and subscribe to Security visionaries on your favorite podcasting platform of choice. There you can listen to our back catalog of episodes and keep an eye out for new ones dropping every month, hosted either by me or my co-host, the wonderful Emily Wearmouth. And with that, we will catch you on the next one.
Why Netskope 
){kind=icon}
