Digital sovereignty is a top priority for industries navigating compliance and regulations. As critical enablers of modern business, cloud platforms must align with sovereignty requirements. Sovereign clouds are becoming essential, driving digital transformation. To address this need, AWS is empowering partners with the expertise to deliver sovereignty-focused solutions.
The customers‘ perspective in the European Union (EU) on sovereign cloud is quite clear: They want to have full cloud capabilities on the one hand, and sovereignty on the other. However, the meaning of sovereignty can vary widely. For some organizations, it‘s about autonomy, independence from providers, reliability, and transparency; for others, it‘s about organizational and technical features for security to fulfill compliance demands or, simply, data sovereignty. Thus, often encryption is praised as some sort of panacea for sovereignty. The sure thing is: In the era of artificial intelligence (AI), sovereignty gains additional importance.
Different approaches to cater to these different sovereignty needs of users in Europe could be observed in the past. On the platform side, they ranged from the building of own (in-house) clouds, using private clouds, creating national, regional, or community clouds up to specific operation scenarios, including hyperscalers. These approaches were accompanied by “small” limited sovereign solutions for specific use cases and these were available as add-ons to the huge hyperscaler offerings.
Two examples from T-Systems are Data Protection as a Service (DPaaS) and External Key Management (EKM). With DPaaS, T-Systems launched an offering that adds sovereignty elements to the AWS portfolio. The packaged solution is a combination of four components: Firstly, a trusted landing zone based on a well-architected framework with a number of essential security mechanisms for prevention and detection. These include least privilege access and security controls such as identity & authentication management, service control policies, GuardDuty, and threat and incident detection.
The second component is auditable proof of data residency in the European Economic Area, guaranteeing that data is only stored according to the GDPR. Data confidentiality, the third piece, is covered with data encryption during storage, transmission, and – optionally – during processing as well through EKM. The latter is operated in a T-Systems data center (outside of AWS). The fourth element of DPaaS: T-Systems’ support team is based in Europe only.
With DPaaS and its components, T-Systems was able to create sovereign solutions for its customers. One example is a European automotive OEM using AWS. The company was looking for a key management solution that could be deployed independently of AWS – provided and managed by a local trusted vendor. T-Systems successfully brought in its EKM. It runs in T-Systems’ own data centers in the EU and uses the AWS KMS (Key Management Service) external key store capability. This enabled the customer to incorporate its own encryption keys that remain solely under its control during the encryption/decryption process without the complexity of operating its own external key infrastructure.
A manufacturing company wanted to move its mission-critical and sensitive applications to AWS and required a redesign of its existing legacy landing zone solution with a focus on digital sovereignty. There were three demands:
In preparation for the migration to the AWS cloud, the T-Systems team mapped the digital sovereignty requirements to the technical building blocks. As a basic governance structure, they implemented a new secure landing zone on top of the AWS Control Tower, ensuring all-round encryption. Transaction logs were centrally collected via Amazon CloudTrail and integrated into T-Systems’ SIEM tools and processes. AWS service control policies and AWS Config rules as well as data residency rules were implemented and integrated into the AWS Security Hub. Amazon GuardDuty was enabled for threat detection.
Console access was provided through single sign-on (SSO) integration with the company’s Active Directory. Account users bear the responsibility to tag the created S3 buckets accordingly with data protection class tags and the encryption/access policy is set automatically. All services and policies combined created an environment that helped the manufacturer to create the required level of sovereignty.
A third example is Toll4Europe, one of the leading providers in the European Electronic Toll Service (EETS). Toll4Europe wanted to migrate almost 100 mission-critical applications plus 15 databases, from its own data centers to AWS. As a prerequisite for this transformational journey, it was looking for a trusted partner solution to ensure data sovereignty at all times, as required by its end-customers. Toll4Europe had to reconcile both general and country-specific IT security requirements driven by (national) toll chargers such as ISO27001, BSI (Federal Office for Information Security), ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), into one common platform.
A Trusted Cloud Landing Zone solution provided out-of-the-box sovereignty guardrails, as well as logging, monitoring, and alarming of AWS management events via AWS CloudTrail and Amazon CloudWatch. On top, it was validated by the Privacy and Security Assessment (PSA) process of Deutsche Telekom AG and integrated with T-Systems’ DevSecOps and SRE processes for support and incident handling. Only EU personnel are supporting Toll4Europe’s operations.
The confidentiality of data in the AWS cloud was achieved using appropriate cryptographic processes leveraging AWS KMS. AWS config rules and AWS service control policies ensure that all data in transit and at rest is encrypted. On top, proven technologies from F5, Cisco, and Palo Alto were used on the network level. T-Systems implemented AWS service control policies as well as AWS config rules to restrict the use of AWS regions to prevent data being stored and processed outside the EU. A dedicated organizational structure has been established and is centrally managed using AWS Control Tower and AWS Organizations.
On December 4, AWS announced a new competency for digital sovereignty at re:Invent. T-Systems was among the first service providers to receive the competency. In the months prior to this announcement, AWS examined the capabilities of the providers in a profound assessment before awarding the competency. It perfectly fits the strategic initiative of T-Systems to become one of the most recognized providers of sovereign services for the European market. T-Systems is already ranked a European leader for sovereign cloud infrastructures according to analyst house ISG in 2023 and 2024. The new AWS competency strengthens T-Systems' sovereign capabilities and sets the stage for driving innovation across the EU.
