With cloud sovereignty a hot-button topic, businesses might be thinking they too need to jump on the bandwagon. However, industry players tell ITPro that it's still very much a public-sector play.
Often confused with data sovereignty, the sovereign cloud concept is more about the frameworks governments put in place to gain or maintain control over the national cloud environment.
"It's broader than having sovereignty over your data," explains Eamonn O'Neill, chief technology officer and co-founder at cloud services and solution provider Lemongrass.
Sovereign cloud data may entirely reside within national borders and comply with that country's laws and regulations - as per data sovereignty and data residency. However, with sovereign cloud there's typically a further implication - that the data has reduced risk of being seen or accessed from another nation-state.
Multiple governments have stated interest in developing sovereign clouds, from Egypt, Singapore and the United Arab Emirates (UAE), to Germany, Equatorial Guinea, Ireland, and beyond – in fact, Oracle boss Larry Ellison is betting big that every country will soon have its own sovereign cloud.
O'Neill says governments may want more control beyond what hyperscalers currently offer, and for them the economics can work versus many business or private-sector customers.
"Most enterprises are quite happy with cloud provider controls because they're audited against so many standards," says O'Neill. "Users of Azure, Google Cloud Platform (GCP) and AWS get incredible control frameworks by default, and that's usually enough for enterprises."
That said, cloud service providers (CSPs) might still need to cover off sovereign cloud, which might typically be a more or less fully disconnected version of a cloud environment with limited functionalities.
Sid Nag, US-based analyst and vice president for cloud and AI services and technologies at Gartner, argues that offering full data sovereignty to business customers requires a thorough understanding of local regulations, data protection laws, and sovereignty requirements.
Advantages of sovereign cloud: Demand for control and transparency
Nag notes that effective service delivery in sovereign cloud environments specific to a region or country may in some cases entail the creation of local partnerships to manage and operate public cloud regions dedicated to serving specific country needs.
"Some providers offer their services as private cloud deployments, sometimes with a fully disconnected capability, with the same service catalog and user experience as public cloud deployments," Nag adds.
CSPs must ensure they can provide independence, autonomy, and technology control through disconnected cloud environments if they are to meet the highest achievable state of sovereignty for end-user organizations, he warns. Disconnected sovereign options might run as a regional offering, a country offering, or on customer premises to fulfil this requirement. Done right, feature and service parity can offer a consistent global cloud experience, and CSPs have roles to play.
"Treat partnership activities as a strategic asset to focus on addressing customer sovereignty requirements by including partners in your local sovereign cloud go-to-market strategies," Nag advises. "Either through a joint venture or a strategic partnership, depending on sovereignty requirements of the region or country."
For Nag, customers including businesses and perhaps some individuals may want a fully sovereign cloud – and not just because everyone is talking about it.
"They most certainly do, because the use of [public] cloud services continues to expand and is becoming critical for a growing number of workloads in both the public sector and commercial organizations," he says. "Governments and other regulators publish increasingly strict guidelines and regulations regarding cloud services for critical or sensitive workloads."
Sovereignty requirements stipulate that customers’ usage of what's typically understood as public cloud must be immune from the impact of foreign laws and mandates; sovereignty overall has become a key requirement for consideration alongside other controls requirements such as security, resilience, residency and privacy, he agrees.
It's about continuing to benefit from increased flexibility and scalability of cloud versus on-premises storage while addressing data storage and management.
"Governments [and others] want to be able to put their hand up in the wind and say they know that this is secure, against the controls," Lemongrass's O'Neill agrees, noting that it's not about hiding data and information so much as supporting the ability to connect. "They want to see, and demand, those controls. Developing sovereign clouds is a sort of compromise, if you like. It's about how to take advantage of amazing technology but also have things your way."
Disadvantages of sovereign cloud: Cost, complexity, and compliance
O'Neill adds however that cost and complexity are two of the biggest potential drawbacks – as with many other technological advances. Cloud, of course, is rarely straightforward, with current burdens and risks including security, finance and cost.
Mark Boost, chief executive at cloud services provider Civo, agrees, although he believes that walling something off can be restrictive, in the sense that it can prevent specific actions.
Some investments in sovereign cloud have focused on hosting of government services – potentially putting all their eggs in one data center. That can be risky and complicate how countries support or work with data centers, IT providers, and other entities.
Then there’s the issue of compliance. In December 2023, Microsoft announced it was making its sovereign cloud available to all regions, including Europe, as if realizing that if it didn’t it could lose business. However, Microsoft remains a US company, and the US Cloud Act allows access to any data hosted on its platform.
"That data can flow out of Europe to the US. The fact that it can happen means it's not sovereign, Boost tells ITPro. "The devil can be in the detail when it comes to sovereignty claims. What's truly needed is full transparency of what that means in each case," Boost says.
Similar moves have been made by other cloud giants, most recently AWS, which has also been forced to contend with the thorny issue of compliance. It revealed in May that it would be investing €7.8bn over the next 15 years as part of a new sovereign cloud region, including much tougher rules that allow customers to keep all locked inside of the EU.
Customers may need to consider who their partners are across their supply chain and where they are based. If it's in another country, who has access to the data? What happens if their technician or someone else logs on - for example when there's an issue - to access that data? Those situations may all need to be considered before claiming to offer full sovereignty, argues Boost.
Choices of provider and strategy might be limited, although perhaps not in a country like the UK that's generally developed all the services required. A smaller country might only have a small data center with a subset of services. And where there are cloud sovereignty guarantees written into service level agreements (SLAs), the cost might rise, especially for smaller businesses, Boost agrees.
As usual, it's all a moving target as compliance and regulation continue to evolve.
