Diligence becomes increasingly important as the battle for Cloud sovereignty intensifies

By Guy Bartram – Director Product Marketing at VMware

First, AWS has made a public pledge, namely the: ‘AWS Digital Sovereignty Pledge’. This involves a commitment to provide ‘the most advanced set of sovereignty controls and features available in the Cloud’. This follows Google 's partnership with T-Systems and the ‘Delos’-offering from Microsoft, SAP and Arvato, and now AWS joins in. These initiatives reinforce the growing potential of sovereign Cloud services in a world increasingly dominated by questions of Cloud choice and governance as well as complex compliance requirements.

So, what does a pledge mean? The dictionary defines a pledge as a ‘solemn commitment’ - which would reasonably beg the question: isn't this an admission that there is little sovereignty in supply these days? Why else would it be a promise? A promise is forward-looking, something that has not yet been implemented or delivered. Shouldn't such an announcement also ideally be backed by a roadmap? Where is the guarantee that matters in this pledge will be fulfilled? Instead, AWS mentions what the promise generally entails: control over the location of your data, verifiable control over data access, the ability to encrypt everything everywhere and the resilience of their Cloud. The promise sounds excellent, but does it meet the standards of most data sovereignty requirements worldwide? However, it seems that nothing addresses the critical concerns around large-scale use, jurisdictional control, legal rights to access the data and meeting sovereign data requirements that require protection from the US CLOUD act or section 702 of the U.S. Foreign Intelligence Surveillance Act.

Secondly, Microsoft is facing trouble in Germany because Office 365 allegedly does not comply with the GDPR. The GDPR is over four years old at this point and most companies have rushed to comply with it to avoid being penalised by the EU. Now that the German federal and state data protection authorities (DSK) have raised their concerns about Office 365‘s compatibility with data protection laws in Germany and the EU, one wonders how other companies may also be failing in their obligations to protect EU customers’ data. In addition, how many other legal requirements (such as data sovereignty requirements) that global public Cloud providers believe they meet could be investigated by regulators? This news is naturally thought-provoking. Microsoft has denied that this is accurate and has issued a statement asking for further clarification regarding the view held by DSK. IT managers should therefore consider this news as a noteworthy case study to guide decisions on their Cloud choice, as the legal requirements regarding data sovereignty are much more complex to comply with than GDPR.
‍

All these issues put US and global hyperscalers in a precarious position when operating a sovereign Cloud (or any other regulated Cloud solution) in jurisdictions such as the EU, where they must comply with the EU's GDPR and US law. It also additionally puts the EU in a precarious position, as 72% of European Cloud market spending Q2 2022 was aligned with AWS, Microsoft and Google. The EU wants a fair market and a protected European Cloud without compromising Cloud functionality. However, with continued investments of around $ 4 billion in US hyperscale organisations, no European Cloud company will ever be able to seriously challenge this market. So the EU certainly has a dilemma: on one side, enforcing sovereignty would mean not being able to use foreign Clouds, which would seriously damage the EU Cloud market. And on the other side, how to legislate sufficiently to maintain a level of sovereignty that does not exclude foreign providers with some degree of external jurisdiction control? It seems that there will be no answer to this dilemma in the near future. The most cautious approach to compliance seems to be a national purpose-built sovereign Cloud, using external Clouds when your data classification meets the needs of non-regulated or non-sovereign environments: Cloud Smart!

European Cloud providers are generally more specialised in their services and almost all offer managed services, something not readily found in the offerings of large US hyperscalers. I believe this is a good thing. VMware has consistently stated that the future of a well-executed Cloud Smart IT strategy is Multi Cloud and Hybrid Cloud and that being Cloud Smart means we cannot ignore hyperscale offerings. We need them, especially since there are significant innovations and market-leading scalability in these Clouds. This is why VMware's strategy is unique: VMware encourages Multi Cloud and helps organisations maintain a Cloud strategy that avoids lock-in and upholds quality and security while monitoring performance. The VMware Sovereign Cloud initiative enables national and local Cloud provider partners to construct purpose-built sovereign Clouds, including Clouds that meet local specific requirements in areas such as data sovereignty, encompassing data residency and jurisdiction control, data access and integrity, data security and compliance, data independence and mobility, and data innovation and analytics.
‍

‍

‍

The common misconception when considering the use of a global hyperscaler for workloads that require data sovereignty is that there is compliance because the portfolio, data and applications are limited to only what can be run in a region. This still does not make it sovereign - it is just a farce. To be clear, physical location (or data residency), while necessary for data sovereignty, does not constitute full data sovereignty for almost, if not all data sovereignty requirements around the world. Data sovereignty requirements are unique to each jurisdiction, but all have needs beyond data residency. For example, they all also require jurisdictional control, which cannot be assumed to be met with a data-resident Cloud, especially for US or global Cloud providers subject to the CLOUD Act and FISA ruling. It is therefore essential to recognise that VMware sovereign Cloud providers are independent third-party partners around the world that also manage extensive portfolios of Cloud capabilities. Based on VMware solutions and ecosystem providers, with tools and competitive advantage (under the current regulatory climate) to provide the highest level of compliance comfort to data sovereignty requirements and/or other regulations such as the GDPR.

‍

So, what is the answer here? VMware's position has not changed: the use of ‘trusted’ hyperscale Clouds indicates a level of trust where data placed in a hyperscale Cloud is not top secret, should be able to be protected (using encryption or bring your own key, for example) and should be public. In other words, only low-risk data should be placed in a hyperscale Cloud. Across the world, customers should no longer wait for a magical one-size-fits-all solution. Instead, consider a strategy that uses the best of all Multi Cloud solutions and makes Cloud choices based on data classification, data operations and risk.

As the diagram shows, there is an increased risk associated with non-sovereign Cloud solutions, as jurisdiction control is overridden in a trusted or hyperscale Public Cloud. The amount of data applicable to non-sovereign services to be considered may be lower if you have performed a thorough data classification. Remember, a sovereign Cloud provider will provide services that are suitable for your industry, be it government, public sector, finance or many other industries, and also provide managed services to help you with your Cloud adoption strategy. Some also develop secure data sharing solutions to make money from your data, a critical component in the growing data market. Furthermore, VMware Sovereign Cloud Providers may be best suited to support you in managing locally tailored privacy, classifications and risk analysis to meet the strictest standards. As data covers personal and non-personal data (think industrial and IoT), a classification exercise will help you understand your risks and how to protect them in line with regulatory requirements and future threats from new data classification standards coming up.

As data markets evolve and data exchange for supply chain and revenue generation becomes a critical part of how we do business, it is essential to determine the right strategy on day 0 and ensure that the limitations of a Cloud choice do not compromise the principles of sovereignty. In addition, ensure that the Cloud provider you select has the right technology capabilities, security infrastructure and data management processes to protect your data, meets compliance standards and provides a secure platform for your business.

‍