Every now and then, an emerging technology trend thrusts itself onto the boardroom agenda and becomes a strategic issue seemingly out of nowhere. So it is with sovereign cloud: when we speak to digital leaders at enterprise organizations, they name it as one of their biggest headaches.
Sovereign cloud has emerged from decades-old data protection legislation, centering on how personal and other sensitive data is managed and processed. While such regulations are rooted in the last millennium, over recent years, they have broadened in scope and impact, responding to the significantly increased potential for data misuse and other security risks from the proliferation of cloud adoption.
Personal data regulations, like the pan-EU GDPR, national laws across 36 African countries, and statewide regulations such as California’s CCPA, have been supplemented with industrial data and cloud security legislation, for example, the US CLOUD Act, or the Cloud Infrastructure Services Providers in Europe (CISPE)’s code of conduct.
The resulting, complex web creates tangible challenges to international business, as organizations stipulate which regional and local laws must be upheld to do business. While the differences between regulations may be small, for example, on what information can be stored, the task of working out where data can be situated and how it needs to be managed falls on technical leadership.
A further exacerbating factor is the more dynamic geopolitical landscape of recent years. Changes to governments and increased global conflicts have undermined trust in international data treaties. Whereas before, it might have been acceptable to host certain data in another country, enterprises now want to store data locally as a buffer against future changes.
These and other factors have driven a comprehensive and urgent need to manage locally sourced data in a way that satisfies local laws and creates confidence that future risks will be mitigated. Straightforward in theory, perhaps, but any response almost immediately hits reality. Organizations already store vast quantities of data across multiple cloud and software-as-a-service providers, which offer only partial visibility and transparency on how and where that data is stored.
Meanwhile, of course, enterprises see data as a major pillar of innovation. Simply repatriating (or indeed deleting) data is not always an option: this could run counter to business goals, even if it were practical. Instead, data needs to be stored, managed, and processed by cloud and software service providers in such a way that addresses the challenges described here.
The term ‘sovereign cloud’ has emerged to describe this response. However, technology vendors, cloud providers, legislative unions, governments, and standards bodies are grappling with the shape of the problem space, which continues to expand to data types other than customer data, for example, operational telemetry and security information.
Business leaders face challenges today and need answers now; they cannot wait for sovereign cloud frameworks and solutions to be defined. So how do they address the dilemma between innovation and control in their business strategies, protecting information as a strategic asset and remaining compliant while still being able to innovate? And what do they need to consider in practical terms?
Sovereignty Challenges and Opportunities
To answer this question, we can consider what sovereign cloud means in real terms. We would first advise separating:
- The principle of data sovereignty, also referred to as digital sovereignty, which impacts how various platforms and data types are stored, kept compliant, accessed, and securely managed.
- Data-related problems facing the organization, including challenges caused by going cloud-first before sovereign cloud increased in importance.
Considering the principle first, we can identify multiple generic challenges to a business, but let’s consider them as a review of an organization’s data assets. While many organizations do not have a good handle on how their data is stored, classified, and managed, it is never too late to review what good should look like in terms of a new or revised enterprise architecture.
An organization’s business models will largely dictate its data needs. For example, enterprises interact with suppliers and deliver goods and services to customers, with multiple stakeholders (partners, regulated governmental organizations) involved en route. Specific personal data (e.g., healthcare data or governmental metadata, which must be stored on sovereign soil) may be subject to more rigorous controls than other data types.
In reviewing business models and data requirements, the additional step (brought by data sovereignty) is to consider local jurisdictional needs, treating each as a first-class citizen and as table stakes for doing business.
Geographic or localized policies and constraints on data storage, processing, and management can contribute to an overall data sovereignty picture. This will reveal multiple business-related challenges that go to the heart of the sovereignty dilemma. For example, consider how users, customers, and businesses want access to their own data wherever they are, which will dictate the kinds of security controls required: it is convenient to use online banking when on holiday, and global companies need to view information about clients wherever they are situated.
If it doesn’t already, the role of the chief digital officer can expand to report on this, so as to answer the question, “What is our sovereignty exposure?” Having collated, debated, and understood what data sovereignty should look like for the organization (the first challenge), attention can turn to how data is currently stored, processed, and managed.
We can consider this in terms of the following:
- The differences and gaps between principle and practice
- What the architecture must look like in practice across cloud providers and on-premises
- How data can be managed according to these needs, based on existing and planned solutions
- What operational considerations should be taken into account
This, too, will reveal several challenges. The foremost issue is that gaps will seem onerous to the point of appearing insurmountable. Simply put, “We’re supposed to manage data for clients in countries X, Y, and Z in a certain way, and we’re not—but we can’t see how we can.”
Rest assured that answers do exist, and multiple benefits come from addressing the challenges. A sovereign cloud smart strategy puts the organization back in control of its data assets, reducing cloud provider lock-in and, indeed, unlocking innovation. In addition, addressing this now will put many enterprises ahead of the competition. There may also be reduced operational costs, as running a well-managed data architecture (required to address sovereignty) is less expensive.
Alongside the benefits, it is worth reporting on the costs of inaction. Addressing sovereignty is a legal requirement, not an option: the risks of inaction can be measured in terms of jurisdictional fines and restrictions on doing business. Meanwhile, the costs of adopting a piecemeal approach are likely greater than thinking strategically due to initial duplication of effort and subsequent needs to align multiple smaller strategies and deployments.
The Solution Approach
So, how to address these challenges and define a way forward? We have already highlighted the need to conduct a strategic review of the organization’s business models, data architectures, and current classifications, incorporating sovereignty. This review will highlight discrepancies in existing architectures and practices and should also offer a set of strategic priorities. These form the backbone of the cloud sovereignty strategy, with benefits set out to support the business case.
With this in place, the organization can move from strategy to action. While the cloud sovereignty strategy may address a business problem, it will be addressed with technology solutions first. As we have already said, there isn’t a one-size-fits-all solution. Providers are still building their capabilities, and in the hybrid/multi-cloud world, enterprises need to look for capabilities that run across providers and jurisdictions.
However, a clear need exists for platforms that offer data sovereignty, residency, and access, including the ability to, for example:
- Classify data by type, importance, policy, and locality
- Apply controls to data centrally and locally
- Customize platforms and associated data policies
- Deliver reports necessary to show compliance
- Move data and workloads between providers without lock-in
- Integrate with other reporting capabilities, e.g., ESG
Given how this space is evolving, technology leadership should look at existing features and roadmaps, as well as functionality within the platforms offered by hyperscalers, as cloud-agnostic software stacks or as third-party capabilities. You will likely need a combination of all three, ensuring they meet your own goals, such as jurisdictional control, local deployment, data portability, and overall cost of ownership.
By assessing the market landscape this way, decision-makers can identify which parts of the strategy can be addressed with existing providers versus where the organization needs augmentation, or change, of provision. This accounts for the costs and overheads of migrating application and data architectures if they’re already deployed and used.
With this information in place, you can create a delivery plan. Be in no doubt that the impact of the cloud sovereignty strategy will be felt both broadly and deeply. You can expect to see:
- Business process change to incorporate sovereignty aspects
- Organizational change, for example, in-country technical staff
- Technical deployments, including instantiation of data stores and backup systems
- New automations, for example, around data classification and policy management
- Operational improvements, including keeping metadata and telemetry in-country
- Skills requirements across both technical and business teams
- Supplier management adaptations to work with local partners
Cloud sovereignty touches everybody in the organization, particularly those in a global role. So, fundamentally, delivering on the strategy requires a change management approach with the usual elements of communication and engagement.
As we have seen in this short exposé, sovereign cloud must be addressed both strategically and holistically, as it impacts the entire organization. Unfortunately, the technology industry is still in catch-up regarding solutions provision; nonetheless, enterprises cannot afford to wait, as this leaves them legislatively exposed.
Of course, it is impossible to put together a cloud sovereignty strategy correctly overnight. However, there is no time like the present. Sovereignty is a necessity, not an option, and the market landscape will become more clearly mapped out in the coming months.
Equally, after attempts to make the journey to a single cloud provider, most organizations today still operate a hybrid, multicloud environment. By aligning data sovereignty with this broader cloud strategy, organizations can deliver the architectures they need to drive innovation, whether elements of these run with local providers, hyperscalers, or, indeed, on-premises.
Fundamentally, a well-controlled data architecture becomes an asset to the business rather than a liability. Let nobody underestimate the scale of the challenge, but unlocking sovereignty also provides the keys to the digital enterprise.