On October 25th, 2023, AWS announced their intention to launch the AWS European Sovereign Cloud. This is an important announcement which reflects the impact of the EU GDPR regulation and the EU's recent Schrems II judgement.
What Was Announced
The AWS European Sovereign Cloud will be a new, independent cloud for Europe that is designed to help public sector organizations and those in highly regulated industries meet regulatory data residency and operational requirements. This cloud service will be located and operated within Europe. It will be physically and logically separate from existing AWS Regions but, AWS claims, will provide the same security, availability, and performance as existing AWS Regions. The AWS European Sovereign Cloud will launch with its first AWS Region in Germany and will be available to all European customers.
The Impact of Globalisation
Globalisation has provided many benefits, allowing nation states and organizations to obtain what they need, when they need it, from wherever it is cheapest. This has reduced costs for citizens and businesses alike but has created an increased dependency on ever more extended supply chains. The COVID-19 pandemic and the subsequent supply chain disruptions have called this approach into question. The notion of the sovereign cloud needs to be seen in this context.
Cloud sovereignty involves several areas. These include, but are not limited to, the protection of personal data, intellectual property, commercial secrets, and other forms of sensitive information. It also concerns the influence that service users have over the legal frameworks that bind the service, through a say in government, and their confidence in service continuity not only in the event of natural disasters but also in the event of geopolitical conflicts.
The Sovereign Cloud
The idea behind the sovereign cloud is to ensure that the services provided are within the control of the jurisdiction where they are used. This can be achieved in several ways: through legal and technical measures as well as physical location. Within Europe there are already several cloud services that are locally owned and delivered. However, these services find it hard to compete against the level of functionality provided by the global hyperscale cloud services and the economies of scale that they enjoy. Therefore, using purely local providers often involves increased costs and/or reduced functionality.
Another approach is state-sponsored projects. However, these have a chequered history when it comes to innovation and, in any case, the richness of the existing hyperscale cloud services leaves an enormous gap to close. Therefore, quite sensibly, the European Gaia-X project does not seek to replace the existing cloud services but rather to increase local control. Google, together with other hyperscale cloud providers, is a founding member of Gaia-X.
Four Key Areas of Sovereignty
There are four key areas of sovereignty, and the announcement by AWS needs to be considered against all of them.
Data sovereignty – the customer should have control over access to and use of their data. This is what the technical measures from the EDPB (European Data Protection Board) are intended to enforce. Since many data processing regulations specify this, the customer should also have control over the physical location of their data and over administrative access by cloud service administrators. With the exception of the location of administrators, data sovereignty is already supported by all the major IaaS providers, although not all customers make full use of the controls provided.
Operational sovereignty – this is control over the jurisdiction in which the administration of the service and its infrastructure is conducted. AWS have announced that the AWS European Sovereign Cloud infrastructure will be operated independently from existing AWS Regions. To assure independent operation of the AWS European Sovereign Cloud, only personnel who are EU residents, located in the EU, will have control of day-to-day operations, including access to data centers, technical support, and customer service. Access to customers' data is further controlled through the AWS Nitro System, which separates the control plane from the data plane and prevents operational access to customers' data.
Technical sovereignty – the customer can develop, deploy, move, and manage their workloads with a minimum of disruption. While there is significant openness in application development environments, the AWS cloud is built on a proprietary technical stack, and this makes it hard to move a workload to another cloud. It also makes it hard to manage the hybrid multi-cloud and on-premises IT environment that is now common in most organizations. There is a need for standard interfaces that customers can use to build, deploy, manage, and optimise their workloads independently of the cloud service used. This is still work in progress, with VMware, OpenStack, Anthos, and Red Hat OpenShift all offering some level of solution to some of the problems.
Sovereign ownership – the infrastructure used to provide the cloud service is normally owned by the CSP. This means that even if it is located in a given geography, its use could be withdrawn by the CSP in the event of geopolitical conflict. Even if it were to be seized by a government, the knowledge and external infrastructure required would make it difficult to keep it operational.
The AWS announcement today is a major step that will enable public service and regulated organizations in the EU to benefit from the capabilities provided by AWS Cloud Services. It further illustrates the bargaining power that the EU can exert on service providers from outside the region. However, it does not mitigate the potential for technical lock-in or the geopolitical risks associated with services owned outside the EU jurisdiction.
Attend cyberevolution in November for more insights into the security of cloud services.