Anyone in Germany thinking about a cloud transformation can’t avoid the sovereign cloud. But what does sovereignty actually mean and why is it so important?
European companies need the public cloud for growth, but they also need to ensure it complies with legal requirements. Sovereign clouds combine data, software, and commercial sovereignty, so companies can act independently. In this way, sovereign clouds are paving the way for independent sustainability in the use of available resources.
The topic of when the internet actually came about is controversial. But the fact of the matter is that in 2022, 93% of Germans and around 5.3 billion people worldwide were already “connected” on the internet – and numbers continue to rise. According to estimates, the data volume generated annually will already reach 181 zettabytes by 2025. At first, even experts considered the internet to be a niche application with only a few use cases; today, it forms an integral part of day-to-day life at work and at home for most people.
The digital mindset has completely captured Germany. From paying at the grocery store to regulatory affairs, spurred on through the constraints of the coronavirus pandemic, there is now a demand for flexibility, speed, and reliability. A considerable driver of this development is the cloud, which is using the internet to continually provide new solutions for eCommerce, autonomous driving, artificial intelligence, and the Internet of Things. But what happens with all of the data and who has access to it?
The wild salad days when business decision-makers discussed whether their company should “go online” are ancient history. Internet activities are standard practice for modern companies of all sizes. It is perfectly understandable that they are constantly discussing how they can profit from using the internet and its technological children, like the cloud, by creating new business models and technical innovations. Alongside the search for increased efficiency and new market opportunities, sustainability is also becoming an increasingly central topic. Companies and users today know that (almost) anything is possible with the internet. This is why they are looking for solutions that also fulfill their ethical, data-protection, and resource-saving requirements, and rightfully demand these with confidence.
Digitalization is about more than just technical discussions. Technical possibilities always raise the same questions: What are we allowed to do? Which data are we allowed to process under which conditions? Can we leverage the technical possibilities so that they bring us forward and also have a positive influence on society? These questions will have different answers in different cultures and in different jurisdictions. Although digitalization seems so easy, it does not exist in a legal vacuum.
European companies need to find ways to leverage the (competition-related) potentials of digitalization, whilst also satisfying the applicable regulations in their jurisdiction. This includes the handling of confidential third-party data, for example within the scope of EU GDPR (European data protection regulations), but also the protection of internal company data in collaborative value creation networks (i.e., the protection of “intellectual property”). Digitalization reassesses the question of trust – including towards the platforms implemented for digitalization, especially cloud solutions.
Many companies are hoping that sovereignty approaches will provide an upsurge in innovation. They expect sovereign clouds to cater to the demands of agility and innovation potential in the cloud environment, compliance with current regulations, the possibility of having an independent influence on ethical and ecological factors, data protection security, full control of their data, and compliance with legal requirements. Users also expect a high level of reliability, transparency, and interoperability. Fulfilling these expectations reassures users that they will have control and flexibility with regard to their data and the operation of their cloud services.
But what does digital sovereignty actually mean? For now, it is just a buzzword – just like the terms digitalization and cloud. Sovereignty is centered around a company’s business environment. It describes the comprehensive decision-making authority over how a company and its business develop. Business sovereignty must be mapped into digital sovereignty. This has at least three technical facets that are especially applicable to the use of a cloud solution.
Data sovereignty primarily includes full and sovereign control over access to data. The owners of the data must have certainty that their data cannot be manipulated, deleted, copied, or viewed in the cloud or a data center by unauthorized parties (this includes the cloud operator). The current best route to data sovereignty includes two fundamental elements: the storage and processing of data in an authorized jurisdiction and the use of encryption. It is best to use external encryption for this: encryption management must take place outside of the provider cloud and be handled externally as well.
The core principle of the sovereign cloud is to protect customers from dependency. A key aspect of this is the ability to migrate applications anytime onto other IT infrastructures, including an internal infrastructure. This is one of the guidelines from the German Federal Financial Supervisory Authority for the exit strategy of a finance company. Let’s say a company wants to transfer its data from the external cloud onto its own server to retain complete control and flexibility. Or: a company migrates its data from a conventional cloud to a more sustainable server solution to encourage the use of renewable energies. With software sovereignty, companies are free to choose their applications. Because of this, their use cases can be operated independently of specific infrastructures. This means effective prevention of vendor lock-in. The open-source approach plays a significant role in this open and transparent route.
What happens when cloud service providers decide to build in back doors? When they do not offer certain security settings or decide to simply shut down their cloud platform or stop offering it in the relevant jurisdiction? Blind faith cannot be enough for companies here. The cloud user needs a guarantee that the cloud operator/provider will develop the environment in a way that ensures the platform development itself does not undermine the principle of sovereignty. This means that the platform remains future-proof and provides full performance, while also preventing unauthorized parties from accessing the original functions of the platform.
Companies require control levers and planning security. They need a guarantee that the IT infrastructure as a whole (beyond the data processing) will behave as though it were an in-house resource or under sufficient in-house control. They must also have guarantees that they can continue to operate their workloads, even if the cloud platform were to disappear. In short, they need a cloud application with minimum dependence on the cloud. The combination of transparency and control of processes in the cloud infrastructure with future-proofing or independence is what characterizes a truly sovereign cloud.
For this, the sovereign cloud must implement a consistent zero trust model. Encryption processes and administrative access must be 100% transparent and auditable by clients. The same applies to changes in security configurations. Only admins from authorized jurisdictions are allowed to access the cloud resources. The sovereign cloud must also be conceived as an open platform. It must be possible to orchestrate workloads consistently across multi-cloud landscapes, and thus to move them away from the sovereign cloud to other platforms at any time.
With all this in mind, it should not be forgotten that the sovereign cloud will not be a one-size-fits-all approach. Business reality will be the hybrid cloud. And sovereign clouds will be a part of this business reality wherever companies want to ensure they are complying with all necessary regulations in their agile business projects. They are also necessary wherever a high level of security is required, such as secure sharing of internal data in value-creation networks. In other words: there is no reason not to operate an online shop in a public cloud.