Three imperatives of cloud sovereignty
Setting public institutions on the path to cloud sovereignty by understanding how it can impact cloud adoption
To address geopolitical and regulatory constraints and keep their European market share, US hyperscalers have announced sovereign cloud offerings that ensure compliance with European laws and regulations. Microsoft Cloud is set to announce its ‘boundaries’ for sovereignty “providing an additional layer of policy and auditing capabilities that will address individual public sector and government customer needs.”19
Having made the AWS Digital Sovereignty Pledge, AWS is committed to offering its customers the most advanced set of sovereignty controls and features available in the cloud. Google “unveiled Cloud on Europe’s Terms, an ambitious commitment to delivering a cloud stack that provides the highest levels of digital sovereignty while enabling the next wave of growth and transformation for European organisations.”20 Oracle is also working on a ‘Sovereign Region’ and ‘Gov Region’ concept to comply fully with EU regulations and domestic government requirements.
Organisations’ growing interest in ensuring sovereignty and adopting successful cloud strategies to face the changing needs and expectations of the cloud environment has led us to define three imperatives as critical factors. These factors set public sector institutions on the path to cloud sovereignty by understanding how it can impact cloud adoption.
Imperative 1 – Embrace the cloud sovereignty journey
Cloud sovereignty is a journey rather than a destination and is embraced differently by each organisation to address unique constraints, priorities and requirements. All of these shape the approach to cloud sovereignty. It is essential to recognise that cloud sovereignty is not a one-size-fits-all concept, and different organisations require different levels of control and reliance on cloud services.
While achieving complete sovereignty from external cloud providers may seem desirable, it is often not practical or cost-effective for organisations. Being 100% independent would require significant investments in building and maintaining an extensive on-premises infrastructure and communications, which can be prohibitively expensive. Therefore, balancing control with leveraging the benefits of cloud services provided by trusted partners is fundamental. This is crucial since building these relationships enables public sector organisations to maintain control over their cloud assets and data while leveraging innovation and the specialised expertise and resources these providers offer.
Another factor to consider is operational autonomy. While public institutions may rely on external providers for certain cloud services, maintaining operational autonomy ensures that critical decision-making and control remain in the hands of the organisation itself. This autonomy allows them to shape their cloud strategy, choose appropriate service models, determine data storage locations, and set access controls according to their needs and compliance obligations. By retaining operational autonomy, organisations maintain more control over their digital infrastructure, mitigate vendor lock-in risks and can adapt their cloud strategy as their needs evolve.
Finally, cloud sovereignty alone does not guarantee increased resilience, and it is not solely about technical aspects. It is deeply connected to the concept of digital trust: the ability to ensure that data and applications are handled and protected in a manner that aligns with the organisation’s requirements. Organisations can establish a robust cloud sovereignty ecosystem that fosters data security, regulatory compliance, and long-term resilience by prioritising digital trust, working with trusted partners, and maintaining operational autonomy.
Imperative 2 – Address the regulation gaps and uncertainty
Compliance with regulations doesn’t automatically equate to achieving “optimal sovereignty.” While adhering to regulatory requirements is crucial for organisations, compliance alone does not guarantee full cloud sovereignty. Regulators often lag behind the dynamic cloud market, and their regulations may not encompass all the intricacies and nuances of cloud services. Compliance should be seen as a baseline, while sovereignty requires exceeding minimum requirements to address and manage additional factors during the journey.
Sovereignty extends beyond compliance, particularly in the public sector, where multiple factors apart from regulations come into play. Geopolitical considerations, such as data residency and sovereignty requirements and national security concerns, influence decisions regarding where and how data is stored and processed. Achieving cloud sovereignty in the public sector involves balancing compliance obligations with these broader factors and making strategic choices that align with national interests.
The evolution of cloud computing poses new challenges to regulators. As the cloud landscape expands, with the emergence of artificial intelligence, distributed architectures and edge computing, traditional regulations may struggle to keep pace. Although the EU is leading on regulation globally, European regulators must adapt and manage the multi-cloud and hybrid edge-continuum, ensuring that compliance frameworks can effectively cover the spectrum of cloud services and deployment models as they evolve.
The goal is to establish a seamless and single control plane that streamlines technical compliance across various environments, transcending environment-driven or ad-hoc regulations. Regulators must work collaboratively with industry stakeholders to understand the evolving technological landscape and develop regulatory frameworks that foster innovation while safeguarding data protection, privacy and security.
Summing up, compliance with regulations is a foundational aspect and the starting point of the cloud sovereignty journey, but it does not encompass its fulfilment. Organisations, particularly in the public sector, must consider additional factors such as geopolitics, interoperability and resilience. Regulators face the challenge of adapting regulations to the evolving cloud landscape and managing compliance across diverse environments. By embracing a broader perspective and collaborating to develop actionable regulatory and legal frameworks, stakeholders can navigate the complexities of cloud sovereignty and foster a compliant, resilient and secure cloud ecosystem compatible with digital innovation.
Imperative 3 – Invest strategically to foster control and ownership
This imperative concerns the organisations’ ability to ensure control and ownership over their data and applications hosted in the cloud. Control and ownership are profoundly connected and reinforce each other, encompassing key aspects such as control over critical management systems, devices, intellectual property licensing and protocols.
Control of devices, particularly concerning the semiconductor industry, is one of the critical aspects. This industry is vital in providing the underlying hardware components for devices used in cloud computing environments. Organisations need control over the devices they use to ensure the performance, reliability and security of their operations.
Having control over devices is crucial, but having control over the data itself is equally essential. Public institutions must ensure that they have ownership and control over their data stored in the cloud. This includes accessing, deleting, modifying or transferring the data as required. Data sovereignty is of paramount importance as organisations must control where their data is processed, stored and transmitted to ensure jurisdictional control.
Intellectual property (IP) is another crucial consideration. As organisations embrace new advanced telecommunications technologies (such as 5G or 6G), IP licensing agreements play a significant role in determining control and ownership over proprietary technologies. It is essential to carefully address IP licensing terms to protect an organisation’s intellectual property, maintain control over critical innovations and ensure the sustainability and development of its products or applications for the future.
Public sector organisations can retain control over their technological advancements by securing favourable licensing agreements to establish a competitive advantage and drive further development and innovation in the cloud ecosystem.
Specific data security measures and best practices should protect the data processed in, stored in and transmitted to cloud environments. These include proper encryption standards and Key Management Systems (KMS), which act as key drivers for gaining data control that meets stringent standards. With the increasing importance of data security and privacy, a KMS enables organisations to control and manage the encryption keys used to protect their sensitive data stored in the cloud.
By maintaining control over encryption keys, organisations can enforce strong encryption practices, ensure the confidentiality and integrity of their data and manage key distributions. Additionally, external KMS are a stringent mechanism for managing keys outside the hyperscalers’ environment and for offloading the complexity and responsibility of key management to trusted third-party providers.