Data sovereignty: Is it time to rethink your cloud strategy? Part 1
Over the last few years, data sovereignty laws have been on the rise all over the world. By adopting these regulations, governments are trying to ensure that their citizens’ data remains on sovereign soil — not spread across different jurisdictions or regulatory environments — thus preventing foreign access.
While the drivers for the rise of data sovereignty laws are complex and numerous, some events have acted as accelerators. These include privacy scandals like Snowden’s revelations and Cambridge Analytica, increasing economic competition between the US and China, cyberwarfare in the context of the war in Ukraine, and the US CLOUD Act, which requires American cloud providers to provide data to US authorities if ordered by a judge — even if the data is stored abroad and concerns foreign individuals.
In this two-part blog series, we will examine the impacts of data sovereignty and how your organization can adapt its cloud strategy to address these concerns while delivering business value.
What is sovereign cloud and why is it important?
Against the backdrop outlined above, we are seeing a global reckoning about the strategic importance of data, and a will to protect them from foreign interference. In this context, the Internet is seen less as a borderless, globalized utopia, but more and more as a virtual battleground where sovereign states and big corporations compete fiercely. While the sovereign cloud market is in its infancy, concrete, comprehensive and sustainable implementations are expected to emerge in the next 18 to 24 months.
The drivers of data sovereignty are complex, as the Internet becomes a virtual battleground where sovereign states and big corporations compete fiercely.
Although it’s tempting to pull everything back to a private cloud, this isn’t the only viable solution.
The rise of data sovereignty laws
The European Union GDPR (General Data Protection Regulation) is the most famous example of data protection law. Enacted in 2016, it governs the data protection and privacy of EU citizens and regulates the transfer of data outside the borders of the EU and the European Economic Area. However, it is far from the only existing data privacy law.
Within the EU, some countries have their own data sovereignty laws and regulations. Germany, for example, has implemented the new German Privacy Act (BDSG-new) that restricts data transfers to third countries. Companies that process citizens’ personal information also must fulfill the German government’s data protection requirements, even if they are located outside the country’s borders.
In France, SecNumCloud is a certification scheme from ANSII (French National Agency for the Security of Information Systems), which grants cloud infrastructures a security certification aligned with GDPR and ISO 27001 standards. It also goes a step further, with protection against extraterritoriality rules. In the next two years, we expect more and more French laws to require adherence to this certification for sensitive use cases.
This trend isn’t confined to Europe either. In the US, states such as California have implemented their own GDPR-inspired regulations in the absence of any Federal sovereignty law. The country also has industry-specific federal protection laws, such as the HIPAA Privacy Rule, which gives Americans some specific rights over their health information and sets rules and limits on who can look at and receive it. Given the strong economic interdependencies between the US and Europe, we expect that both parties will continue to have access to each other’s cloud market (including sovereign cloud), provided that they adhere to applicable regulations.
This isn’t solely a Western trend, either. In China, for example, public sector institutions must use a Chinese cloud provider to store their data. Vietnam, Russia and Indonesia all require their citizen’s data to be stored on servers within the country. India is currently working on a privacy law that would impose data localization requirements, mandating that critical data be processed in India.
In 2017, 35 countries had implemented 67 laws, regulations and government policies requiring digital information to be stored in a specific country. By 2021, this figure had more than doubled, with 62 countries imposing 144 restrictions, according to the Information Technology and Innovation Foundation. By 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020, according to Gartner, Inc.
As a consequence, many companies are adapting to this increasing body of data regulations by pivoting to a sovereign cloud strategy.
What is a sovereign cloud?
Although it might seem that the best way to comply with increasingly strict data sovereignty regulations is to pull everything back to a private cloud, this isn’t the only viable solution. A sovereign cloud can still be made available to multiple clients on a single public cloud infrastructure — and provide the same set of services as public cloud.
The definition of sovereign cloud is more about guaranteeing where the data is stored, how it is secured, who can access it, and making sure whoever operates it is accredited to do so. A sovereign cloud provider should also protect its customers against potential violation of policy, providing them with sovereignty expertise to make sure that they don’t inadvertently break existing privacy laws. Furthermore, sovereign cloud adoption will largely depend on its ability to strike the right balance between compliance, security, costs, features and the degree of added complexity to optimally meet the needs of the sensitive workloads it is targeting.
Sovereign clouds are underpinned by four critical pillars:
Figure 1: Sovereign cloud pillars
There are, however, several trade-offs associated with sovereign clouds which should be assessed and accommodated:
• Security and compliance: Sovereign clouds must safeguard data and enable its management according to applicable laws and regulations, but this cannot be an obstacle to data sharing, which is critical for extracting value and insights.
• Features: The adoption of sovereign clouds cannot hamper innovation and digital transformation initiatives. It is therefore only viable if it delivers a rich portfolio of IaaS, PaaS and SaaS solutions — and preferably, fidelity to public cloud services.
• Cost: We can expect sovereign clouds to carry a small premium (15-20%), but the value of sovereign clouds goes hand-in-hand with affordability. Hence, provider scale will be critical.
• Complexity: The addition of sovereign cloud as another option significantly increases complexity, both in terms of workload placement and ongoing management.
When developing a cloud strategy, it’s critical to not only address the requirements of the four pillars of sovereign cloud, but also to carefully assess how the tradeoffs outlined above will impact your specific business priorities. In the second installment of this series, we will take a look at how your organization can adopt the right approach to implementing sovereign cloud.
By Nick Law, Head of Cloud Portfolio and Sustainability Portfolio, Tech Foundations
Posted on: November 16, 2022