We’re hearing more and more these days about sovereign cloud. While it is not a new concept, it has risen to prominence recently due to a changing geopolitical landscape and new regulations that affect the degree of sovereignty organisations and individuals are able to exercise over their data.
This is because a sovereign cloud offers a smart response to the growing appreciation of the benefits and risks of not having well-defined, territory-level jurisdictional requirements for data. The size of the global government cloud market is expected to reach $71.2 billion by 2027 from $27.6 billion in 2021, according to market research firm Imarc Group. Microsoft recently unveiled Cloud for Sovereignty – a new offering designed to help the public sector comply with regulators’ increasingly strict requirements to keep data within a certain geographical area, particularly in Europe.
European holiday season
With all the various perspectives on sovereign cloud and the sovereignty of data – and its relevance to cloud consumers – being aired publicly across the continent, it is becoming difficult to understand what it all means. This is especially true for those responsible for corporate or public data, when there would appear to be very little in common between the many competing definitions of sovereignty as it pertains to different forms of customer data and how best to address the concerns raised by the likes of GDPR, the US Cloud Act and Schrems II.
At the time of writing, we’re very much in the European holiday season so, to avoid this being a dull technical discourse, we’ll use planning family holiday accommodation as a light-hearted analogy for the situation. While the comparison may seem leftfield, there are more similarities than you would think on the surface. Both involve multiple parties with varying needs and a huge number of influencing factors. Similarly, a well-planned and well-executed family holiday can make amazing memories, whereas a badly planned holiday can leave permanent scars. In this respect it is not unlike the decision as to where to host one’s valuable corporate or public data.
Three main choices
It’s a situation akin to choosing from a variety of accommodation when going on holiday, notably: the international hotel, the smaller, localised one or a boutique offering. The first is big, with lots of support services, and comes with a well-known reputation. Its guests consume the basic package of the room, but all other facilities and activities are chargeable individually.
The second option is like the first but more localised. Many of the services, activities and facilities of the international hotel brand are available at this franchise hotel, but a local partner company owns the operation and handles the overall management. This has some appeal, as the services are more localised, as are the staff, who have received additional, more locally relevant training in line with regulations and jurisdictions. However, as this is a smaller operation, some of the services offered by the international hotel brand are not available, nor are the added advantages of accruing loyalty points or the familiarity and greater certainty over service that a large international brand offers.
The final choice is a local boutique hotel that has been operational for many years in a local area and provides a very tailored experience. It differs from the first two options in that it works with the guests to create specific packages of activities and services. On balance it is more expensive and labour intensive, as the hotel makes a real effort to understand its guests and consequently tailor a very relevant package of activities and services. This entity understands all the requirements of operating locally and can offer benefits accordingly.
Five defining factors
There are clear pros and cons with each and, much like a cloud provider, the key question is which to choose? The answer is not simple and comes with several defining factors, particularly:
- People (staff and booking operators) – Data guardians should be aware that certain tiers of data should ideally only be managed by certain types of individuals. Part of the journey to assessing the type of sovereign cloud a business needs is understanding the type of individuals that should have access to the different classifications of data for which the data guardians are responsible.
- Access (support services) – This is critical in understanding the choice of sovereign cloud: how all associated account and service metadata relating to the customer’s data are handled, according to which regulatory frameworks and auditing standards, and which jurisdictions the sovereign cloud provider is subject to from the perspective of governance, oversight and compliance.
- Process (ease of booking, autonomy in consuming services and providing feedback to the provider) – The systems used to aid the people in carrying out their duties. This is all about the accountability of the sovereign cloud when it comes to how the customer’s data, as well as all the associated account and service metadata generated by the provider, are managed and potentially leveraged, and by whom and where.
- Activities (what you get) – Relates to the activities that people, through their access and by leveraging processes, can carry out against the data: customer data as well as account and service metadata. It speaks to the level of expertise, accountability and training of the staff, as well as what they are allowed to do. For example, with children you don’t have generic support staff; you have staff trained to work specifically with children. Understanding the data classification, how those data types should ideally be accessed, and what levels of management are enabled for which types of personnel using which systems is critical to selecting the right sovereign cloud.
- Technology (the accommodation structure and ergonomics) – The need to have a robust and resilient architecture, located locally within the jurisdiction, and optimised to reflect the sensitivity and value of the data hosted on the platform, whether that is at an individual customer level or more broadly at a data classification level. The facility should be secured and operated at the highest levels of resiliency. Because the data also needs to be always available, this creates a need for backups and disaster recovery solutions that exist beyond a single-site architecture while remaining wholly within the local jurisdiction.
The right choice, for you
So, if your sovereign cloud provider was holiday accommodation, which would you choose? As with all families, there’s no one-size-fits-all solution, and what will work for some will not work for others. Classifying and understanding your business’s data types is the first step you should take as a data guardian when selecting the right sovereign cloud for your business.
Alex Tanner is a Senior Staff Solutions Architect for the Cloud Provider Program at VMware in the UK. Alex’s current role includes a special focus on the VMware Sovereign Cloud initiative in EMEA. Alex has worked as an overlay specialist in many parts of the VMware business over the last 10 years, including covering the Aria Suite, vCloud Air and NSX. Prior to VMware, Alex spent seven years at EMC as a mid-tier storage specialist and senior VMware vSpecialist.