Deciphering the Sovereign Cloud
In the sixth edition of this magazine, we took a deep dive into digital sovereignty, defining it as the degree of control an organization has over its entire digital environment.
When applied to a cloud environment, sovereignty differs from security by considering the sovereignty risks induced directly or indirectly by cloud providers. The primary indirect risk is foreign interference using an extra-territorial law or government pressure on the cloud provider. Hence, a sovereign cloud is a local concept with a different answer from one country to another.
We could define sovereign cloud with a risk-based approach, saying it’s a cloud environment that covers at least part of the sovereignty risks. However, in some countries (especially in Europe), it is mainly defined by a certification issued by a national agency such as SecNumCloud in France, C5 in Germany and ENS in Spain.
We would also like to emphasize that sovereign cloud is too often reduced to data confidentiality, but availability is just as important. What if your most business-sensitive service goes down with no way for you to restart it or recover your data?
Now that we have defined the key features of a sovereign cloud, let’s take a look at what it requires for cloud providers and customers.
A cloud provider’s journey to sovereign cloud
Outside of the USA, there are two cloud service provider profiles that emerge from data center (DC) operators.
These providers host and operate their services in-house, building their solution from a mix of off-the-shelf products and their own technologies. With their local footprint and clear role, even when depending on foreign technologies, they are the first to achieve sovereign qualifications such as the French SecNumCloud certification, on a limited subset of services (mostly IaaS) covering a small to mid-size capacity.
While their current concern is to expand their services portfolio, this may create staffing challenges for building services and running activities. Should they create technologies from scratch or buy them from another tried and tested manufacturer?
Additionally, they want to be able to operate at scale, inducing more automation needs and triggering some local footprint questions when settling in new geographic areas.
- These providers have the largest portfolio of services to offer, armed with an understanding of customer requirements and faster innovation.
- They ensure a very high level of confidentiality versus third-party disclosure.
- However, their global hosting and operations make them appear not to be sovereign — except from their home country.
- With high levels of industrialization and a least privilege approach deployed across their systems, hyperscalers score high on customer data confidentiality. They will continuously release new services to give customers more control for critical security elements.
- They invest a lot to demonstrate that the confidentiality of customer data is also preserved against the hyperscaler's own tools and personnel, investing particularly in promising Privacy Enhancing Technologies.
- However, for availability governed by the strictest certification schemes, their main challenge is to guarantee the localization of the whole stack hosting and operations. Even for locally hosted data centers sold in the region, they must clarify boundaries and dependencies between services to co-locate them. Most hyperscalers either rely on creating local entities for operations, or partner with local players.
Moreover, service providers that do not operate data centers (like SaaS) face sovereign challenges as well. Consuming services from certified sovereign cloud providers is not enough for them: they must implement additional security controls for their SaaS operations, and may optionally apply for a sovereign qualification as well.
A customer’s journey to sovereign cloud
Even if sovereign cloud is a hot topic in Europe, not every customer may need it. Customers need to first assess their requirements with a formal risk analysis. This risk analysis must consider the different sensitivity levels existing in their information system, which may not require the same level of sovereignty. Once this assessment is complete, a sovereign cloud may be their answer to the sovereign needs identified. These needs can be broadly categorized as follows:
Compliance with regulations and laws
Some standard public cloud offerings, especially from foreign cloud providers, may be incompatible with regional laws and regulations. In that case, the easiest way may be to use a certified sovereign cloud whose certification scheme ensures compliance with specific requirements. Alternatively, a risk-based approach must be taken.
In the future, especially in Europe, we foresee laws that will require certified sovereign cloud for some activities such as for Critical National Infrastructure.
Protection of business strategic data
Most customers have highly critical data like industrial secrets, innovations or even customer databases that need a high level of sovereignty. To maintain control over this data while leveraging cloud, they need to select a sovereign cloud with a risk-based approach. In a previous article, we shared a methodology to identify the sovereignty level required by different customers.
Once the required level of sovereignty is established, an important criterion for choosing the target sovereign cloud solution is the customer’s expectations about the cloud features they need. As described above, cloud providers’ sovereign services catalogs are not equivalent, and won’t match the same functional needs, depending on the customer’s cloud maturity level.
There are at least two different types of customers here:
Cloud customers focused on IaaS
For these customers, the focus is to migrate to the cloud for the agility, capacity and/or cost reduction it brings, but without transforming their applications. For them, all sovereign cloud service providers will fit their functional needs if they offer IaaS services.
Cloud native users
These customers want to benefit from cloud SaaS and PaaS services even in their sovereign cloud, because they are already using them for less sensitive perimeters. For them, it is currently very difficult to find a good compromise. Most SaaS providers fall into this category.
Sovereign cloud: navigating the challenges ahead
In conclusion, the sovereign cloud market is still being shaped by three key dimensions that influence each other:
- Emerging certification schemes and regulations
- A constantly evolving landscape of sovereign services by cloud providers that lacks variety
- Customers’ uncertainty about business and compliance requirements and timelines, and hesitation to zero in on the need for sovereign cloud
Finalizing a business strategy that incorporates a sovereign cloud demands time and an organization-wide commitment. While this article has outlined the different types of players in the sovereign cloud environment, both service providers and customers need to map their internal business goals and chart their own journey towards sovereign cloud.
Contact your Atos Business partner today to understand if sovereign cloud is the best response to your future business requirements and learn how Atos OneCloud Sovereign Shield can enable your journey.
Learn more about Atos’s cloud offerings at https://atos.net/en/solutions/cloud-solutions/onecloud.
About the authors
Cloud Solutions Architect, Atos
Vincent joined Atos in 2021 as a Cloud Architect. He has a strong background in cybersecurity, securing private infrastructures for the Defence and Space verticals, including customer requirements shaping, design and implementation phases.
Vincent is currently part of the Southern Europe Technical Office, and a member of the Atos Scientific Community.
Cybersecurity Global Business Development, Atos Senior Expert
Pierre Brun-Murol is part of the Cyber Security Global Business Development team at Atos. He has always worked in the cybersecurity domain, and since he joined Atos in 2013 he has contributed to various major cybersecurity projects and pre-sales in numerous cybersecurity areas of expertise: SIEM/SOC, Privileged Access Management, Cloud Security, etc. He was previously in charge of the portfolio for cybersecurity offerings in France. He is actively involved in innovative initiatives, both internal and external, with global partners. He is also appointed an Atos Senior Expert in Cyber Security.
Pierre holds an Engineer degree from Supelec and a research-based master’s degree in applied sciences (Computer Engineering) from Polytechnique Montreal.