After 2013, when everyone found out about PRISM, the US National Security Agency surveillance program, which collected data not only of the US nationals, but also abroad, the rules of digital exchange have started shifting. Over 145 countries now have a legislature on privacy — and it envisages the processing of all citizens’ data within the borders of their state. This was how demand for sovereign clouds emerged.
According to VMware Explore US estimates, the sovereign clouds market will reach $60 billion by 2025. Little by little, the companies choose this solution — VMware and IDC research shows that 53% of organizations on the planet plan on increasing the sovereignty of their infrastructure by 2028. But now they face such obstacles as high price and complexity in building a supremely secure system.
In this article, we show why everyone wants to have a sovereign cloud and how this service will soon be the standard of practice.
VMware Sovereign Cloud
One of the most common concepts of cloud sovereignty is the system developed by VMware. The company developed a special framework under its initiative, uniting cloud providers committed to data protection. The main idea of the company’s concept is that all data hosted in the cloud remains under the exclusive control of the country where it was collected, and operations with this data are conducted under national law.
If we look closer, according to VMware, a sovereign cloud:
- protects critical data of private and public organizations;
- supports the national economy;
- uses security mechanisms that are tested and approved at the state level;
- ensures compliance with data privacy laws;
- improves client control over information.
Types of Sovereign Clouds
There is no single perfect concept of a sovereign cloud — each provider offers its own vision of this service.
One of the most stringent sovereign cloud models is offered by the American provider Oracle. It includes the following requirements:
- Physical data storage within one country;
- The client controls who access their information and from where;
- Technical support and server maintenance are provided only by citizens of the same country;
- The cloud complies with the laws of the country where it is located;
- There is a dedicated server connection to the internet.
Oracle has also developed a sovereign cloud tailored for the EU, allowing corporations operating within the European Union to instantly access infrastructure that complies with GDPR (General Data Protection Regulation), European Data Protection Board recommendations, and other regulations.
Google Cloud does not have its own standalone service of this type, so it forms partnerships with local telecom companies to create sovereign clouds in different countries. Currently, the system operates smoothly in Germany, where the local company T-Systems has an exclusive ability to control the infrastructure on the Google Cloud platform, and the tech support consists only of EU citizens. Similar services have been implemented in France, Italy, and Spain.
Microsoft launched its sovereign cloud, Cloud for Sovereignty, in July 2022. It operates through over 60 Azure regional data centers, providing access to all standard Microsoft cloud services (Microsoft 365, Dynamics 365, and the Azure platform) and allows users to manage the placement of their data in these services and other cloud-deployed products.
Amazon Web Services claims that their clouds are “sovereign by default,” and in 2022, they introduced the Digital Sovereignty Pledge, promising “uncompromising control” over their clients and their compliance with sovereignty requirements. Users independently choose where their data is stored, who has access to it, and how it is encrypted.
Why It’s Needed
Regulatory requirements in certain sectors call for the use of a sovereign cloud, particularly in government, financial services, and healthcare. It is the very data that must be specially protected from external interference, as it involves state secrets and other confidential information that is especially vulnerable to malicious actions.
In general, businesses don’t always need a sovereign cloud, but it’s recommended — the practice makes it easier to comply with regulations like GDPR, improves the reliability of the company’s operations, and guarantees that customers have no issues with data protection. This is especially convenient for small and medium businesses, which may not have the resources to keep up with all the information security requirements — it’s easier to delegate such tasks to a trusted cloud operator.
When a service provider employs only citizens of a given country, collaborates with local contractors, and pays all taxes and fees into the national budget, it supports the local economy. Additionally, it’s easier to handle payments with it: since the provider’s legal entity is registered in the same country, payments are made in the same currency, and the contract operates under a single legal framework.