Can you risk avoiding cloud sovereignty?
With the increased adoption of multi-cloud strategies among organisations comes the need for increased attention to security, particularly regarding sensitive data, data classification, privacy, and sovereign clouds. Sovereign clouds are managed and operated privately or through a third-party sovereign cloud provider, often used for sensitive data and applications. Sensitive data may have a broader scope than people realise and can vary depending on the context and the industry the company focuses on. For example, in healthcare, sensitive data might include medical records, while in finance, it might include financial records and credit scores. In government, it might include classified information related to national security.
Unfortunately, many organisations still need to be more open to using sovereign clouds, despite the risks of avoiding them. And there could be several reasons for this:
- Awareness – the need for more awareness or understanding of the concept of sovereign cloud and its benefits.
- Comparisons – concerns about sovereign cloud solutions’ availability, performance and costs compared with public cloud ‘hyperscale’ offerings.
- Legal and regulatory barriers – data sovereignty and compliance requirements may prevent organisations from adopting sovereign clouds.
- Status quo – stick with the cloud providers they are already familiar with and have invested in rather than exploring new options.
However, avoiding sovereign clouds and using public clouds can pose several risks to an organisation’s security and privacy.
Firstly, public clouds are typically owned and managed by third-party providers who may have different security controls and protocols than in your organisation. This means your data could be vulnerable to unauthorised access, theft, or misuse by hackers, insiders, or other malicious actors. This is something recently highlighted by President Biden, that there needs to be regulation of the security practices in the public cloud, which poses a considerable risk for sensitive data.
Public clouds also often rely on shared infrastructure; the data and resources of multiple organisations are stored and processed on the same servers and networks. This increases the risk of data leakage or cross-contamination, where sensitive data could accidentally or intentionally be accessed or exposed to other users on the same platform. Shared platforms come at a functional cost, typically security and performance. Resource contention and degraded performance can exist depending on the underlying hypervisor used in the public cloud. Public clouds often limit the computing, network, and storage resources customers can use to work around this, resulting in high costs vs. resource performance and many customers moving workloads out of their cloud. Recent examples include basecamp and 37Signals.
Additionally, public clouds are subject to legal and regulatory requirements that may not align with an organisation’s security and compliance needs. For example, public cloud providers may be subject to foreign laws such as the U.S. Cloud Act or government surveillance such as FISA, which could compromise the confidentiality and integrity of the classified data. In Europe for example, the U.S. Cloud Act raises concerns about the privacy and data protection of EU citizens, as it potentially allows US authorities to access their personal data without sufficient safeguards or oversight. In summary, it conflicts with the EU’s General Data Protection Regulation (GDPR), which requires companies to obtain explicit consent from individuals to process their personal data and ensure adequate data protection measures are in place. Consider data in all its forms including metadata, telemetry data, accounting data and support data, the sphere of influence to consider is much larger than you think. Exposure has been documented many times in the press.
The organisation should control the management and visibility of its data as it is stored and processed in a third-party environment. The public cloud needs more standardisation across the public (multi) cloud to allow the organisation ability to audit, monitor, and enforce security policies and procedures. Public clouds are highly distributed and complex, making a comprehensive view nearly impossible. This is compounded by a shared responsibility model for security where customers are responsible for using the public cloud features to secure their own data. The public cloud is very good at rapid scaling, which can challenge keeping track of security policies over multiple resources.
Finally, all public clouds have differing capabilities and toolsets, creating challenges with the levels of security possible but also the enforcement of security.
Overall, the risks of putting any data in a public cloud can be significant, and organisations should carefully evaluate and mitigate these risks before deciding to use such services.
However, is sovereign cloud a nirvana?
Organisational concerns about sovereign clouds range from solutions’ availability, performance, and cost to traditional public cloud offerings. But to what extent are they legitimate? Let’s dig a little deeper to find out.
Firstly, let’s start with availability. Sovereign cloud solutions may have a different global reach and availability than traditional public cloud offerings; a view could be that this limits their ability to support geographically dispersed workloads and users. Sovereignty is not a global matter but a national one or shared region in the EU, for example. Sovereign cloud solutions ensure high availability within national geographies and data centers within the Sovereign region; going across borders would mean differing jurisdictions and laws about all aspects of data and cloud. Ensuring the availability of data and services is critical for operations that Sovereign cloud providers manage, such as operations of national interest.
Next, it’s important to consider performance. Sovereign cloud solutions, like all cloud solutions, will have different levels of performance and scalability than public cloud offerings. This could be viewed as limiting their ability to handle high-volume, resource-intensive workloads. Sovereign clouds are built and designed to meet sovereign customers’ needs; many Sovereign clouds operate at very high levels of availability, exceeding public offering capabilities. Operations of national interest and specific verticals have unique application requirements.
Another factor to think about is cost. Sovereign cloud solutions may be more expensive than traditional cloud offerings due to higher operational costs, lower economies of scale, and the need to maintain specialised infrastructure and talent. Cost is a critical cloud component, and partners such as VMware Cloud Providers work on a pure consumption model.
Sovereign Clouds deal in security and compliance; sovereign cloud partners invest significantly in the enhanced vetting of personnel, infrastructure, and systems aligned to the data classification and industry vertical, which you will not find available in public clouds.
Granted, regional cloud providers do not have economies of scale like public cloud providers, but in terms of volume, many Sovereign cloud partners have very large cloud estates. For example, OVH Cloud in France builds its own hardware and has 100,000s workloads running in its environments.
The final point to consider is innovation. Sovereign cloud solutions may have a different level of innovation and feature development than traditional cloud offerings, limiting their ability to keep pace with evolving business needs and technology trends.
Thinking about this differently, public clouds, to be resident, must limit their portfolios to only those that can be resident, separated from SaaS control planes, and this limits innovation.
Innovation can be seen in one or two ways; that which is out of the box (SaaS and PaaS) and that which must be built using new infrastructure and services. An out-of-the-box solution, such as an industrialised cloud solution, could be great to get going quickly. Still, it is potentially a considerable concern for compliance and security. Whereas building a solution to meet your needs offers the opportunity to consider compliance and security from the get-go (which should be a best practice). With data compliance, regulation and governance of data privacy and industrialised data still evolving, it is better to innovate and involve all lines of business to build the right solution.
A sovereign cloud has a critical place within a multi-cloud strategy. The question is, do you want to accept the risks involved in avoiding it?