Data sovereignty: Is it time to rethink your cloud strategy? Part 2
In the first installment of this series, we looked at the drivers and fundamentals of sovereign cloud, plus a few of the key requirements and tradeoffs that must be considered when developing a cloud strategy.
There’s no “one size fits all” solution when it comes to sovereign cloud, so this blog post will examine a few of the options available — with the goal of helping you choose the one best suited to your organization.
What’s the right approach to adopting sovereign cloud?
For European companies, one clear challenge is that the largest cloud players are either American or Chinese. Although a company’s data must be secure, it must also be able to leverage the most efficient and innovative technology portfolio to meet its business requirements and compete in the international market.
Working with a Chinese cloud provider to handle their sensitive data is, of course, risky for European organizations. Because of the US CLOUD Act, creating a sovereign cloud on one of the three big American hyperscalers is currently also challenging, since the American government can legally access data hosted by a US cloud company.
One way to overcome this is to create a dedicated sovereign region operated by a joint venture which is majority-owned by the domestic European partner. Some examples of this approach are S3NS, which Thales created in partnership with Google, and Bleu, a joint venture between Capgemini, Orange and Microsoft. An alternative option is for a local provider to partner with a hyperscaler, where they operate a segregated hyperscaler environment on behalf of local clients, employing sovereign controls such as data residency, encryption key management and local technical support. An example of this approach is the work T-Systems is doing with Google in Germany.
Data sovereignty can already be achieved on public cloud, thanks to additional control mechanisms that leverage sovereign hardware security modules (HSM), key management systems (KMS), identity and access management (IAM) and security monitoring.
Leveraging the cloud continuum
Another option is to switch to a hybrid cloud strategy, which involves building your own private on-premises environment to secure your most sensitive data, while benefiting from the advanced technology of the hyperscalers in the cloud. Hybrid cloud allows companies to choose what data they want to deploy to the off-premises cloud and what data they need to keep on-premises or at the edge to deliver the edge-to-cloud continuum depicted below.
Private clouds and edge can begin to satisfy the requirements of data protection, geographical localization, control, access and security. By its very nature, a private cloud can be located within the country and dedicated to a customer. Thus, it provides the core building blocks required by enterprises for cloud sovereignty, since workloads and data are under the country’s jurisdiction and fully disconnected from hyperscalers.
On the other hand, it cannot deliver the scalability and cost flexibility of public cloud. Nor can it provide the same pace of innovation. Using a public cloud usually means getting new features every week, a rhythm that a company managing its own private cloud can never match. For this reason, it is all the more important to decide carefully which data can remain on the public cloud and which data will move on-premises.
How to make the choice
To enable this decision, companies should conduct app assessments and risk analyses, to examine what data they are storing in the cloud and what data is being transformed outside of their jurisdictions. The analysis should also assess the metadata being gathered (including IP addresses, credentials, logins, reports and so forth). They can then classify the different data elements in their environment as public, confidential, restricted or sensitive. Based on that, the company can make its decision.
There are many factors that determine what an ideal cloud environment should look like, and business expertise is one of them. Companies dealing with data of national security importance should, of course, be more wary of using hyperscalers than those who don’t. At the other end of the spectrum, small actors who don’t deal with sensitive data and don’t have the financial means to build their own cloud infrastructure can keep most of their data on a public cloud.
For example, Atos is working with UGAP (France’s national public procurement agency) to provide it with public, private and sovereign cloud services. This is aligned with the French government’s “cloud au centre” (cloud at the center) strategy, which encourages the country’s public sector to harness the potential of the cloud to accelerate its digital transformation.
Last year, Atos also partnered with Dassault Systèmes to offer Dassault’s 3DEXPERIENCE platform at client premises, augmented by cybersecurity services compliant with ANSSI requirements for critical operators. 3DEXPERIENCE is a virtual twin SaaS platform that provides organizations with a holistic real-time view of their business activity and ecosystem in a single collaborative and interactive environment. As such, it requires both the efficiency of the cloud and a secure environment to thrive, especially when critical industries are concerned.
What lies ahead
As we stated at the outset, there is no “one size fits all” solution. Sovereignty is a spectrum, and the goal is to reduce sovereignty risks to an acceptable level for the customer. 100% sovereignty may not be necessary or achievable, due both to global bilateral government agreements on data export and to the challenges of achieving full software and technology sovereignty. Still, actions such as the European Processor Initiative are being taken to reduce dependency on foreign technologies and secure supply chains.
We may still have a long way to go on the road to Europe’s cloud sovereignty, but making the right choices now brings us one step closer.
By Nick Law, Head of Cloud Portfolio and Sustainability Portfolio, Tech Foundations
Posted on: November 16, 2022
Read the 1st installment of this series:
Data sovereignty: Is it time to rethink your cloud strategy? Part 1