Deciphering the Sovereign Cloud
At a Glance
Cloud computing brings immense benefits but cybersecurity can sometimes be an afterthought. In this article, Wolfgang Baumgartner examines how organizations can implement cloud security, and where responsibility ultimately lies for securing the cloud.
We have defined digital sovereignty as the degree of control an organization has over its entire digital environment.
When applied to a cloud environment, sovereignty differs from security by considering the sovereign risks induced directly or indirectly by cloud providers. The primary indirect risk is foreign interference using an extra-territorial law or government pressure on the cloud provider. Hence, a sovereign cloud is a local concept with a different answer from one country to another.
We could define sovereign cloud with a risk-based approach, saying it’s a cloud environment that covers at least part of the sovereign risks. However, in some countries (especially in Europe), it is mainly defined by a certification issued by a national agency such as SecNumCloud in France, C5 in Germany and ENS in Spain.
We would also like to emphasize that sovereign cloud is too often reduced to data confidentiality, but availability is just as important. What if your most business-sensitive service goes down with no way for you to restart it or recover your data?
Now that we have defined the key features of a sovereign cloud, let’s take a look at what it requires for cloud providers and customers.
A cloud provider’s journey to sovereign cloud
Outside of the USA, there are two cloud service provider profiles that emerge from DC operators.
These providers host and operate their services in-house, using a mix of off-the-shelf products and their own technologies to build a solution that they host and operate by themselves.
With their local footprint and clear role, even when depending on foreign technologies, they are the first to achieve sovereign qualifications such as a certification by the French SecNumCloud, on a limited subset of services (mostly IaaS) covering a small to mid-size capacity.
While their current concern is to expand their services portfolio, this may create staffing challenges for building services and running activities. Should they create technologies from scratch or buy them from another tried and tested manufacturer?
Additionally, they want to be able to operate at scale, inducing more automation needs and triggering some local footprint questions when settling in new geographic areas.
Hyperscalers' current situation
1. These providers have the largest portfolio of services to offer, armed with an understanding of customer requirements, faster innovation and time-to-market.
2. They ensure a very high level of confidentiality versus third-party disclosure.
3. However, their global hosting and operations make them appear not to be sovereign — except in their home country.
Hyperscalers' future path
1. With high levels of industrialization and a least-privilege approach deployed across their systems, hyperscalers score high on customer data confidentiality. They will continuously release new services to give customers more control over critical security elements.
2. They invest heavily to demonstrate that the confidentiality of customer data is also preserved against the hyperscaler's own tools and personnel, and particularly in promising “Privacy Enhancing Technologies”.
3. However, for availability governed by the strictest certification schemes, their main challenge is to guarantee the localization of the whole stack's hosting and operations. Even for locally hosted data centers sold in the region, they must clarify boundaries and dependencies between services to co-locate them. Most hyperscalers either rely on creating local entities for operations, or partner with local players.
Moreover, service providers that do not operate data centers (like SaaS) face sovereign challenges as well. Consuming services from certified sovereign cloud providers is not enough for them: they must implement additional security controls for their SaaS operations, and may optionally apply for a sovereign qualification as well.
A customer’s journey to sovereign cloud
Even if sovereign cloud is a hot topic in Europe, not every customer may need it. Customers need to first assess their requirements with a formal risk analysis. This risk analysis must consider the different sensitivity levels existing in their information system, which may not require the same level of sovereignty. Once this assessment is complete, a sovereign cloud may be their answer to the sovereign needs identified.
These needs can be broadly categorized as follows:
Compliance with regulations and laws
Some standard public cloud offerings, especially from foreign cloud providers, may be incompatible with regional laws and regulations. In that case, the easiest way may be to use a certified sovereign cloud whose certification scheme ensures compliance with specific requirements. Alternatively, a risk-based approach must be taken.
In the future, especially in Europe, we foresee laws that will require certified sovereign cloud for some activities such as for Critical National Infrastructure.
Protection of business strategic data
Most customers have highly critical data like industrial secrets, innovations or even customer databases that need a high level of sovereignty. To maintain control over this data while leveraging cloud, they need to select a sovereign cloud with a risk-based approach.
Once the required level of sovereignty is established, an important criterion for choosing the target sovereign cloud solution is the customer’s expectations about the cloud features they need. As described above, cloud providers’ sovereign services catalogs are not equivalent, and won’t match the same functional needs, depending on the customer’s cloud maturity level.
There are at least two different types of customers here:
Cloud customers focused on IaaS
For these customers, the focus is to migrate to the cloud for the agility, capacity and/or cost reduction it brings, but without transforming their applications. For them, all sovereign cloud service providers will fit their functional needs if they offer IaaS services.
Cloud native users
These customers want to benefit from cloud SaaS and PaaS services even in their sovereign cloud, because they are already using them for less sensitive perimeters. For them, it is currently very difficult to find a good compromise. Most SaaS providers fall into this category.
Sovereign cloud: navigating the challenges ahead
In conclusion, the sovereign cloud market is still being shaped by three key dimensions that influence each other:
1. Emerging certification schemes and regulations
2. A constantly evolving landscape of sovereign services by cloud providers that lacks variety
3. Customers’ uncertainty about business and compliance requirements and timelines, and hesitation to zero in on the need for sovereign cloud
Finalizing a business strategy that incorporates a sovereign cloud demands time and an organization-wide commitment. While this article has outlined the different types of players in the sovereign cloud environment, both service providers and customers need to map their internal business goals and chart their own journey towards sovereign cloud.