Sovereign clouds are cloud architectures that operate in a particular country or region and meet a governing body’s legal and ethical data privacy standards. A sovereign cloud ensures that all data, including metadata, stays on sovereign soil, preventing other nations from accessing regulated entities.
With most cloud platforms operated by U.S. hyperscalers, companies are concerned about their data being in the hands of these cloud service providers (CSPs). And laws like the Cloud Act (Clarifying Lawful Overseas Use of Data Act), which compels organizations to share their data with U.S. authorities whenever called upon to do so—even if it’s stored in other countries—further exacerbates the situation.
Seeking digital sovereignty, governmental bodies and organizations with mission-critical workloads are adopting sovereign clouds that guarantee data is in compliance with local and privacy laws.
Table of Contents
What is the purpose of a sovereign cloud?
Sovereign clouds were designed to protect official government, public sector, or other regulated data behind a veil of data privacy, blocking its access by other nations or corporations.
Countries impose data regulations for a variety of reasons, out of national security interests or to protect citizens’ personal data. But increasing fragmentation of data regulation along nation-state boundaries has a side effect of severely hampering enterprises’ international competitiveness.
The growing network of red tape in the international digital economy also poses formidable financial hurdles and a legal landmine, especially for multinational enterprises in the banking, healthcare, and insurance industries.
To meet these challenges, sovereign clouds are created to bridge the competing needs of governments and enterprises. They allow countries to maintain data sovereignty and enterprises to stay competitive in an interconnected global digital economy.
Sovereign clouds are built on the three abiding principles:
Under data sovereignty, no unauthorized parties can access customers’ data, including even the employees of the particular cloud where data is stored. Also, users can encrypt their information with local encryption key management.
Operational sovereignty gives complete visibility into cloud operations and provides users with a comprehensive end-to-end view of how their data is being stored and accessed.
Software sovereignty provides assurance to customers that they can run their workloads wherever and whenever they want without being tied to a single CSP. By avoiding dependency, it becomes easier to migrate applications and services onto a different IT infrastructure at any time (including, for example, in-house infrastructure).
Who are sovereign clouds for?
Sovereign clouds are for any enterprise that collects, stores, and handles data in multiple countries or regions. They are particularly pertinent to enterprises that operate within highly regulated sectors, such as public utilities, health, insurance, and finance, which are beholden to special rules, such as HIPAA for U.S. healthcare companies or PCI and EBA for banking.
Finally, governmental agencies have used sovereign clouds for several years now to keep confidential data secure out of national security interests.
According to IDC FutureScape: Worldwide Cloud 2023, by 2024, 40% of G2000 will move 10% of their data to a sovereign cloud to meet data compliance and technical requirements. And by 2025, 55% of them will adopt multicloud data logistics platforms.
What do sovereign clouds do?
Sovereign clouds protect sensitive data and maintain accessibility controls according to relevant data privacy laws of the jurisdiction (i.e., the country or region) where the data resides and is collected.
They offer protection, autonomy, compliance, and performance to maximize benefits to all parties involved: consumers, enterprises, cloud service providers, and nation-states.
Sovereign clouds protect sensitive data, like credit information, IP addresses, and geolocation data, according to the standards where that data is collected and stored.
For example, Germany’s sovereign cloud, created in collaboration with T-Systems and Google Cloud, protects data generated, collected, and stored by organizations conducting business in Germany, whether they are physically located there or not.
However, Germany does share data with trusted nation-states, companies, and clouds. For instance, because of the Cloud Act of 2018, U.S.-based companies are allowed to access data that they manage in Germany.
Who is and isn’t authorized to access data in a sovereign cloud may change as a result of geopolitical conflict, such as the one currently unfolding in Ukraine. The removal of seven Russian banks from the SWIFT bank messaging system is an example of the volatility of the global data economy as a result of sanctions imposed on a country.
Sovereign clouds provide autonomy to both enterprises and countries and give countries a say in how data is handled within their jurisdiction. They counterbalance the dominance of U.S.-based CSPs like AWS, Azure, and Google in the market by ensuring that enterprises are not forced to use those providers.
Since cloud data migration is often cumbersome, enterprises quickly become dependent on one of the major providers. Sovereign clouds enable application portability and independence so enterprises can easily switch providers without sacrificing performance or security.
Germany’s Open Telekom Cloud is an example of a German-built and operated contender in the public cloud market.
Sovereign clouds guard against changing regulations, such as the 2018 introduction of GDPR in the EU or security threats arising from geopolitical conflict.
Also, as previously noted, sovereign clouds give companies autonomy over which CSP(s) they use. Sovereign cloud service providers have built-in controls to protect your enterprise against violations. For instance, a sovereign cloud provider conducts regular audits only according to the current jurisdictional regulations of the location where your company’s data is collected and stored.
In spite of governmental regulation behind sovereign clouds, they allow companies to conduct their business in the cloud without sacrificing performance. Sovereign clouds are efficient and scalable solutions that enable companies to quickly and securely deploy data to the cloud while remaining compliant.
How are sovereign clouds created?
There are a few simple, specific steps your organization can take to implement a sovereign cloud solution. It starts with planning and setting your objectives, then classifying your data, and finally selecting a qualified service provider.
1. Plan a sovereign cloud
Before you choose a sovereign cloud, decide on your sovereignty objectives based on the three pillars of data sovereignty, software sovereignty, and operational sovereignty (see above). Once you do that, you can then start classifying your data.
2. Data classification
Categorize your workloads and data based on their sensitivity level. Then, depending on that, you can apply the necessary security measures to put in place. Also, ensure that the CSP provides end-to-end encryption for your data.
3. Service provider selection
Choose a qualified cloud vendor that adheres to sovereignty requirements, especially data residency, jurisdictional control, data sovereignty, and cross-border movement.
Sovereign cloud providers
In order to meet the data privacy and compliance requirements of their customers, cloud vendors are providing sovereign cloud services that comply with the data privacy laws of different countries and industries. Here are some of the most dependable.
Google Sovereign Cloud
The Google platform provides tools to meet the sovereignty requirements of its customers. For example, for European customers, GCP has developed Assured Workloads that provide a set of stringent security controls and allow governments and highly regulated organizations to achieve compliance.
With Assured Workloads, customers can easily get data residency controls, personnel access controls, real-time monitoring for compliance violations, and automatic enforcement of product deployment locations.
VMware Sovereign Cloud
VMware’s Sovereign Cloud is based on the principles of:
- data sovereignty and jurisdictional control
- data access and integrity
- data security and compliance
- data independence and mobility
VMWare cloud providers that are part of the VMWare Sovereign Cloud initiative are Cloud verified and have the capabilities to deliver multi-tenant hybrid clouds while still adhering to jurisdictional sovereignty and data privacy.
Oracle Sovereign Cloud
To address sovereignty requirements, Oracle Cloud Infrastructure (OCI) offers several deployment models that meet the privacy, data residency, security, and compliance requirements of its customers.
Oracle Sovereign Cloud Regions enable customers to customize their options, including how their data is accessed and stored, as well as how government requests for data are handled.
OCI is also planning to launch Oracle EU Sovereign Cloud later in 2023, with data centers located in Germany and Spain, to help organizations place sensitive data in the cloud that aligns with EU sovereignty requirements.
Sovereign cloud tips for users
Here are some tips for a smooth user experience if your organization is using or considering a sovereign cloud.
- First, you need to decide what you want to achieve with a sovereign cloud. Based on that, you can identify the workloads you want to move to a sovereign cloud.
- Get familiar with the jurisdiction laws under which your sovereign cloud service provider will operate.
- Select a provider based on customer feedback, their track record, data residency guarantees, and compliance with privacy laws in your jurisdiction.
- Do a data protection assessment before moving to the cloud.
- Develop the right migration strategy that deploys your mission-critical and sensitive workloads to the right clouds.
- Work together with your sovereign cloud provider to maximize the sovereignty and security aspect of your data.
Bottom line: Protecting
In years to come, expect to see international law and the tech industry increasingly overlap. Cloud service providers will entertain more federal contracts to build sovereign clouds that conform to a country’s data protection laws. Also, on a supranational level, multiple countries who share data ethics will enter into agreements that give rise to regional and transcontinental sovereign clouds. Working with strong, established sovereign cloud providers will help both enterprises and agencies navigate these increasingly crowded waters.