Achieving Tribal Data Sovereignty in the Microsoft Cloud

Tribal Data Sovereignty, or indigenous data sovereignty, is a fundamental right that empowers Indigenous tribes to control the collection, ownership, and use of data related to their lands, people, and resources. It is vital for maintaining self-determination, cultural integrity, and economic independence.

In today’s tech-driven world, ensuring that Tribal Nations have authority over their data has never been more important. Without respect for data sovereignty, several legal issues could arise:

• Sacred cultural knowledge could be misused or exploited without consent
• Resources might be poorly managed by external entities
• Data could be subpoenaed by jurisdictions that do not recognize tribal sovereignty
• Tribes could lose the ability to enforce their own legal standards

This lack of control could result in significant breaches of confidentiality, loss of cultural heritage, and an inability to uphold tribal laws and governance. Such outcomes would ultimately undermine their self-determination and cultural integrity. Data sovereignty allows tribes to protect sacred cultural knowledge, manage resources effectively, and enforce their own legal standards.

Government vs. Commercial Cloud for Data Sovereignty in Modern Workplace Applications

When it comes to digital tools, careful choices are key to safeguarding sovereignty. For tribes using Microsoft’s cloud products like Microsoft 365, there are two main options: Microsoft Government Community Cloud (GCC) or the Microsoft Commercial Cloud.

“It is important to correct the misconception that systems must be physically located on tribal land to be considered sovereign,” stated Bill Barkovic, Director Specialist Modern Workplace from the Microsoft Tribal team. “This is simply incorrect. Microsoft offers sovereign solutions not only for the U.S., but also for many countries worldwide, including tailored solutions for Native American Tribes. We provide specific guidance to ensure your cloud infrastructure within Microsoft meets the same level of compliance, enabling you to achieve your Tribe’s transformational goals.”

When deciding between the Commercial Cloud and the GCC, it’s essential to understand the distinction and make an informed choice. Many organizations believe that GCC offers an inherent security advantage over the Commercial Cloud. However, the decision to select GCC should be rooted in policy and compliance requirements rather than an increase in data security. Our goal for this article is to clarify the differences, debunk common misconceptions, and help tribal organizations choose the best option based on their specific needs.

The GCC is designed to meet specific U.S. government compliance requirements, including those for tribal governments. More importantly, GCC respects the sovereignty of Tribal Nations by recognizing tribes as distinct nations under U.S. law, allowing for greater alignment with tribal self-governance. It provides data residency within U.S. borders and restricts data access to screened U.S. citizens. On the other hand, the Commercial Cloud also offers strong compliance standards but may not meet certain government-specific requirements. Specifically, the Commercial Cloud offering reserves the right to use data centers outside of the continental U.S., which would be a challenge to sovereignty.

Let’s dive deeper into the three key areas to explore when comparing the GCC to the Commercial Cloud: Compliance, Policy and Security.

The Core Differences: Compliance and Policy

Compliance Standards

The Government Community Cloud (GCC) operates under stringent compliance standards tailored to meet the needs of government agencies, tribal governments, and public-sector organizations. These standards ensure high levels of data security (as found across all Microsoft Cloud Solutions), privacy, and regulatory compliance, so government agencies and tribal governments can confidently leverage cloud technologies. The GCC is designed to handle sensitive government data by maintaining controlled access, compliance boundaries, encrypted storage, and rigorous monitoring.

If your Tribal Nation must adhere to strict government compliance mandates, the GCC might be required. The GCC includes certifications such as

• • FedRAMP (Federal Risk and Authorization Management Program)
  • CJIS (Criminal Justice Information Services)
  • IRS 1075 (Internal Revenue Service Publication 1075)
  • HIPAA (Health Insurance Portability and Accountability Act)

Compliance standards for the Commercial Cloud are designed to meet a broad range of industry regulations, ensuring robust security and flexibility for diverse organizational needs. While it may not include the heightened compliance controls of the GCC, the Commercial Cloud offers scalability, cost efficiency, and access to cutting-edge tools and services. A tribe might consider the Commercial Cloud over the GCC if its regulatory needs align with commercial compliance standards, or if it prioritizes broader service options, faster access to new features/applications, and is not concerned with Tribal Data Sovereignty.

Additionally, the Commercial Cloud is compliant with many standards, however, it may not meet certain government-specific regulatory requirements that the GCC is designed to address. Certifications for the Commercial Cloud include:

• • SOC 1/2/3 (System and Organization Controls)
  • ISO 27001 (International Organization for Standardization)
  • HIPAA
  • GDPR (General Data Protection Regulation)

Policy Considerations

Data residency in the GCC is a cornerstone of its compliance framework, ensuring that sensitive government data is stored and processed within the United States. The GCC also enforces robust access controls, as Microsoft restricts employee/contractor system access to screened U.S. citizens located within the country. By maintaining data residency within U.S. borders and aligning with government-specific standards, the GCC provides a secure, reliable environment for federal, state, local, and tribal governments.

The Commercial Cloud prioritizes flexibility, scalability, and rapid innovation to cater to commercial needs by offering global data center locations. While it does not have the same strict data residency policies as GCC, Microsoft still maintains robust access controls and data protection measures.

If your Tribal Nation’s policies are simply focused on ensuring data protection and secure access, but not Data Sovereignty, the Commercial Cloud may meet the necessary requirements. Tribes can choose the Commercial Cloud if their data sensitivity and residency requirements align with its compliance framework, offering a cost-effective and versatile alternative to government-specific cloud environments.

Tribal Nations must weigh these considerations against their operational needs to achieve both compliance and efficiency.

Security Overview

Choosing GCC does not provide additional security over the Commercial Cloud. Both GCC and Commercial environments employ the same foundational security features, tools, and technologies, such as:

• Data Encryption: Both GCC and Commercial Cloud use the same encryption protocols for data at rest and in transit, ensuring that data is always protected.
• Identity and Access Management: Both environments offer Azure Active Directory, multi-factor authentication (MFA), role-based access control (RBAC), and other identity protection mechanisms.
• Cyber Security Protection: Services like Microsoft Defender (office, endpoint, identity and cloud app), and other security tools such as Microsoft Sentinel SIEM are available and function similarly in both environments.
• Security Monitoring: Both environments benefit from Microsoft’s global threat intelligence network, security monitoring, and automated response capabilities.

Microsoft also offers an advanced tool that supports Tribal Data Sovereignty called Microsoft Purview Customer Lockbox, which gives tribes an extra layer of encryption for exclusive control over their information. With this level of encryption, even Microsoft cannot access or view the data without permission, which ensures data is only accessible by the tribe. Barkovic backs this up, stating, “Some people believe having their own encryption key is enough to protect their data. However, for example, this does not prevent Microsoft’s access to your data, since we access that key to send and receive emails as part of your cloud services. Customer Purview Lockbox is the solution that locks us out. Even in the event of resolving data corruption issues for you, we need your approval first before we can access and resolve.”

Microsoft Azure for Data Sovereignty

Since the advent of cloud computing, Tribal customers have encountered challenges in digital transformation due to the need for controls that meet specific sovereign and regional requirements. Azure addresses these concerns with its Microsoft Cloud for Sovereignty solution stack, designed to resolve digital sovereignty issues through both technological and legal protection layers.

Microsoft Cloud for Sovereignty’s approach to data sovereignty includes:

• Customer control over data access
• Policy controls and software-defined guardrails tailored to national requirements
• Encryption to protect the confidentiality of sensitive data
• Transparency into cloud operations and governance provided by Microsoft

Legal Protections

Your data remains your data. Microsoft documents government data requests in the Law Enforcement Request Report, ensuring protection at both cyber and legal levels.

Technological Protections

Azure safeguards data confidentiality whether at rest, in transit, or in use. Technologies like Key Vault allow customers to manage secrets and access keys independently of Microsoft. This is achieved through templates and sovereign architectures, avoiding complex custom-built scenarios.

Azure Government vs. Azure Commercial for Tribes

Azure Government offers specific compliance offerings, such as DOD IL4-5, and can be restricted to US-only. It is FedRAMP High certified and has built-in security from the start.

“Currently, ~85% of Tribes using Azure are on Azure Commercial,” said Mac Quig, Azure Director for Tribal Nations at Microsoft. “We believe this is primarily due to Azure Commercial’s robust security capabilities and compliance offerings, such as FedRAMP High, as well as the ability to deploy sovereign landing zones and leverage a template approach to maximize the benefits of the cloud.” Some commercial features may never be available in the Government Cloud offerings.

Integration with Microsoft 365 and Business Application Clouds

Microsoft 365 and Business Application Clouds are directly synced with specific Azure clouds out of the box. For instance, M365 GCC maps to Azure Commercial, while M365 GCC High maps to Azure Government. Best practices recommend sticking to the mapped cloud, although workarounds exist to use both.

Making an Informed Decision

When deciding between Microsoft’s Government Community Cloud and the Commercial Cloud, we encourage tribes to focus on compliance and policy requirements, rather than security features.

By carefully evaluating their data sovereignty needs and legal obligations, tribal councils can make an informed decision that ensures their data remains protected, their cultural integrity preserved, and their self-determination upheld.

If you have questions on how the Microsoft Cloud can help you achieve data sovereignty while securing critical information, Arctic IT can help. We have years of experience in guiding tribes on their journey to cloud technology adoption. Connect with us today to get the conversation started.

By Phillip Jackson, Chief Information Officer at Arctic IT