The realization that ‘the cloud’ is not, as Californian marketers have long pitched, some borderless fog of code in the sky, but primarily about data centers built on land under local regulations, is dawning on businesses. At least, according to a recent report from services giant Capgemini.
The proliferation of cloud infrastructure, and on-demand services, software, storage, and computing, has brought “cloud sovereignty” to the fore.
A key issue is data sovereignty – where data is stored, who can access it, and under what circumstances. Another is perhaps more challenging – operational sovereignty, in terms of who the provider is and how easy it may be to decouple from them, if they are not based in the same nation or region as the client organization, or their preferred legal jurisdiction. Technical sovereignty is another key consideration.
The global context is that organizations are becoming increasingly tied to the fiefdoms – and sometimes walled gardens – of a handful of large suppliers, without always being aware of where their data is held, and who is really in charge of the considerations listed above.
The report, The Journey to Cloud Sovereignty, says:
Cloud sovereignty is falling under increasing scrutiny as organizations and governments strive to limit their external exposure and retain control over critical assets in the wake of rising geopolitical tensions, shifting data privacy laws, and the dominance of select cloud players.
Worldwide spending on cloud services is expected to reach $1.3 trillion by 2025, says the report, reflecting an annual growth rate of nearly 17% – doubtless accelerated by the pandemic pushing many operations into the cloud to support a greater need for remote working.
For many enterprises, the cloud is both an aspiration and a destination – almost a creed: Capgemini quotes Chris Nims, SVP of Technology at financial services firm Capital One Financial, saying:
We declared the cloud as our destination, which began with the declaration that anything new could only be built in the cloud. We didn’t just do it in pockets ... we made the declaration that we go all in.
But the report explains:
Although organizational definitions and levels of understanding of cloud sovereignty vary widely, our research reveals that factors and concerns that are closely linked to sovereignty are gaining importance when organizations formulate their cloud strategies.
In particular, the importance of security, transparency, openness, and interoperability is reflected in the worries that organizations have about their current cloud environment, says the report:
A CEO of an Australia-based private healthcare organization comments, ‘In hospitals, your storage is enormous: you have confidential patient records and hospital information systems such as PACS [the Picture Archiving and Communication System], with all the medical details on patients.
‘Here, cloud has a lot of benefits, as it gives doctors and nurses easy access to prescribe or check on their patient from their home or anywhere. However, it is a threat if this data gets into the hands of non-authorized entities, which can be a possibility if it is a non-sovereign cloud environment. This is a big concern among many healthcare CEOs today.’
Such fears are not without foundation: at a pre-Covid policy conference in London attended by representatives of the Information Commissioner’s Office (ICO), banks, large enterprises, charities, and government departments, many speakers – when asked directly by diginomica – admitted that they had no idea where, geographically, their data is held or processed at any one time.
The context of that question was Brexit: the likelihood that the UK would, at some point, tear up GDPR and thus put Britain’s fragile data adequacy agreement with the EU at risk. That scenario is now coming to pass, and yet research typically shows that a majority of UK organisations still host services or store and/or process data in Europe at least some of the time, because that’s where most large cloud providers have located their data centers.
These specific concerns are largely absent from the Capgemini report, except as overarching themes in a global context. For example, the report says that 66% of organizations “globally and in the public sector” consider local/regional data-centre offerings of cloud vendors to be a key selection criterion.
The European Commission (EC) has been at the forefront of rolling out initiatives that allow the region, organizations, and individuals more control, choice, and autonomy over their data, systems, and applications in the cloud.
Capgemini’s research reveals that 69% of organizations are concerned about potential exposure to extra-territorial laws in a cloud environment, rising to 75% in manufacturing and 74% in life sciences. European countries, ever alert to the growing dominance of US Big Tech companies, are especially concerned about cloud or data sovereignty, in terms of who may have access to privileged data.
Across all sectors, an average of 73% of respondents have security or resilience concerns related to public cloud vendors, with 67% worried about operational dependency on providers outside the home nation’s jurisdiction.
Organizations are also becoming more concerned about how to control the flow of data across boundaries and how to contain data in certain regions within the cloud environment, says Capgemini:
Our research shows that factors related to sovereignty are gaining influence when organizations are selecting a public cloud platform provider. As the director of a leading industrial automation firm states: ‘When selecting a cloud provider, the key factors to consider include: Where is the data stored? Is the data safe and secure? Is it encrypted at rest and when in transit? And regarding the longevity of the data and also audit: Is that company getting audited? Is there a third-party auditor that audits the safety and security of the data and, most of all, is there vendor transparency? Transparency is very important because, if the data gets subpoenaed by an agency or federal government, it is necessary to be informed that the government agency is asking for data about the company.’
However, the core issue in Capgemini’s estimation is this – cloud sovereignty is driven externally by regulation, and internally by organizations’ need to control their data.
Yet currently, many organizations are limiting their definitions of cloud sovereignty to data localization – with 43% of organizations focused on keeping their data within their preferred jurisdiction. Only 14% define cloud sovereignty as the exclusive use of cloud providers based in the same legal jurisdiction and storing data within the borders of a country or region.
This shows that, despite organizational concerns around potential exposure to extra-territorial laws, only a few organizations are expecting to decouple from their current cloud providers. Rather, they are focusing on the possibilities for innovation and scale provided by hyperscalers, and are looking to their service providers to afford options for managing their sovereignty issues.
In short, many are leaving it up to their providers to fix. The flipside of the coin may be that there is no comparable provider locally.
Beyond data localization, organizations also expect cloud sovereignty to build trust, foster collaboration, and accelerate the move to a data-sharing ecosystem, explains the report:
60% of organizations believe that cloud sovereignty will facilitate sharing data with trusted ecosystem partners and 55% of organizations believe it offers more collaboration opportunities. Sixty-three percent of organizations believe that cloud sovereignty will provide them with a secure, trustworthy environment for data storage. Organizations also indicate viable use cases such as collaboration-led data platforms, data exchange, and collaborative real-time monitoring to start their cloud sovereignty journey.
So, what does Capgemini recommend that decision-makers actually do to manage this complex issue?
The report suggests a four-point plan: Define, Assess, Align, and Develop:
• Define sovereignty objectives; understand the laws of the land for digital sovereignty; track key developments in the cloud and data-sovereignty space; continuously assess risk exposure; and set up a compliance organization.
• Assess cloud providers through a sovereignty lens – including data sovereignty (for data residency, controls, transparency, storage, back-ups, etc.); operational sovereignty (for security, compliance, and operational resilience); and technical sovereignty (to assess interoperability, migration features, and clear exit policy/process).
• Align for a flexible cloud architecture: Identify your sensitive workloads and most viable use cases; consider end-to-end encryption, as well as key management solutions. At the same time, evaluate hybrid options, and prepare for a multi-cloud architecture by understanding the potential as well as the challenges it brings.
• Develop the potential of sovereign cloud by exploring its value proposition in terms of trust, security, and collaboration through ecosystem participation.
A timely and useful report that addresses a critical issue, one that is often obscured by market-led messaging.