In light of Russia’s invasion of Ukraine, cloud service providers are tightening cybersecurity measures to protect clients who are located in and/or do business with Ukraine and other Eastern European countries—underscoring the significance of sovereign clouds to protect sensitive data managed within a country’s critical technology infrastructure.
Sovereign clouds are clouds that are built and operated in a particular country or region. They serve as an intermediary solution between a federal government and public cloud providers, such as Oracle, AWS, Azure, Google Cloud, etc. A sovereign cloud meets a governing body’s legal and ethical standards of data privacy without sacrificing the dynamic functionality necessary for the global exchange of goods, services, and information.
The concept of a sovereign cloud is not new. For instance, in 2009 the US federal government migrated its data to a cloud that met rigorous security and legal standards. However, as a few key players have since come to dominate the cloud services market, the use and abuse of consumer data has become an increasing concern. Governmental bodies have responded by promoting native cloud infrastructure or forcing major vendors to comply with data laws specific to their country or region.
GAIA-X is a popular example of a regional sovereign cloud that covers the European Union. Germany and Spain have also recently launched country-specific sovereign clouds in partnership with major cloud service vendors.
What Problem Do Sovereign Clouds Solve?
Countries impose data regulations for a variety of reasons, such as national security interests or the protection of citizens’ personal data. Yet the increasing fragmentation of data regulation along nation-state boundaries severely hampers enterprises’ international competitiveness. The growing network of red tape in the international digital economy poses formidable financial hurdles and a legal minefield, especially for multinational enterprises in the banking, healthcare, and insurance industries.
To meet these challenges, sovereign clouds bridge the competing needs of governments and enterprises. They allow countries to maintain data sovereignty and enterprises to stay competitive in an interconnected global digital economy.
What Do Sovereign Clouds Do?
Sovereign clouds continuously protect sensitive data and maintain accessibility controls according to data privacy laws of the jurisdiction (i.e., the country or region) where the data resides and is collected. They offer protection, compliance, and performance to maximize benefits to all parties involved: consumers, enterprises, cloud service providers, and nation states.
Sovereign clouds protect sensitive data, such as credit information, IP addresses, and geolocation data, according to the standards of the place where that data is collected and stored. For example, Germany’s sovereign cloud, created in collaboration with T-Systems and Google Cloud, protects data generated, collected, and stored by businesses that conduct business in Germany, whether those businesses are physically located there or not. The sovereign cloud protects data from bad actors/entities and from third-party data abuse.
However, Germany does share data with trusted nation states, companies, or clouds. For instance, because of the CLOUD Act of 2018, US-based companies are allowed to access data that they manage in Germany.
Who is and isn’t authorized to access data in a sovereign cloud may change as a result of geopolitical conflict, such as the one currently unfolding in Ukraine. The removal of seven Russian banks from the SWIFT bank messaging system is an example of the volatility of the global data economy as a result of sanctions imposed on a country.
Sovereign clouds afford autonomy to both enterprises and countries. They counterbalance the dominance of US-based hyperscalers AWS, Azure, and Google by ensuring that enterprises are not forced to use those providers. Germany’s Open Telekom Cloud is an example of a German-built and operated contender in the public cloud market.
Since cloud data migration is often a cumbersome process, enterprises easily become dependent on one of the major providers. Sovereign clouds enable application portability and independence, so that enterprises may easily switch providers without sacrificing performance or security.
Sovereign clouds also give countries a say in how data is handled within their jurisdiction.
Sovereign clouds guard against changing regulations, such as the 2018 introduction of GDPR in the EU, or against security threats that arise as a result of geopolitical conflict.
Also, as previously noted, sovereign clouds give companies autonomy over which cloud service provider(s) they use. However, with autonomy comes great responsibility. Enterprises are ultimately on the hook for any violations of data protection laws, but sovereign cloud service providers have built-in controls to protect your enterprise against violations. For instance, a sovereign cloud provider conducts regular audits according only to the current regulations of the jurisdiction where your company’s data is collected and stored.
Despite the governmental regulation behind them, sovereign clouds allow companies to conduct their business in the cloud without sacrificing performance. Sovereign clouds are efficient and scalable solutions that enable companies to quickly and securely deploy data to the cloud while remaining compliant.
Who Are Sovereign Clouds For?
Sovereign clouds are for any enterprise that collects, stores, and handles data in multiple countries or regions. They are particularly pertinent to enterprises that operate within certain sectors, such as public utilities, health, insurance, and finance, as these are beholden to special rules, such as HIPAA for US healthcare companies or PCI and EBA for banking. Finally, governmental agencies have used sovereign clouds for several years now to keep confidential data secure in the interest of national security.
Sovereign Clouds Are Here to Stay
In years to come, expect to see international law and the tech industry increasingly overlap. Cloud service providers will entertain more federal contracts to build sovereign clouds that conform to a country’s data protection laws. Also, on a supranational level, countries that share data ethics will enter into agreements that give rise to regional and transcontinental sovereign clouds.
As international governing bodies continue to impose economic sanctions on Russia, we can expect to see data access restrictions meted out to Russia’s private and public entities.