Many companies are hoping that sovereignty approaches will provide an upsurge in innovation. They expect sovereign clouds to cater to the demands of agility and innovation potential in the cloud environment, compliance with current regulations, the possibility of having an independent influence on ethical and ecological factors, data protection security, full control of their data, and compliance with legal requirements. Users also expect a high level of reliability, transparency, and interoperability. Fulfilling these expectations reassures users that they will have control and flexibility with regard to their data and the operation of their cloud services.
What is digital sovereignty?
But what does digital sovereignty actually mean? For now, it is just a buzzword – just like the terms digitalization and cloud. Sovereignty is centered around a company’s business environment. It describes the comprehensive decision-making authority over how a company and its business develop. Business sovereignty must be mapped into digital sovereignty. This has at least three technical facets that are especially applicable to the use of a cloud solution.
The first component: data sovereignty
Data sovereignty primarily includes full and sovereign control over access to data. The owners of the data must have certainty that their data cannot be manipulated, deleted, copied, or viewed in the cloud or a data center by unauthorized parties (this includes the cloud operator). The current best route to data sovereignty includes two fundamental elements: the storage and processing of data in an authorized jurisdiction and the use of encryption. It is best to use external encryption for this – encryption management for this must take place outside of the provider cloud and be managed externally as well.
The second component: software sovereignty
The core principle of the sovereign cloud is to protect customers from dependency. A key aspect of this is the ability to migrate applications anytime onto other IT infrastructures, including an internal infrastructure. This is one of the guidelines from the German Federal Financial Supervisory Authority for the exit strategy of a finance company. Let’s say a company wants to transfer its data from the external cloud onto its own server to retain complete control and flexibility. Or: a company migrates its data from a conventional cloud to a more sustainable server solution to encourage the use of renewable energies. With software sovereignty, companies are free to choose their applications. Because of this, their use cases can be operated independently of specific infrastructures. This means effective prevention of vendor lock-in. The open-source approach plays a significant role in this open and transparent route.
The third component: commercial or operational sovereignty
What happens when cloud service providers decide to build in back doors? When they do not offer certain security settings or decide to simply shut down their cloud platform or stop offering it in the relevant jurisdiction? Blind faith cannot be enough for companies here. The cloud user needs a guarantee that the cloud operator/provider will develop the environment in a way that ensures the platform development itself does not undermine the principle of sovereignty. This means that the platform remains future-proof and provides full performance, while also preventing unauthorized parties from accessing the original functions of the platform.
Sovereign cloud: controls and planning security
Companies require control levers and planning security. They need a guarantee that the IT infrastructure as a whole (beyond the data processing) will behave as though it were an in-house resource or under sufficient in-house control. They must also have guarantees that they can continue to operate their workloads, even if the cloud platform were to disappear. A cloud application with minimum dependence on the cloud. The combination of transparency and control of processes in the cloud infrastructure and future-proofing or independence is what characterizes a truly sovereign cloud.
Can the sovereign cloud provide zero trust security?
For this, the sovereign cloud must implement a consistent zero trust model. Encryption processes and administrative access must be 100% transparent, and possible for clients to audit. The same applies to changes in security configurations. Only admins from authorized jurisdictions are allowed to access the cloud resources. The sovereign cloud must also be conceived as an open platform. Workloads must be allowed to be consistently orchestrated across multi-cloud landscapes – and thus moved away from the sovereign cloud to other platforms at any time.
Sovereign cloud as part of the hybrid-cloud world
With all this in mind, it should not be forgotten that the sovereign cloud will not be a one-size-fits-all approach. Business reality will be the hybrid cloud. And sovereign clouds will be a part of this business reality wherever companies want to ensure they are complying with all necessary regulations in their agile business projects. They are also necessary wherever a high level of security is required, such as secure sharing of internal data in value-creation networks. In other words: there is no reason not to operate an online shop in a public cloud.