Cloud

The Russian invasion underscores the significance of sovereign clouds

April 19, 2022

In years to come, expect to see cloud service providers entertain more federal contracts to build sovereign clouds that conform to a country’s data-protection laws. Also, on a supranational level, multiple countries, who share data ethics, will enter into agreements that give rise to regional and transcontinental sovereign clouds.

The Russian invasion of Ukraine has put significant pressure on cloud service providers. They are tightening cybersecurity measures to protect clients, who are located in or do business with Ukraine and other Eastern European countries – underscoring the significance of sovereign clouds to protect sensitive data managed within a country’s critical technology infrastructure.

The idea behind sovereign cloud is to ensure that the services provided are within the control of the jurisdiction where it is used. This can be achieved in several ways through legal and technical measures as well as physical location. Within Europe, there are already several cloud services that are locally owned and delivered. However, these services find it hard to compete against the level of functionality, provided by the global hyper-scale cloud services and the economies of scale that they enjoy. Therefore, using purely local providers often involves increased costs and or reduced functionality.

Another approach is for state-sponsored projects. However, these have a checkered history when it comes to innovation and, in any case, the richness of the existing hyper-scale cloud services leaves an enormous gap to close. Therefore, quite sensibly, the European GAIAX project does not seek to replace the existing cloud services but rather to increase local control.

Schrems II judgment has crystalized the risks around the privacy of personal data, highlighting the differences in the rules between jurisdictions. The consequences of this judgment are still being played out and can be very disruptive.

The use of cloud services that are owned and operated by providers that are outside the jurisdiction where they are used creates a risk. This is that a provider in another jurisdiction may be legally obliged to obey instructions from their government and that the foreign government is not bound by commercial contracts made by providers with organizations outside of that jurisdiction. This risk is highlighted by the Schrems II judgment.

The European Data Protection Board (EDPB) recommendations identify three points at which the privacy of data can be compromised – during transfer, at rest in storage, and while being processed. The recommendations cover contractual tools, such as including standard data protection clauses (SCCs), binding corporate rules (BCRs), codes of conduct, certification mechanisms, and ad hoc contractual clauses. The EDPB also provided an updated Joint Opinion 1/2021 on standard contractual clauses between controllers and processors.

In addition, the EDPB recommendations require supplementary technical measures and describe three approaches for which example use-cases are provided. These technical steps include encryption, pseudonymization and multi-party computing.

Making a cloud sovereign. The rise of public and multi-cloud and the popularity of the SaaS model make the cloud the focus of data-protection efforts and regulations. Public cloud services are forecast to grow 23.1 percent to USD 332.3 billion in 2021. At the same time, SaaS remains the largest market segment with a projected 2021 size of USD 122.6 billion.

Cloud service providers need to embed data sovereignty throughout their environments to meet customer expectations and regulatory requirements. Three areas of cloud come to mind:

Data sovereignty allows customers to prevent third parties, including the service provider, from accessing their data;
Operational sovereignty means that the cloud providers’ employees and operators cannot compromise your workloads; and
Workload sovereignty or no vendor lock-in. Customers gain assurance that they can run their software wherever they need without dependencies on the service provider’s cloud.

Today, sovereign cloud lacks a definition that is commonly accepted or used in the industry. But fundamentally, it is about data, its ownership, trust, control, national interests, and compliance with regulations. Why?

A sovereign cloud ensures all data including metadata stays on sovereign soil and prevents foreign access to data under all circumstances. It provides a trusted environment for storing and processing data that can never be transferred across borders and must remain under one jurisdiction. Sovereign cloud is really about protecting and unlocking the value of critical data. Sovereign clouds are mature and well-established solutions that are part of the emerging multi-cloud landscape. They also provide all the other core benefits of cloud, such as agility, security, and automation.

In the end, sovereign cloud should be a part of a multi-cloud strategy. It just demands understanding that not all data is the same and that there are differences between clouds. The clouds have a different value proposition, and organizations are poised to use each flavor side by side. Updating the cloud strategy to match the current regulatory maze, and taking sovereign cloud as part of the palette, is on the cards now.

Above all, digital sovereignty is the right of the nations, organizations, and citizens to have control over their digital autonomy and their data. The sovereign cloud infrastructure is the connected highways needed to unlock all the potential of the data-driven economies and promote the innovation of the society through digital technologies. Digital ecosystems need to flourish through collaboration and open access to commonly architected data hubs. The values of openness, trust, and transparency, as well as the inclusiveness deserve to be guaranteed through digital empowerment.

The sovereign cloud is becoming a success factor for digitization. The availability of sovereign clouds will accelerate the implementation of numerous digital initiatives significantly by removing existing compliance hurdles. It works as an all-inclusive solution, combining the technical expectations of the cloud with capacity for innovation and a clear conscience.

Various approaches are being taken on the way to digital sovereignty.

In Europe, alongside the classic approach of in-house operation or the private cloud, public clouds like Google Cloud, Azure, and AWS are currently being equipped with add-on services to ensure compliance. Among other aspects, contract design and the involvement of reliable and experienced managed service partners, who are aware of international legal principles like the European General Data Protection Regulation, as well as German and industry-specific compliance requirements, play an important role in such propositions.

GAIA-X, the European initiative for creating a sovereign data space, is working on a more basic solution for all European companies. The GAIA-X project is setting European standards for the realization of sovereignty by first providing a basic definition of what constitutes a sovereign cloud solution. One of the main requirements is that the cloud is controlled by Europe, for example, because it is built and operated there. An example of this is the Open Telekom Cloud.

The initiative, announced in 2019, is designed to help nurture the growth of homegrown cloud service providers. While it could be viewed as a riposte to the dominance of Chinese and US cloud companies, its backers claim it is not about direct competition, but rather establishing a level playing field. The established US and Chinese cloud players are free to join Gaia-X, if they abide by its rules that are designed to ensure cloud services meet the data protection, security, and other policies outlined by the EU. The EU appears to be taking the plans seriously, and has earmarked part of its USD 750-billion NextGenerationEU Covid-19 recovery fund to support Gaia-X.

While Gaia-X will mostly be built around the existing data center and telecoms infrastructure – already in place or planned – from its 300-plus supporters, there are some plans to establish additional physical sites to support future expansion.

The joint initiative of T-Systems and Google Cloud takes a different approach. With the T-Systems Sovereign Cloud powered by Google Cloud, the partners implement sovereignty as part of an existing hyper-scaler platform. German companies that want to use a sovereign cloud receive a comprehensive package that not only encompasses the digital ecosystem and complete range of Google Cloud services, but also a cloud that complies with European data protection standards. T-Systems ensures that the platform complies with the agreed sovereignty conditions. Companies from regulated industries can, therefore, benefit from the full potential of the public cloud – without exceptions. This is currently a unique approach in Germany.

Thales, the French aerospace and defense company, is joining forces with Google to offer state-approved cloud services to French enterprises and the country’s public sector. The sovereign cloud offering will be operated by a joint company that Thales will be the majority shareholder in. Despite this majority, the partnership between Thales and Google is a clear acknowledgement of US superiority in cloud technology.

The company, planning to be operational by 2023, will provide the entire range of Google Cloud’s offering, although its network and servers will be managed separately from regular Google clients.

Monaco’s government has launched Monaco Cloud, the first sovereign cloud operation in Europe. All of Monaco Cloud’s infrastructures are operated in the principality and are governed by Monegasque law, guaranteeing high availability of services even in the event of a disaster.

Austria and Switzerland were also being considered for similar upcoming projects.

Singapore’s Home Team Science and Technology Agency (HTX) has called on Microsoft to develop its sovereign cloud. The agency promotes technological adoption across Singapore’s Home Team departments, which are responsible for national security, policing, civil defense, and immigration.

HTX expects the project will accelerate digital transformation and allow domestic services, such as the police to deliver improved safety and security to all Singaporean citizens.

Using Microsoft Azure’s platform, the sovereign cloud will provide HTX with on-demand high-performance cloud and data storage resources. Coupled with high-speed connectivity and advanced analytics, the cloud’s capabilities will provide officers with real-time data to enable swifter incident response and decision-making.

Microsoft will also provide additional training and educational opportunities as part of the agreement, including 600 training places, along with exam certificates to be made annually to the organization.

In India, NxtGen Sovereign Cloud is purpose-built for government agencies that store their internal data and information on citizens used to deliver services. Completely isolated from other cloud platforms, it is designed to comply with the requirements mandated by India’s Ministry of Electronics and Information Technology and the Computer Emergency Response Team.

NxtGen Sovereign Cloud is purpose-built for government agencies that store their internal data and information on citizens used to deliver services. Completely isolated from other cloud platforms, it is designed to comply with the requirements mandated by India’s Ministry of Electronics and Information Technology and the Computer Emergency Response Team (or CERT, the agency within the ministry that oversees cyber security).

Network access is tightly restricted and regulated by many physical security controls, security clearances, firewalls, and other barriers. However, all are offered as a service that does not burden customers with the management tasks, associated with ownership and upkeep. Significantly, data is protected by military-grade encryption while at rest and in transit. Workloads are also isolated and hosted on dedicated clusters and segregated at the computing, network, and storage layer to ensure the sovereignty of customers’ data.

“NxtGen Sovereign Cloud keeps all customer data, metadata, and escalation data on India’s sovereign soil at all times in an ironclad environment,” says AS Rajgopal, CEO and MD, NxtGen Datacenter and Cloud Technologies. He also said, “That is in stark contrast to many providers, who even if they keep data in-country, cannot ensure that metadata is kept there or that service-related tasks do not occur across borders. That is one of the many reasons that it is crucially important for our government agencies in India to have a partner like NxtGen that offers a truly sovereign cloud.” Rajgopal notes, though, that it is about far more than protecting the data of agencies and citizens, although that, of course, is paramount.

“Our government customers want to know that our cloud will enable them to address growing and rapidly changing data privacy laws,” he says. “But they also want to innovate with their data. They want access to modern technologies, including microservices and distributed analytics capabilities, and they want to use the innovative and trusted technologies that VMware is known for. That is why the VMware Sovereign Cloud distinction is so valuable. It lets organizations know that they can comply with the most demanding sovereignty rules while simultaneously innovating.”

After years of globalization, supply-chain issues, disruption and the global health crisis, companies are moving away from global integration and becoming more insular. Countries have recognized the enormous value attached to digital data and are looking to establish sovereignty over their citizens’ data within their boundaries.

The sovereign cloud, like the cloud service providers, will have to balance the accelerated demand for digital services with the need to ensure that infrastructure is built and operated in a sustainable way that meets climate goals. Ultimately, as the emergence of sovereign clouds demonstrates, the relationship between the disruptor and the disrupted is not one-way, but bi-directional. Cloud services are reshaping the technology landscape, but in doing so are also being reshaped themselves. What shape that will ultimately take is hard to say!