With the discussion surrounding sovereign clouds, GAIA-X has added an item to the agenda which is a burning issue for European companies. But why? And what does sovereignty mean?
Of course, it is debatable when the Internet was born. In 1969 with the Arpanet? Or perhaps more likely in 1974, when Vint Cerf and Robert Kahn released the Internet protocol TCP/IP? Or even more likely in 1989 when Tim Berners-Lee shared his idea for the World Wide Web at CERN? The fact is that in 2021, just under five billion people were “connected” via the Internet. What an amazing success story! The Internet revolution has changed the world like virtually no other technical advancement. And it continues to change things. The Internet – a story of limitless digital possibilities. It is also the foundation for subjects and solutions like e-commerce, connected cars, artificial intelligence and the Internet of Things.
The wild salad days when business decision-makers discussed whether their company should “go online” are ancient history. The Internet and digital technologies have made the world smaller, brought markets closer together and digitally disseminated knowledge and information (also false information) at an ever-greater speed. Internet activities are standard practice for modern companies of all sizes. More and more companies are also discussing the potential that the Internet and its technological offspring, such as the cloud, offer for their own value creation – this discussion is the core of what we call digitalization.
After all, digitalization is not just a technical discussion. Its technical possibilities, time and time again, lead to questions such as: What are we allowed to do? Which data are we allowed to process under which conditions? Can we exhaust the technical possibilities? This is a question which will have a different answer in different cultures and in different jurisdictions. Although digitalization seems so easy, it does not exist in a legal vacuum. On the same note, it also throws up moral issues.
European companies need to find ways to exploit the (competition-related) potential of digitalization while at the same time satisfying the applicable regulations in their jurisdiction. This includes the handling of confidential third-party data, for example within the scope of EU GDPR (data protection regulations), but also the protection of company-internal data in collaborative value creation networks, that is, the protection of “intellectual property”. Digitalization raises the question of trust anew, including trust in the platforms used for digitalization, in particular cloud solutions.
Europe has formulated a clear expectation of GAIA-X: Individuals, but also companies and public authorities want to have full control over their data in cloud infrastructures – both with regard to their use and the implementation of services. Many companies are hoping that sovereignty approaches will provide an upsurge in innovation. They are expecting sovereign clouds to give them the best of both worlds: the agility and the innovative potential of a cloud environment plus compliance with the applicable regulations.
But what is actually behind digital sovereignty? For now, it is just a buzzword – just like digitalization and cloud. Sovereignty targets a company’s business environment. It is characterized by comprehensive decision-making authority over how one’s own business and the company are developing. Business sovereignty must be mapped into digital sovereignty. This has at least three technical facets, which apply in particular to the operation of a cloud solution or, conversely, which a sovereign cloud stack (SCS) must bring with it.
Data sovereignty primarily includes full and sovereign control over access to data. The owners of the data must have certainty that their data cannot be manipulated, deleted, copied, or viewed in the cloud or data center by unauthorized parties (this includes the cloud operator). The current best route to data sovereignty consists of two fundamental elements: the storage and processing of data in an authorized jurisdiction and the use of encryption. It is best to use external encryption for this: encryption management must take place outside of the provider cloud.
The sovereign cloud must prevent its users from becoming dependent on it. It must be easy to migrate applications and services onto a different platform at any time (for example in-house infrastructure). This is one of the guidelines from the German Federal Financial Supervisory Authority for the exit strategy of a finance company. Software sovereignty allows companies to freely choose the software that supports their business processes. This software can be operated independently of specific infrastructures. This means effective prevention of vendor lock-in. Open source leads the way.
What happens if the cloud provider decides to incorporate back doors, not to offer certain security settings, or simply to switch off the cloud platform or no longer offer it in the relevant jurisdiction? Blind trust is not enough here. The cloud user needs a guarantee that the cloud operator/provider will develop the cloud environment so that the platform development itself does not undermine the sovereignty principle. The platform must be future-proofed. Access by unauthorized persons via original platform functions must likewise be prevented.
Companies require control levers and planning security. They need a guarantee that the IT infrastructure as a whole (beyond the data processing) will behave as though it were an in-house resource or under sufficient in-house control. They must also have guarantees that they can continue to operate their workloads, even if the cloud platform were to disappear. The goal is a cloud application with a minimum of dependence on the cloud. The combination of transparency and control of processes in the cloud infrastructure and future-proofing or independence is what characterizes a truly sovereign cloud.
For this, the sovereign cloud must implement a consistent zero trust model. Encryption processes and administrative access must be 100% transparent and auditable by clients. The same applies to changes in security configurations. Only admins from the authorized jurisdictions are allowed to access the cloud resources. The sovereign cloud must also be conceived as an open platform. It must be possible to orchestrate workloads consistently across multi-cloud landscapes – and thus to move them away from the sovereign cloud to other platforms at any time.
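One way a client could audit the administrative access and security configuration changes described above, as an added example that is not part of the original article: the client checks an exported, hash-chained audit log for tampering and for admin actions from outside its authorized jurisdictions. The log format, the `ALLOWED` set, the sample events and all function names are assumptions made for illustration.

```python
import hashlib
import json

ALLOWED = {"DE", "FR"}  # assumption: jurisdictions the client has authorized
GENESIS = "0" * 64

SAMPLE_EVENTS = [  # constructed sample data, "XX" stands for any other jurisdiction
    {"actor": "admin-a", "jurisdiction": "DE", "action": "admin_login"},
    {"actor": "admin-b", "jurisdiction": "FR", "action": "security_config_change"},
    {"actor": "admin-c", "jurisdiction": "XX", "action": "admin_login"},
    {"actor": "admin-a", "jurisdiction": "DE", "action": "encryption_config_change"},
]

def entry_hash(prev_hash, event):
    """Hash an event together with the previous entry's hash (hash chain)."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def build_log(events):
    """Operator side: each appended entry commits to everything before it."""
    log, prev = [], GENESIS
    for event in events:
        prev = entry_hash(prev, event)
        log.append({"event": event, "hash": prev})
    return log

def audit(log, expected_head=None, allowed=ALLOWED):
    """Client side: list (index, finding) pairs for the exported log."""
    findings, prev = [], GENESIS
    for index, entry in enumerate(log):
        event = entry["event"]
        if entry_hash(prev, event) != entry["hash"]:
            findings.append((index, "chain-break"))  # edited or deleted entry
        prev = entry["hash"]  # resume from the recorded hash: one finding per edit
        if event["jurisdiction"] not in allowed:
            findings.append((index, "unauthorized-jurisdiction"))
    # The client keeps the last head hash it saw, outside the provider's cloud,
    # so truncation or a full rewrite of the log is also visible.
    if expected_head is not None and prev != expected_head:
        findings.append((len(log) - 1, "head-mismatch"))
    return findings

if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print(audit(log, expected_head=log[-1]["hash"]))
```

The check is only as strong as the independence of the stored head hash: if the operator can also rewrite the client's copy of it, a fully recomputed chain would pass.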
With all this in mind, it should not be forgotten that the sovereign cloud will not be a one-size-fits-all approach. The business reality will be the multi-cloud. Sovereign clouds will be part of this business reality – wherever companies want to be sure that they are complying with all necessary regulations in their agile business projects. They are also necessary wherever a high level of security is required, for example for secure parts of internet data in value creation networks. In other words: there is no reason to stop operating an online shop in a public cloud.