On September 8th, 2021 Google and T-Systems announced their intention to build and deliver sovereign cloud services for German enterprises, the public sector, and healthcare organizations. So, what are a sovereign cloud services and why does this announcement matter?
The sovereign cloud is seen as a solution to the risks that arise from the increasing dependence of organizations on cloud services that are owned by foreign entities and delivered from outside of the local jurisdictions. These risks include loss of critical services through geopolitical disputes, interception of data by foreign governments, privacy and theft of intellectual property, as well as lock-in to proprietary service interfaces.
Governments around the world have enacted laws and introduced regulations in an attempt to mitigate against these risks. In Europe, the EU GDPR (General Data Protections Regulation) is an example of this. The subsequent Schrems II judgement and European Data Protection Board recommendations highlight the need for technical controls as well as legal contracts covering data processed in foreign jurisdictions since governments are not bound by civil contracts.
The idea behind the sovereign cloud is to ensure that the services provided are within the control of the jurisdiction where it is used. This can be achieved in several ways. Within Europe there are some cloud services that are locally owned and delivered. However, these services find it hard to compete against the economies of scale enjoyed by the global hyperscale cloud services. Therefore, using purely local providers usually involves increased costs and or reduced functionality.
Another approach is for state sponsored projects. However, these have a chequered history when it comes to innovation and, in any case, the richness of the existing hyperscale cloud services leaves an enormous gap to close. Therefore, quite sensibly, the European GAIAX project does not seek to replace the existing cloud services but rather to increase local control. Google, together with other hyperscale cloud providers, is a founding member of GAIAX.
It is this context that the partnership between Google and T-Systems should be viewed. According to Google the object of this is to deliver a European Cloud on Europe’s terms. The core focus is on the DACH (German, Austrian and Swiss) markets covering enterprises, the public sector, and healthcare organizations.
Google and T-Systems Sovereign Cloud for Germany
Google and T-Systems have described the 3 areas of sovereignty that this offering will support. These are data sovereignty, operational sovereignty, and software sovereignty.
They describe data sovereignty as covering 9 areas. These include customer control over the location of their data, controls against unauthorized access such as encryption by default and customer control over encryption keys as well as visibility and control over administrative access by Google administrators. They extend to include a promise not to sell the customers’ data and not to use the customers’ AI models for any other purpose. Most of these areas are supported by all the major IaaS providers.
Operational sovereignty covers 6 areas. These include support for local administration in selected regions, customer control over and visibility of administrative access and data decryption and visibility of security and hardware configurations changes to the infrastructure. They extend to customer audit based on consolidated tamper evident logs, zero trust control over access and the ability to support third party administration. These are important differentiators.
Software sovereignty – this provides consistent orchestration and management of workloads across multi-clouds, private cloud to provide survivability, based on and compatible with Open Source and Opens Source APIs.
Google says that this will be achieved through the use of a common hardware and software stack for both the public and sovereign clouds. The sovereign cloud will be delivered through a trusted partner and include additional controls and sovereignty guarantees which will be operated by the partner.
In terms of implementation the plan is to deliver in phases. Phase 1 July 2022 – Encryption management, data localization, access control, open source. Phase 2 2023 – Identity Management, Audits & Comprehensive Trust Management. Phase 3 2024 – Fully operational sovereign controls, data access, monitoring, security, deployment, audit.
The DACH market has been slow to adopt cloud services because of fears such as unauthorized access to sensitive data as well as concerns over the legality of their use. These are increased due to the perceived difficulties of achieving security and compliance obligations. This is welcome as it appears to be a practical approach to resolving these challenges. It clearly addresses some of the operational control and data privacy issues. However, it is not clear how it would enable service continuity in the event of geopolitical dispute since the underlying service is ultimately controlled by Google. In addition, local partnership to deliver sovereign services has been unsuccessfully tried before by other providers.
IaaS Tenant Security Controls (kuppingercole.com)
Managing Access and Entitlements in Multi-Cloud Multi-Hybrid IT (kuppingercole.com)