In this episode we explore the critical concept of data sovereignty with guest Antoine Coetsier, Co-founder and COO of Exoscale. The conversation dives into the significance of data sovereignty, especially in an era where digital infrastructure is increasingly considered critical to society, democracy, and the economy. Antoine and Vinay discuss how regulations are evolving, prompting organizations to reconsider their data strategies.

Antoine highlights the need for enterprises to prioritize data control, ensuring they can maintain ownership and accessibility across diverse cloud platforms. As data sovereignty gains importance, businesses must navigate the complexities of data management, architecture, and compliance to ensure they are well-prepared for the evolving regulatory landscape.

In summary, this episode provides valuable insights into the evolving landscape of data sovereignty and the critical role it plays in ensuring data autonomy and security, while keeping in mind the importance of technology and contractual decisions to safeguard an organization’s valuable assets in an increasingly digital world.

Key Insights

⚡The Rising Importance of Data Sovereignty

Data sovereignty is a significant and evolving concept in the tech industry. As data becomes increasingly critical to society, democracy, and the economy, there is growing awareness and discussion surrounding the need for businesses to take control of their data. Regulatory frameworks, like the NIS2 directive and emerging legislation, are pushing organizations to reevaluate their data strategies. Ensuring data control and ownership has become a central focus, prompting companies to seek data portability and protection across various cloud platforms.

⚡Avoid Vendor Lock-In for Data Portability

To navigate the complexities of data sovereignty, businesses must make strategic choices that allow for data portability and protection. An essential piece of advice is to avoid vendor lock-in, meaning organizations should select technology and service providers offering the flexibility to run applications and store data on-premises or across diverse cloud platforms. This approach helps to mitigate risks associated with dependence on a single provider and provides greater control over the fate of an organization’s data.

⚡Contractual Rights and Data Reversibility

In an environment where data ownership and control are paramount, it’s essential for businesses to have contractual rights and data reversibility safeguards in place. These rights ensure that data remains accessible, regardless of changes in circumstances or contractual disputes with service providers. Having the legal means to retrieve data, even in adverse situations, provides a layer of protection for organizations.

Episode Highlights

💡The Ongoing Evolution of Data Sovereignty [00:25:09]

Data sovereignty is an ever-evolving concept in the tech industry, driven by regulatory changes and an increasing focus on data control. Businesses need to consider data portability and the ability to retain control across different cloud platforms.

“The regulatory frame is moving, and I think we’ll bring more and more discussion… we need to decide where we put ourselves on that line of sovereignty vis-a-vis our business.”

💡Avoid Vendor Lock-In for Data Autonomy [00:32:39]

To achieve data sovereignty, organizations should avoid vendor lock-in by selecting technology and service providers that offer data portability and flexibility. This strategy ensures that companies retain control over their data, regardless of where they deploy it.

“Make sure that you have some portability with that technology… so that people can compare offerings and have a default compatibility.”

💡The Quest for Data Reversibility [00:33:34]

Having contractual rights for data reversibility is crucial in the pursuit of data sovereignty. Organizations must secure their legal rights to retrieve data, ensuring access remains intact even under adverse circumstances or contractual disputes.

“This legal right, contractual right to get your data back as a data controller… it’s about control, it’s about autonomy.”

💡The Importance of Data Management Strategy [00:33:40]

The need for strategic data management and architecture choices is emphasized. Data sovereignty requires businesses to make informed decisions about contractual agreements to protect their valuable digital assets in the face of evolving regulations.

“In the end, it’s about control. It’s about autonomy. You can only achieve that if you enforce these not just technically but also in your contracts.”

Here’s the full transcript:

Vinay: Hello, and welcome to another episode of Sovereign DBaaS Decoded, brought to you by Severalnines. I’m Vinay Joosery, Co-founder and CEO of Severalnines. Our guest today is Antoine Coetsier, COO and Co-founder of Exoscale, a Swiss cloud provider. Thanks for joining us today.

Antoine: Yeah. Thank you, Vinay. Thank you for the invitation. It’s a topic that matters a lot to us, so happy to join. 

Vinay: So can you tell us a little bit about yourself and what you do? 

Antoine: So as you said, I’m the COO and Co-founder of Exoscale. But before that, I mean, I’m an IT engineer by training. I worked in the telco business, for a long time, and then created the first, public cloud, actually, which was dedicated to the press and media business before launching, Exoscale, the company we we launched here in Switzerland, in Lausanne, back in 2011, and took us 2 years to bring out to the market.

We celebrated earlier this year our 10 year anniversary of the Exoscale product out there on the market. So it’s going strong, and we believe in this journey that the cloud can be regional, can be closer and made in Europe, with 7 data centers that we are pushing closer to, to our users in Switzerland, in Germany, in Austria, and in Bulgaria for the moment. 

Vinay: If we zoom back a little bit, right, if we kind of like, you know, rewind, we are in 2010. The cloud is a new thing. You know, it’s IT on tap. You can just rent, you know, computing resources in the cloud. There’s no real legal or compliance concerns, you know, data privacy. It’s kind of a new thing.

So, people are not really asking those questions, right? It’s more about how do I take advantage of this new thing, which gives us elastic resources, and I pay for what I use.

But if you fast forward a decade, the world has changed. There’s new privacy laws. There’s a growing, you could say, counter-movement against globalization, and data sovereignty is becoming a hotter and hotter topic. So, before we dive into the details, let me ask you this: If there was one thing you had the power to change in the European data sovereignty space, what would it be?

Antoine: Tough question. I mean, one thing, and we can attribute a lot of success to our neighbors across the Atlantic, in the US, is that what they have the courage to do is they’re much more patriotic in the consumption and in the spending. 

So the Amazon and Google and Microsoft, they’ve achieved such fast growth because the products are generally good, but also because the government and the society as a whole has sent them millions in deals and in consumption so that they could rapidly scale and, become those de facto standards over there in the US. 

What we like here in Europe because of our difference of cultures and this willingness and maybe naivete, that I mean, everybody should be allowed to play, etc. So we, our leaders, are not enforcing to consume exclusively from US, EU vendors.

And we don’t have, we haven’t yet, benefited from, I mean, that, in house, by government, from, public institutions. That has upended a lot, across the Atlantic. So, yeah, a bit more courage, a bit more patriotism would be my ask, but it’s hard to do. 

Vinay: And I will agree. I mean, you know, I think, if we look a little bit at how the cloud providers have, the big ones, at least, Amazon, you know, AWS, they had a very strong internal customer, right? 

Obviously, Microsoft, I mean, a huge, massive company with lots of resources. Google is a very big company, but in terms of market share, they’re quite behind, you would say, you know, Amazon and Microsoft. But if you think about it, even a company like Google with those resources they have, right, even they are kind of struggling to, you know, sort of catch up with AWS and Microsoft.

And then in China, we have, you know, we have two hyperscalers there, right? So, heavily funded, you know, by the government in a way. So yeah, I mean, I would probably agree that we are more split in Europe, so to speak. 

And yeah, most of the market is taken by the hyperscalers. So let’s dive right in. Sovereignty. So what is it all about? What is data sovereignty, as commonly understood, and is it important, right? 

So the discussion, you know, revolves around privacy regulations, compliance. But is that it, right? Is it not about ownership or control, fundamentally?

Antoine: Exactly. I mean it’s a very trendy topic, and in ‘23 I’ve seen the debate. I mean, really catch up and elevate, to a point where I was at a conference earlier this year in Geneva. I mean, Geneva is super interesting because it has the United Nations. It has all those NGOs. So there’s a lot of international discussion.

There was this conference bringing all the, most of the Swiss contents together, the politics there, and, it was interesting because for the first time, there was a consortium of directors from the, of which you call this digital directors of each, each contents. 

They federated together and they’ve mandated the studies, and they came up with a definition of, what’s digital sovereignty. And I think it’s good because, I mean, it’s the first time that politicians grabbed the topic and tried to put words for it. And I’ll do a trial, and sorry. I need to look at my second screen for this because the actual text is in French.

But they’ve defined this as “The ability of authorities, of politicians, to maintain the strategic autonomy and to be able to use and control in an autonomous way the material means and immaterial aspects of digital services which impact the economy, society, and democracy.” 

And I think the last aspect is super interesting because we always associate it to the economy. Oh, it’s we we we we don’t have full control. We can be. But they also judge this as democracy.

I mean, the freedom of selecting our leaders, of the people being in control of their own will and destiny. So I think there’s a realization that the digital world has, I mean, so much impact now in our lives that it goes far beyond just market shares and valuation of this or that company or import or export, balances between continents and countries. 

So I’ve grown fond of this, of this definition, and, I abide to it, the autonomy and and control. If we take an analogy with whatever other, infrastructure business, I mean, we we give the management of our roads, of our water to, I mean, in to to full, different, country and have absolutely no say on, I mean, how much water, how clean the water, where the water comes from or goes to? I don’t think so.

So why do we do it with data? Why do we do it with computing power? And also with software because that’s also what this definition says. It’s not only just the material pieces. It’s what binds it, and what binds it is the software that our communities are building together.

Vinay: So we’ll save that discussion a bit for later, around, you know, critical infrastructure, right? The cloud has become critical infrastructure in a way. So let me come back to that. But, um, let me ask you this: Have you seen your customers’ thoughts evolve right around this sovereignty thing?

So what are the business risks they are highlighting for wanting to run on a national cloud instead of one of the big, you know, hyperscalers?

Antoine: Yes. What we’ve seen, most of the larger prospects that we’ve been engaged to recently, there’s the NIS2 directive has been, is now enforced, in Europe, and there’s, it made some of the most advanced and mature companies realize that yes, there’s a risk, and it would be might be a good thing, at least to adopt a dual stack strategy or have a way to be able to switch to, to another platform if need be. 

So we’re getting into much more engagements weekly based on that, on the fact that there’s a new regulatory frame of the NIS2 directive. It’s a bit too early to say, is it gonna be fully embraced? Yes or no?

And, the first, also just like GDPR, the first fines and the first sayings from the EU commissions have yet to be, to to be, to be executed. So, we’ll see what this leads to. But, it’s in the docs.

Vinay: So we have the, you know, hyperscaler versus national cloud aspect, right, which is important with respect to, you know, national privacy laws. But is a national cloud the final destination for your customers? Do you see a place for hybrid, right? Being cloud smart instead of a cloud first strategy?

Antoine: Of course. I think certain aspects of data applications are already public.

They’re already out there. They need to be pushed to users that sit all over the world. So it will also be a competitive disadvantage if you have forced all its companies to exclusively use only national clouds as, I mean, you would have constraints. 

How do you reach users that are across the globe if you’re constrained to go to just a few locations here in Europe? It doesn’t make sense.

But for certain aspects of data and applications, making sure that the road or the water pipe cannot go away like we were, doing this analogy before. I think it’s fundamental. 

So, yeah, hybrid in the sense of multi is here to stay. I think it’s the way hybrid has transformed from, on prem to, just 1 hyperscalers. We’re seeing 1, 2 hyperscalers and a third option.

And we like when this option is us, but it can be any of our European colleagues as well. 

Vinay: I mean, hybrid, there’s a lot of talk, right? If you look at most of the surveys, most companies are using, you know, a combination of some of their own data centers and, you know, different public clouds. But the question is, in practice, how feasible is it, right, to have a real multi-cloud or hybrid cloud strategy? 

I mean, if you think about it, the services offered by hyperscalers are usually not compatible with each other or with whatever services there are on the national cloud, right? You have egress fees, right? These are the charges that customers pay to transfer data, you know, their data out of the cloud. And, you know, hyperscalers, usually they set them significantly higher, right, than as compared to other cloud providers. 

I mean, you know, or we know that there are many data centers that you can just rent where they don’t even charge for egress, right? And then you have committed spend, right? 

Which, in a way, makes sense, right? You do a deal, you will consume, you know, quite some amount of, you know, infrastructure over two, three years. And then you get a discount, which is a very normal thing to do, right? But then you still have to pay that whether you, you know, whether you use it or not, that’s the thing. That’s the catch?

So, you know, you get a discount, whatever percentage. So hopefully you also use all the actual commit that you’ve, you know, that you’ve put down, right? So, in a way, you know, the customer is incentivized to use one single hyperscaler. 

So, it is kind of a vicious circle because, you know, the customer finds it harder to switch. All you use are the clouds, right? In a way, you know, the hyperscaler has you by the balls, as they say, right? So good luck in negotiating a better deal next time around, right? 

So hyperscaler dominance continues. It’s like this giant tree that kind of, you know, sucks all the water and the nutrients right from the earth. So, there’s little left for others. So, you know, my question is, how feasible is this current landscape? Because it’s not very helpful in, well, it’s not prone to let smaller players grow in a way and flourish.

Antoine: You’re right. And, I mean, this lock-in effect is, I mean, it’s their play, and it’s quite effective, I must say.

I would add a third dimension to the reasons that you listed. Egress, there’s the commits, etc. So both more, like, financial aspects. But what we see, is usually those customers, they’ve invested a lot of time configuring all the policies and, you know, the I’m of those, of those platforms. So it’s not just if you consider migrating or using multiple clouds.

It’s how do you replicate it’s not just about moving data or using a slightly different product, but that does the same thing with a different API code. No. It’s about how do I make sure that all the policies I’ve enforced for my cost control, for my access control, for all those compliance that now, I mean, enterprise have more and more. I wanna make sure it’s uniform across all those platforms. I mean, it’s a nightmare, it’s a nightmare to do.

And up to recently, very few, to be honest, providers, I mean, were on par in terms of features in that regard. So, if I take the example of Exoscale, of course, we don’t have all the features in terms of products, but we have, I mean, most of the base products or something that runs on hyperscale. 

You can make it run on, on Exoscale. But our previous version of the IEM was, I would say, simple in the sense that it was basic, and far from what the hyperscalers were able to offer. So we’ve just recently progressed on that in the hope, I mean, complexifying a bit of product, which we don’t like very much, but, also in the hope, okay, someone can at least define the policy, the same policy, at an hyperscaler, at Exoscale,, and then maybe make it easier to get that that that multi cloud aspect. 

And then what we, what we like, I mean, try to educate our customers to do is to try to use more standards, external control planes. So just like I mean, yours from I mean, the Clustercontrol is a good example. I mean, you don’t have to use the communities manager from, or the managed communities offerings from cloud providers. You can also go with your OpenShift or Venture or whatever distribution you like.

And so by standardizing on the, on the lower, common denominator, it makes it easier at least to to switch. But as soon as you get trapped into advanced and custom, custom products that only exist at one place, it’s very, very hard to get that hybrid or multi cloud equation running at least in a meaningful way. 

Of course, I mean, all companies, they will try to say yes and just have a tiny application and on a separate platform, but the balance is, would be off. I mean, is this something that you see as well? 

Vinay: So, yeah, I do you know, I do think so as well. I think everybody says that, you know, they, yeah, we use, you know, two to three, you know, I don’t know, at least two hyperscalers, maybe, you know, at least a couple of, let’s say, smaller cloud providers, more local, right? 

But then if 90 percent of your spend actually goes into, you know, one of the hyperscalers and then you just have some random small systems, yes, you can say on paper, “I’m using multiple clouds,” but, you know, most of it is actually just one cloud. That’s kind of the thing, right? 

How many applications actually are truly multi-cloud, right? With the setups, with the egress fees, with all these, you know, issues around IAM and, you know, having to configure two different platforms in a way to get it to work. I mean, it’s so much work that.

So, but if we switch a little bit, you know, Database-as-a-Service, right? It’s kind of a, you know, term du jour, right? And, but that’s really database automation, right? And database automation is not necessarily synonymous with, you know, with DBaaS, right? 

There’s arguably multiple ways of, you know, automating your databases. So looking at your, you know, your own customers or prospects, I mean, are you seeing any, you know, let’s say, any prospects, you know, asking about implementing alternative models on top of your infrastructure, right? For example, are they building their own automation on, you know, on top of IaaS? Uh, you know, what are, what are the kind of models that you’re seeing?

Antoine: Okay. So first, I mean, we are faster as a service provider. So, not our customers tell us what they do, and we don’t, we don’t eavesdrop on their workload to try to find out that that would be out of our terms and conditions. So the only insights I have is from the conversations in which we directly engage with.

There’s a variety of things. I’m not sure I can be, I can give you a very meaningful answer on this one. We are seeing quite some success with our own DBaaS, and database as a service product. That’s, that’s for sure. We also know there’s plenty of workloads that are still being run on either a traditional way or with an external orchestration layer or or control plane layer, that we don’t know we don’t know of.

But we can see and feel that there’s backups happening, etc. So, traffic between computers, between object storage. So for sure, this is happening. 

Vinay: I guess one such model could be something like Kubernetes, where, in a way, the customer might get a bit more control over all the things that help them run their infrastructure and their databases. That could be one level of automation slash encapsulation and isolation.

Antoine: I mean, this Kubernetes is doing wonders in that field. I mean, it’s standardizing, a bit the platform across, across vendors. So so we’re seeing great adoption, in all flavors, as I was mentioning before, whether it’s our own, SKS or scalable Kubernetes service, it’s it’s a full manager Kubernetes control plane on top of of Exoscale or people that deploy their own vanilla Kubernetes clusters or flavored clusters with the the the ventures and and OpenShift, of this world. 

This is draining more and more, more and more workloads. And we are also seeing people trying to use this orchestration layer to run databases, not to sometimes mix results, but it’s definitely a trend.

And what we can say I mean, I have a nice figure for you is that, I mean, all the Kubernetes related workload in in the space of 2 years, they’ve started they’ve gone from 0 almost to now I mean, they’re weight 20% of all the compute workloads that are running on on Exoscale. So it’s just to say that the adoption rate as fast as this is just unseen before. So it’s really a trend that we are seeing on our, in our data centers with Exoscale. 

Vinay: Yeah, yeah. So we’ve spoken about how companies are thinking about sovereignty and how they’re using different models to achieve that, right? So, do you think sovereignty will become more important to them in the future, or are we today at the peak?

Antoine: Yes. I think we’re not yet at the peak. As I was saying before, we had the NIS2 directive. Discussions are sparked in 2023, and more regulations are coming our way also from the European Commission. 

Unfortunately, some are a bit delayed because there’s a lot of lobbying, as we can imagine. But there’s a, there’s the promise from ENISA and UCS, so a framework for cloud services in Europe, and some digital acts that are, that are in the works.

So the regulatory frame is moving, and I think we’ll bring more and more discussion. So it’s definitely trendy. Not at the not at the peak, yet, because the awareness is not here everywhere. 

My sentiment is with more mature companies, the ones that really have a stronger security posture, not, not widely spread yet. So, thank you for doing the podcast because it helps propagate the message, and at least the awareness.

You need to think about it. You need to decide where you put yourself, on that line of sovereignty vis a vis of your business. 

Vinay: I do agree with you. I think it’s something that will become more important. We’re probably not at the peak, but we kind of touched upon it earlier in this conversation -cloud computing as critical infrastructure, right?

We talk about democracy, we talk about not just the economy… there was a third one – society? Yeah, society, economy, and democracy. Yes. So, just like water, energy, highways, bridges, railways, and so on, right? 

So, what are your thoughts there? I mean, is the cloud part of critical infrastructure today? And as such, if it is, should it be regulated?

Antoine: Regulated? Yes and no. Should it be standardized? I mean, if you just, I mean, you took the electricity example, just right before. Of course. I mean, we expect if you buy any appliance, in Europe, you expect this to be 220 volts. 

So that it’s just you plug it and the socket has a certain shape. At least in your country, you plug it, it works, and not different shapes and different voltages, etc. And then in the US, they have their own plug format and their own voltage, but at least it works everywhere. 

So, we need to at least get to that level where you can plug and play everywhere at least with a certain scale or certain geographical dimension. Then fully, fully regulated and just only one provider, maybe not.

Some competition is always good. Should it be in addition to withstanders, should have guidelines and and, guardrails, with more, like, certifications and and, and normative ways from, from the legislature legislators. This, I think, yes, we could have some more, so that it’s not the jingle or that everybody eyes behind. Oh, I’m eyes or this and that. But what does it really mean in the pack?

Because you could very well certify, I mean, just only part of your business and not the platform as a whole. So it’s only for specialists. So this transparency is, is not there yet and could be, there could be, at least a mandate to make it clearer so that people can compare offerings, much, straighter and have a default compatibility of, okay, they can expect Kubernetes to behave the same way at at all those locations or database to behave also the same way, across the across the locations. That would be my dream. I don’t know if we will succeed as an industry as a whole.

Vinay: Well, we should. I mean, you know, we have no choice, right? So, I think in a way, if we look at, um, you know, I guess, you know, data sovereignty in one expression or another, it will continue to increase in significance, right? 

From like 10 years ago, 10, 15 years ago when it started, people didn’t really think about, you know, the consequences of using the cloud and just like any other technology, right? It gets more and more regulated with time, right? So, you know, even AI, if we look at what’s happening today, you know, there’s, there’s the same discussions there.

So how can solution providers support organizations, you know, looking to get that more control over their data, you know, whether it be through their infrastructure or their database, etc? 

Antoine: Well, I think data means, I’m stateful. So I think for all the application part, it’s a trend that’s been running for many years. I mean, we’re running infrastructure as code and deploying more applications in an automated way. 

It’s something that’s now, I mean, all the DevOps also, culture has made its way and it’s now something that’s adopted quite a bit more. And I think with the data and more precisely with databases, we are still in that moment where databases used to be, I mean, very special beast that had a special name, so the pet versus cattle dilemma that was with virtual machines, 10 years ago, it’s still, uh, in some aspects, a bit true with databases. 

So helping customers, really separate protecting the state, protecting the data from the data operation. It’s still something that’s ongoing. Not everybody has, um, fully embraced it. And I think, I mean, both our companies with, uh, DBaaS offerings, they can really help our customers or our users achieve that, that additional bit of control in terms of, okay, my backups there. In check, I know how to upgrade. I know how to do blue green deployments, etc. Not only with just my app, but with my, uh, with my databases as well.

So, still need to finish that part of, uh, transition, on the market and educating the, all the, all the customers. So that by default, applications can be a design in that, uh, in that way. 

Vinay: So just to summarize, you know, what would be your, you know, since we’re a database company, you know, we do database ops, but, you know, giving it to you as a, as a, you know, cloud provider, what would be your recommendation to enterprises, right? When it comes to devising a new database strategy?

Antoine: I would say to recap on what we’ve said, uh, before, avoiding lock-ins. Okay. choose a database, a data platform that, you know, you’ll be able to run on prem. You’ll be able to run, on any cloud you choose, because that cloud infrastructure or your customers, that’s the end customer of a, of a company, can change, can move, and new markets can open. And you need to have this ability to deploy, redeploy, and get closer to your users. uh, so.

When you buy into a technology, make sure that you have some, some portability with that technology. So either use vanilla open source flavors or a control plane that will enable you to deploy it, to deploy it anywhere. I think that will be in the technical aspects, one of the, the critical ones. 

And then if you’re selecting to go,  out there and to get as a service, make sure that we have every provider that you select. I mean, you still retain the full data ownership and that you also have rights, whatever happens with your provider to, data reversibility so that you can retrieve your data if something bad happens contractually, I mean, you disagree, payment issues, whatever. 

The world would be made of in a few years to come, that you have this legal right, a contractual right to, to get your data back as a, as a data controller. Because in the end, it’s about control. It’s about autonomy. So you can only achieve that if you enforce these, not just technically, but also in your contracts with your solution providers.

Vinay: Imagine somebody holding you ransom, you know, on your data. That would be pretty, pretty, pretty crazy. Thank you, Antoine.