With enterprises moving to the cloud, legislation has caught up and now enterprises struggle with staying compliant. The trend has also given rise to the term ‘sovereign cloud’, which crops up more and more in vendor marketing and offerings.
Over in Europe, where there is a substantial percentage of cloud skeptics, privacy concerns used to rule; now, sovereign cloud is sometimes used as an argument that “the cloud is not ready”. That is a dangerous holdout position, as competition-changing adoption of IT only happens in the cloud. From lakehouses and IoT, to advanced machine learning, to the first artificial intelligence use cases, everything happens in the cloud. Moreover, SaaS vendors have either brought their offerings to the cloud or are in the middle of doing so. So, the cloud is unavoidable, and we are nearing the stage where holding out will not only be detrimental to an enterprise’s success, but will also come close to affecting its wellbeing. When you hear the sovereign cloud argument used to delay and/or challenge a move to the cloud, do not allow for that argument. In other words, do not bet against the cloud.
Unpacking sovereign cloud
For a long time, legislation has stayed behind the cloud race, and only recently has it caught up and started to regulate cloud activities of enterprises. The key legislative pieces are Europe’s GDPR legislation from 2018 as well as the US CLOUD Act.
When looking at sovereignty in the cloud there are the following key aspects and variables:
- Location. Obviously, location matters, as nations and combinations of nations (e.g. the EU) legislate where locations for certain workloads must reside. One obvious example is how government workloads need to stay inside their respective country.
- Access control. The next is all about who has access to the system and the data. Can an enterprise control that 100 percent? The question to ask the cloud provider here is – can the workloads be set up in a way that the cloud provider has zero access and visibility?
- Operators. When using third-party operators, the question is where they reside and which passport(s) they hold, in order to understand the pressure a foreign power could put on operators who have access to the data in order to get to that data.
- Support. The same question needs to be posed to the same operators regarding the personnel who provide support. Where do these people reside, which passport(s) do they have and what access do they have? A cloud workload might be 100 percent compatible with sovereign requirements and still fail in this regard.
- Network security. Nefarious government and non-government actors are likely to try to get access to sensitive data via the network. Here the key aspect is how a cloud provider can separate the access; the capability to ask for in 2023 is the “air gap” between different network domains.
- Code inspection. Even if all requirements above are met so far, an upgrade with malignant code/spyware may still leak the data to interested parties. Therefore enterprises need to question and ask for the cleanliness and safety of code used for their workloads. This area – the whole software supply chain control – is a nascent one in security and will get more attention in 2023.
- Data storage. One of the key aspects of sovereign cloud is where the data is being stored exactly. Legislation has so far primarily focused on location. The challenges for enterprises that need to operate globally but must segregate their data are taxing ones.
- Data processing. How data is stored is one thing; how it is processed is another. Legislation often leaves a hole when it comes to putting data into memory, as data is not kept there for long. But memory technology has progressed, and more data is kept in memory for longer. Enterprises need to understand how and where data is processed, and whether it may reside in memory in locations that are not sovereign cloud compatible, leaving them open to potential data theft.
Do not forget – industrial espionage
The conversation around sovereign clouds typically only accounts for state actors. That comes as no surprise as states want to guard themselves against actions from other states – but the challenge for an enterprise is much more the not-so-ethical competitor who is going after data, intellectual property and trade secrets. When states support their enterprises in this effort, things can get bad quickly. So CxOs need to pay attention to the risk of data being subject to industrial espionage – and that is independent from the data being in the cloud – or on premise.
Do not forget – social engineering et al.
The most likely source of data breaches is through good old social engineering, where bad actors get access to systems using the credentials of (more or less) naïve employees. This is a risk to address both internally and with cloud vendors, as the best protection and compliance all fail when a social engineering approach breaches your data.
The dirty secret
So far most large enterprises have operated out of either the US or the EU, making sure they are compliant with US and EU sovereign cloud requirements – and ignoring the rest of the world. The challenge for enterprises is that fragmenting data makes their cloud processing more expensive and at the same time reduces visibility and the ability for enterprises to take action on the data. Compliance with sovereign cloud requirements is effectively creating what I dub enterprise deceleration – something CxOs do not want in an era where enterprise acceleration is paramount for enterprise success.
A good example was the recent Schrems II judgment of the Court of Justice for the European Union that annihilated the EU-US Privacy Shield, but still allows standard contractual clauses (SCCs) between data exporters and importers. But these need to be vetted on a case-by-case basis. Did you update all SCCs with the new EU template by December 27th 2022, dear reader?
Also, as far as SaaS applications are concerned, the vendors pretty much punt the question to enterprises: decide if you want to deploy in either the US or the EU. Today’s SaaS architectures do not do well with disparate data sources, so for enterprises to keep global visibility and execution capabilities is a major challenge.
Here are my recommendations:
- Understand your workloads. Understanding your workloads has always been important, but for sovereign cloud considerations it is critical. Some are more critical and need more attention; others are not. Categorize workloads into very critical, critical and non-critical.
- You need a chief data officer. Legislation and court cases in this field move so fast that enterprises need someone who cares about data, so it is time to establish a chief data officer. Depending on the importance of data, have the new role take care of sovereign cloud compliance or create an additional watchdog with a chief data privacy officer.
- Get the risk balance right. It is clear by now that achieving 100 percent compliance for enterprises is not possible. Not only is there an ongoing cost to compliance, but data fragmentation practically slows enterprises down. If the competition is not following the compliance, it may well get the upper hand. No state is going to bail out an enterprise that has gone under because of sovereign cloud compliance. Consider that potential fines might be painful, but a potentially necessary risk to incur.
- Look for cloud vendors. The good news is that cloud vendors have woken up to the topic, providing more locations than ever in multiple key economies around the world, with a mixed set of operator, support and networking options to choose from.
The takeaways
Compliance is hard and expensive. The new extent of the regulation introduced by sovereign cloud requirements is that it may take a business out of business, as such. My local newspaper, The San Diego Union Tribune, decided not to be available inside of the EU, because of the burden of GDPR legislation. When a media company opts out from being global, leaving its subscribers stranded in certain regions, you can see that as the first warning regarding the cost of regulation.
For enterprises, it is all about striking the right balance between regulation and business agility, with an eye on the behavior of the competition. Staying and remaining competitive must be the foremost goal of all CxOs. In conclusion, when it comes to regulation, compliance and sovereign cloud, it’s time for a reality check to stay as ruler of your own world, and not end up a rube.