blog
The Sovereign Cloud brief
Cloud computing is a core part of today’s world with more and more organizations moving their critical applications to the cloud. This shift highlights the need to manage and protect data, especially with the growing focus on data privacy.
Take the EU-U.S. Data Privacy Framework, for example. It was created to restore data transfers between the EU and the U.S. after the EU’s top court struck down the Privacy Shield in 2020. It is likely that this framework will also be challenged in court and other countries will continue to adopt more stringent privacy legislation.
In this post, we’ll explore one concept to help organizations understand and determine whether a Sovereign Cloud solution is right for them. We’ll look at what it is, why they Sovereign Cloud’s are needed and their adoption is rising, the requirements to be considered one, their key operational characteristics and benefits, and even how you can extend the concept of sovereignty to your database layer by implementing a Sovereign DBaaS concept on top of your infrastructure.
What the Sovereign Cloud concept is
A Sovereign Cloud is a specialized cloud environment designed to comply with the data laws of specific countries and regions. It ensures that data remains where it is produced, minimizing risks associated with foreign jurisdiction overreach and enhancing trust by making sure sensitive data is under the purview of local law.
VMware popularized the concept in 2021, emphasizing its importance in addressing social and governance values, political challenges, cybersecurity threats, data protection, portability, and control. In short, the increasing complexity of global data privacy laws has shined a light on these solutions’ necessity — let’s explore deeper.
Why Sovereign Clouds are needed
As enterprises have increasingly migrated their applications to public clouds, the cloud itself is increasingly considered critical infrastructure, akin to roads, bridges, etc. Consequently, governments are thinking about what happens to the public and private data stored in the servers forming the “cloud”, and protecting the rights to it.
At the end of the day, sovereignty is a question of control; and in this case, it is a question of who has control over the data they generate. This question is evermore present in today’s increasingly competitive, fractured geopolitical landscape.
Sovereign Cloud solutions help enterprises build customer trust and mitigate these risks by ensuring there are no questions around compliance with the laws and regulations in their operating regions. These solutions protect consumer and organizational data, including personally identifiable information (PII), intellectual property (IP), including the likes of software, trade secrets, and financial information.
Why Sovereign Cloud solution adoption is rising
As regulations tighten, organizations are finding it essential to prioritize data sovereignty and compliance. In Europe, the General Data Protection Regulation (GDPR) has made it clear that firms with European customers using U.S.-based hyperscalers face significant risks due to the U.S. CLOUD Act, which allows U.S. federal law enforcement access to user data collected by U.S. domained cloud service providers, regardless of where their servers are physically located.
This issue, highlighted in multiple Schrems judgements, has pushed many companies to seek alternatives that ensure compliance. But, this is not just an EU block movement — its adoption is further fueled by major technology companies recognizing its strategic importance to national governments and the opportunities that come with. Oracle’s emphasis on national and state government applications underscores the growing demand for sovereign regions. Oracle founder Larry Ellison has pointed out that “pretty much every government” is seeking Sovereign Cloud solutions that will allow them to secure their data within national borders.
At the time of this post, there are 162 national data privacy laws already in place. Even in the U.S., there are quasi-GDPR regulations on the books, starting with the California Consumer Privacy Act (CCPA) in 2018, continuing with 19 additional states enacting similar laws by mid-2024, and likely ending with every state enacting its own; but, it’s not inconceivable the Federal government will enact one.
Then there are national and sector-specific regulations prompting shifts to these providers. For example, Prorenata, a Swedish Healthcare SaaS firm, moved from AWS to a local provider to ensure compliance with national and EU regulations. Jens Alm, founder of Prorenata, emphasized that hosting healthcare data on a U.S. hyperscaler could compromise compliance, a sentiment shared by many of his customers. This trend extends beyond healthcare to sectors like banking, education, and research, where data sovereignty is increasingly seen as non-negotiable.
Sovereign Cloud’s fundamental requirements
To be considered a Sovereign Cloud solution, it must deliver three results:
Data Sovereignty
Data sovereignty ensures that data remains under the jurisdiction of the country or region where it’s created, complying with local laws and providing enhanced protection against cyberattacks and unauthorized access, e.g. even when the infrastructure is managed by a third party, they don’t have access to the data itself.
Operational Sovereignty
Operational sovereignty keeps critical infrastructure for critical applications available, accessible, and migratable, helping enterprises achieve control.
Digital Sovereignty
Digital sovereignty gives organizations control over their digital assets, including data, software, content, and digital infrastructure. It involves governance and transparency, allowing enterprises to manage access and audit their processes. This way, the assets are managed according to enforceable policies, like policy-as-code.
Sovereign Cloud’s key operational characteristics
Sovereign Cloud solutions offer a reliable way for organizations to ensure data sovereignty and compliance through a number of related feature themes, such as:
- Access restrictions: These restrictions limit usage to specific users, software, systems, and services belonging to a particular organization, geographic region, or individuals with specific citizenship or security clearances.
- Organizational control: Defines where the Sovereign Cloud is located – whether in a service provider’s data center or within the customer’s premises.
- Compliance: Ensures adherence to governmental, regulatory, or industry requirements through specific legal, contractual, and business practices.
- Operational support: Cloud service providers must meet high standards for their employees’ security clearances, citizenship, and residency.
- Dedicated network capacity: Ranges from secure VPNs to air-gapped implementations completely isolated from the internet.
- Sophisticated encryption: Employs customer-maintained encryption keys or provider-managed keys that comply with stringent security protocols.
Benefits of Sovereign Cloud
According to Accenture, Sovereign Cloud solutions offer numerous advantages for organizations of all sizes:
- Firstly, control. Companies perceive Sovereign Cloud as a way to maintain tight control over their data, not just within their own ops, but also across their broader network of partners, employees, governments, and other stakeholders.
- Then there’s regulatory compliance. Sovereign Cloud can help organizations navigate and stay on the right side of increasingly tough data protection and privacy regulations, keep their data safe and protect their intellectual property.
- Reputation is another big one. With its strict security requirements, Sovereign Cloud can help companies build customer trust, improve their retention, and serve as a unique value proposition for prospective ones.
- Business leaders are also turning to Sovereign Cloud for the flexibility it offers in combining different cloud providers. This approach allows them to customize solutions that precisely align with their compliance requirements and business objectives for different workloads.
Sovereign Clouds offer significant benefits, but meaningful challenges:
- Control paradox: Cloud service providers still retain some control over the infrastructure. For example, your data stays within national borders but your data management practices and policies could clash with your provider’s.
- Integrability and portability: The lack of standardized protocols can staunch integration with your existing and multi-vendor architectures and migration.
- Increased costs: The specialized infrastructure and strict operational requirements the concept poses are cost drivers.
- Upstack service paucity: The concept’s ecosystem is small and upstack services like DBaaS aren’t guaranteed.
“Sovereign Cloud” solutions from U.S. hyperscalers
While each U.S. cloud provider – AWS, Microsoft Azure, and Google Cloud – now claim to offer solutions tailored for cloud sovereignty, it’s important to note that they are still subject to the US CLOUD Act, the core incongruence with GDPR.
For example, AWS’s investment in a European Sovereign Cloud and Azure’s “Cloud for Sovereignty” solutions are designed to reassure customers about data control and compliance. However, the reality is that these measures still leave data subject to U.S. jurisdictional overreach, undermining the very sovereignty they promise, despite their advanced security features and regional customization options.
At the end of the day, while these initiatives are steps in the right direction, and also demonstrate the market’s demand for sovereign solutions, they do not solve the core issue that underlie the legal challenges like those of the Schrem’s series.
So long as the US CLOUD Act remains unchanged, these efforts do and will not satisfy the strict data sovereignty requirements mandated by regulations like GDPR.
Extending sovereignty across the stack with Sovereign DBaaS
Our Sovereign DBaaS implementation concept builds on the idea of Sovereign Cloud by extending control and compliance to every aspect of the data stack. So now you have enhanced control and security over your infrastructure, but what about the actual databases working with and storing the data? Should you have to sacrifice database orchestration solutions that ensure operational continuity? No.
With such an implementation, you can choose solutions that decouple the orchestration layer from the database, enabling you to assert control over how and where your databases operate through greater access and portability. This ensures that you can satisfy regulations while enjoying the benefits of core services.
One of our solutions, ClusterControl, provides the efficiency, reliability and scale benefits associated with traditional DBaaS for your database operations without sacrificing workload access or locking you into a particular environment. The end result is that you have sovereignty over your infrastructure and database layers.
Wrapping up
Sovereign Cloud solutions offer a strong option for organizations focused on data sovereignty and regulatory compliance. However, it’s important to recognize its limitations. Organizations need to conduct thorough due diligence and strategic planning to ensure that Sovereign Cloud solutions fit their business posture.
By understanding these challenges and finding ways to address them, organizations can make informed decisions while the ecosystem evolves to mitigate them; for instance, Sovereign DBaaS implementation concept and solutions.
The important point to remember is that whatever the categorical label sovereignty is about control, which is a spectrum; and, you will fall on it depending on what your current and future business requirements demand. For instance, you don’t have to choose a certified “this or that” tool or service. There are many tools, services and concepts that you can implement to increase your sovereignty.
Nonetheless, a well-planned data stack strategy that leans more toward operational sovereignty / control is a non-negotiable for your organization to ensure agility, stay compliant and retain customer trust and loyalty in today’s world.
Follow us on LinkedIn and Twitter for more great content in the coming weeks. Stay tuned!
