Using cloud services has now become an essential component of digital transformation. However, the dominant cloud service providers are not European and, following the recent Schrems II judgment, transferring personal data to these services has become increasingly problematic. This is just one factor behind the increased interest in the idea of the sovereign cloud.
The Impact of Globalisation
Globalization has provided many benefits allowing nation-states and organizations to obtain what they need, when they need it from wherever it is cheapest. This has reduced the costs for citizens and businesses alike but has created an increased dependency on ever more extended supply chains. The COVID epidemic and subsequent supply chain disruptions have called this approach into question. The notion of the sovereign cloud needs to be seen in this context.
Cloud sovereignty involves several areas, these include but are not limited to the protection of personal data. It also includes the protection of intellectual property, commercial secrets, as well as other forms of sensitive information. It concerns the influence that service users have over the legal frameworks that bind the service through a say in government. Also, their confidence in service continuity not only in the event of natural disasters but also of geopolitical conflicts.
The Sovereign Cloud
The idea behind the sovereign cloud is to ensure that the services provided are within the control of the jurisdiction where it is used. This can be achieved in several ways through legal, and technical measures as well as physical location. Within Europe, there are already several cloud services that are locally owned and delivered. However, these services find it hard to compete against the level of functionality provided by the global hyper-scale cloud services and the economies of scale that they enjoy. Therefore, using purely local providers often involves increased costs and or reduced functionality.
Another approach is for state-sponsored projects. However, these have a chequered history when it comes to innovation and, in any case, the richness of the existing hyper-scale cloud services leaves an enormous gap to close. Therefore, quite sensibly, the European GAIAX project does not seek to replace the existing cloud services but rather to increase local control. Google, together with other hyper-scale cloud providers, is a founding member of GAIAX.
Privacy of Personal Data
This Schrems II judgment has crystallized the risks around the privacy of personal data highlighting the differences in the rules between jurisdictions. The consequences of this judgment are still being played out and can be very disruptive. For example, the Portuguese Information Commissioner gave the Portuguese Census Office twelve hours’ notice to cease and desist from using a US based cloud service.
The use of cloud services that are owned and operated by providers that are outside the jurisdiction where they are used creates a risk. This is that a provider in another jurisdiction may be legally obliged to obey instructions from their government and that this foreign government is not bound by commercial contracts made by providers with organizations outside of that jurisdiction. This risk is highlighted by the Schrems II judgment.
The European Data Protection Board recommendations identify three points at which the privacy of data can be compromised – during transfer, at rest in storage, and while being processed. The recommendations cover contractual tools such including standard data protection clauses (SCCs), binding corporate rules (BCRs), codes of conduct, certification mechanisms, and ad hoc contractual clauses. The EDPB also provided an updated Joint Opinion 1/2021 on standard contractual clauses between controllers and processors. In addition, the EDPB recommendations require supplementary technical measures and describe three approaches for which example use cases are provided. These technical steps include encryption, pseudonymization and multi-party computing.
Four Key areas of Sovereignty
There are four key areas of sovereignty which should be considered. These are data sovereignty, operational sovereignty, technical sovereignty, and sovereign ownership.
Data sovereignty – the customer should have control over the access to and the use of their data. This is what the technical measures from the EDPB are intended to enforce. Since many data processing regulations specify this, the customer should also have control over the physical location of their data and administrative access by cloud service administrators. With the exception of the location of administrators, data sovereignty is supported by all the major IaaS providers although not all customers make full use of the controls provided.
Operational sovereignty – this is control over the jurisdiction where the administration of the service and its infrastructure is conducted. The EDPB technical measures are intended to mitigate that lack of this control. The major CSPs now offer a form of “cloud in a box” which the customer can locate and administer wherever they wish. Other clouds are working to enable third party administration through partnerships with managed service providers in certain regions. The major hardware manufacturers also provide a partial solution offering hardware as a service where the customer rents capacity in dedicated servers that are located where the customer chooses.
Technical Sovereignty – the customer is able to develop, deploy, move, and manage their workloads with the minimum of disruption. While there is significant openness in application development environments, the major hyperscale clouds are built on proprietary technical stacks and this makes it hard to move a workload to another cloud. It also makes it hard to manage the hybrid multi-cloud and on-premises IT environment that is now common in most organizations. There is a need for standard interfaces that customers can use to build, deploy, manage, and optimize their workloads independently of the cloud service used. This is still work in progress with VMware, OpenStack, Anthos, RedHat OpenShift all offering some level of solution to some of the problems.
Sovereign Ownership – the infrastructure used to provide the cloud service is normally owned by the CSP. This means that even if it is located in a given geography its use could be withdrawn by the CSP in the event of geopolitical conflict. Even if it were to be seized by a government the knowledge and external infrastructure required would make it difficult to make it operational.
Most of the discussion around the sovereign cloud has focussed on data sovereignty and, while this is important, there are other areas that need to be considered to provide a fully sovereign cloud. For most organizations, the major driver for sovereignty is the need for compliance. In this respect, all the major CSPs provide or support substantial technical and contractual controls. However, the technical controls available are not always fully exploited by cloud customers. Recently announced partnerships which enable allow a local service provider to deliver a version of a global service provide a solution to some of the operational sovereignty concerns. However, it remains to be seen whether these will actually work out in practice. Where full sovereignty is required, there are other factors that need to be considered. The trade-off between functionality, cost and all the four aspects of sovereignty is one that organizations need to consider when deciding on how to deploy their applications.
Attend Cybersecurity Leadership Summit in November for more insights into the security of cloud services.