A regulatory tide
Today’s multinationals are coming under an onslaught of new rules on data sovereignty and security from a growing number of jurisdictions.
These regulations are creating pressure on them to develop and adopt sovereign cloud strategies: information management structures that hold data originating from one geographical area within that same area, in compliance with local laws, and prevent other nations from accessing it.
Geopolitical considerations are adding to the pressure and companies find themselves having to meet data protection standards for a given country or region even as they strive to make good use of public cloud capabilities across borders and regions.
However, the challenge in developing a sovereign cloud strategy lies in the fact that the volume of sensitive data is growing rapidly while the solutions available to protect it are relatively new. Although rules around sovereign cloud platforms have been put in place over the past few years, many organizations are only beginning to experiment with specific strategies for navigating the thicket of restrictions and requirements.
The end result is expected to look like a multi-cloud strategy, or a hybrid of platforms, some of which are restricted to specific regions or nations; it is this restriction that makes them ‘sovereign’ platforms.
To date, few organizations have come far on this journey toward a sound sovereign cloud strategy.
Why sovereign cloud
Global organizations will need a systematic approach to assess their current use of cloud-based technologies and define the outcomes that matter to them.
Regulators, for their part, will insist on a comprehensive approach to tagging and walling off data that originates in their markets, even though their rules sometimes compete with, and occasionally contradict, one another.
In 2018, the US passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which lets US authorities compel US-based providers to hand over data in their possession, custody or control, especially in criminal investigations, even when that data is stored on foreign soil. The same year, the EU’s General Data Protection Regulation (GDPR) took effect, compelling most organizations that handle the personal data of people in the EU to think about adopting a sovereign cloud policy.
Further, the EU and US have reportedly reached a deal to allow for data transfers between the two markets; the Trans-Atlantic Data Privacy Framework would try to address the EU’s earlier concerns about US government access to transferred personal data, the same concerns that led the Court of Justice of the EU to invalidate the Privacy Shield arrangement in 2020.
What differentiates sovereign cloud from a direct or commercial public cloud?
The key differentiator of a sovereign cloud is a layer of compliance that logically and physically separates the sovereign data: where it and its metadata are stored, who can administer it, and which legal authorities can compel access to it.
At a technology level, sovereign cloud solutions combine out-of-the-box cloud capabilities with strong data security. Because sovereign cloud requirements also cover metadata (access logs, backups, indexes and the like, not just the primary records), each organization will have to carry out a data classification and application assessment to determine whether it is complying with the law. This assessment and classification work requires a region-by-region and nation-by-nation understanding of the rules.
Each sovereign cloud environment is expected to offer all the features of public cloud platforms (agility, security, and automation) while also supporting emerging initiatives and workloads such as Gaia-X in Europe, artificial intelligence, edge computing and blockchain.
But that raises important questions for the C-suite on cloud strategies in general. Even if regulations require firms to adopt sovereign cloud, their leadership must assess whether they have delivered on their cloud strategies as originally envisioned. Sovereign cloud platforms and solutions must align with an organization’s strategic goals and objectives, thereby driving high-level discussions on how to achieve them.
Sovereign cloud framework
How are cloud providers enabling sovereign clouds?
Leading cloud service providers are integrating sovereign clouds into their offerings based on the same technologies that underlie direct or commercial public clouds.
A secure sovereign cloud includes a virtual machine firewall, network security groups and access control lists, isolation of virtual networks, and protection of the cloud infrastructure from distributed denial-of-service (DDoS) attacks. These are the same baseline network controls found in any public cloud; what makes a deployment sovereign is the compliance layer described above, namely where the data and its metadata reside and who is able to administer and access them.
This approach provides security, flexibility, and cost-effectiveness for digital transformation and regulatory compliance. It also provides secure and consistent access to edge locations, on-premises or private cloud, and securely hosted multi-tenant sovereign cloud.
TCS proposes a framework, comprising a set of guidelines and best practices to help organizations assess their readiness for sovereign cloud adoption, develop a sovereign cloud strategy, and implement the solution.
The framework provides a structured approach to sovereign cloud adoption, with four main phases:
Assess: At this stage, organizations need to determine what combination of public and sovereign platforms will work for their business needs. CXOs should examine their use cases to determine the feasibility and fit of any IaaS offering. Risk, privacy, and compliance requirements should also be accounted for at this stage. Finally, it is useful to identify who will be the internal sponsors of specific solutions, and whether they understand the full implications of their choice and the requirements they will need to meet. Since operational and regulatory requirements are closely intertwined, the individuals charged with overseeing the transition will need a good grounding in both.
Plan: In this phase, organizations develop a sovereign cloud strategy that aligns with their business objectives, regulatory compliance requirements, and security standards. This is a critical stage, where potential risks are discovered and, ideally, addressed. Organizations may also move forward with a proof of concept here, deploying their cloud solutions based on risk considerations and then observing how they perform. The goal should be not only to develop a strategy but to confirm that the strategy can actually be implemented.
Migrate: In this phase, organizations move their workloads and data to the chosen sovereign cloud solution, though very few organizations have reached this stage. This is where the controls, decision rights, and other guardrails are critical, because it is the point at which an organization’s most sensitive data (payment information, client information, metadata, and so on) shifts into environments where security is essential. Cleaning up the source environments is equally critical: once regulated data has been migrated, copies left behind in the original systems, in backups, logs and caches, must be removed so that the sovereign platform is the only place where sovereign-specific data is kept.
Manage: By the time an organization reaches this phase, it is operating the sovereign cloud solution, monitoring its performance, and working regularly with regulators to keep them informed and produce compliance reports as required. Cloud geofencing, meaning policy enforcement that restricts where resources can be deployed and where data and its metadata may be stored, replicated or shipped, is applied at this point to keep sovereign data inside its approved boundary; its rules should be audited continuously rather than configured once.
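The classification and residency checks described in the Assess, Migrate and Manage phases can be expressed as an automated audit over a tagged resource inventory. The following is an added illustration, not code from TCS or from any cloud provider: every resource carries a tag naming the jurisdiction its data originates from, and the audit checks that the primary copy, every replica or backup, and the destination of its access logs (the metadata the text mentions) all sit inside the regions approved for that jurisdiction. The jurisdiction-to-region mapping, the resource names and the inventory itself are constructed for the example; unclassified data is deliberately treated as a finding, since placement cannot be judged without knowing where the data came from.

```python
"""Data-residency audit over a tagged resource inventory (constructed example).

Every resource carries a classification tag naming the jurisdiction its data
originates from. The audit checks that the primary copy, every replica or
backup, and the destination of its access logs (metadata) all sit inside the
set of regions approved for that jurisdiction. Unclassified data fails closed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical mapping of jurisdictions to approved cloud regions; the region
# names are illustrative and would come from the organisation's policy register.
ALLOWED_REGIONS: Dict[str, Set[str]] = {
    "EU": {"eu-west-1", "eu-central-1"},
    "IN": {"ap-south-1"},
    "US": {"us-east-1", "us-west-2"},
}


@dataclass
class Resource:
    name: str
    region: str                               # where the primary copy lives
    origin: Optional[str]                     # jurisdiction of origin, e.g. "EU"; None = unclassified
    replica_regions: List[str] = field(default_factory=list)  # cross-region replicas and backups
    log_sink_region: Optional[str] = None     # where access logs / metadata are shipped


def check_resource(res: Resource, policy: Dict[str, Set[str]] = ALLOWED_REGIONS) -> List[str]:
    """Return the residency findings for one resource (an empty list means compliant)."""
    if res.origin is None:
        # Fail closed: placement cannot be judged without knowing the data's origin.
        return [f"{res.name}: unclassified data in {res.region}; classify before placement (fail closed)"]
    allowed = policy.get(res.origin)
    if not allowed:
        return [f"{res.name}: no approved regions defined for jurisdiction {res.origin}"]

    findings: List[str] = []
    if res.region not in allowed:
        findings.append(f"{res.name}: primary copy in {res.region} is outside {res.origin}")
    for region in res.replica_regions:
        if region not in allowed:
            findings.append(f"{res.name}: replica/backup in {region} is outside {res.origin}")
    if res.log_sink_region is not None and res.log_sink_region not in allowed:
        findings.append(f"{res.name}: access logs (metadata) shipped to {res.log_sink_region}, outside {res.origin}")
    return findings


def audit(inventory: List[Resource]) -> Dict[str, List[str]]:
    """Map each non-compliant resource name to its list of findings."""
    report: Dict[str, List[str]] = {}
    for res in inventory:
        findings = check_resource(res)
        if findings:
            report[res.name] = findings
    return report


# Constructed inventory, written to exercise each rule once.
SAMPLE_INVENTORY = [
    Resource("customer-db-eu", "eu-west-1", "EU", ["eu-central-1"], "eu-west-1"),  # compliant
    Resource("orders-eu", "eu-west-1", "EU", ["us-east-1"], "eu-west-1"),         # backup leaves the EU
    Resource("kyc-store-in", "ap-south-1", "IN", [], "eu-west-1"),                 # metadata leaves India
    Resource("legacy-bucket", "us-west-2", None),                                   # never classified
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        for line in findings:
            print(line)
```

Run against the sample inventory, the audit passes the first resource and reports one finding each for the other three: a backup outside the EU, access logs leaving India, and a bucket whose data was never classified. The same function can be fed the output of a real inventory export, provided the export carries the origin classification; without that tag the check has nothing to reason about, which is exactly why the Assess phase puts classification first.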
Revisiting enterprise cloud strategies
Globally, regulators are on the verge of creating policies and legal frameworks to treat data as a national asset.
Multinational organizations can treat this moment not only as a challenge but also as an opportunity to review their cloud adoption and cloud strategies, recalibrate them to meet regulatory realities, and adapt them to their strategic questions and goals.
Thus, the adoption of sovereign cloud will start conversations at many organizations that—if constructed around a clear process—can unleash the full power of existing and future cloud investments.