In search of sovereignty

The last few years have strengthened the digital mindset in Germany. Now the focus is on the cloud. But how can companies use it independently?

05 July 2023 | Moritz Nowitzki

What is a sovereign cloud for?

Anyone in Germany considering a cloud transformation can’t avoid the sovereign cloud. But what does sovereignty actually mean and why is it so important?

European companies need the public cloud for growth, but they must also ensure that their use of it complies with legal requirements. Sovereign clouds combine data, software, and commercial sovereignty so that companies can act independently. In this way, sovereign clouds are paving the way for independent, sustainable use of available resources.

From niches to everyday experiences – Germany is digital

The topic of when the Internet actually came about is controversial. But the fact of the matter is that in 2022, 93% of Germans and around 5.3 billion people worldwide were already “connected” on the Internet – and numbers continue to rise. According to estimates, the data volume generated annually will already reach 181 zettabytes by 2025. At first, even experts considered the Internet to be a niche application with only a few use cases; today, it forms an integral part of day-to-day life for most people at work and at home.

The digital mindset has completely captured Germany. From paying at the grocery store to regulatory affairs, and spurred on by the constraints of the coronavirus pandemic, there is now a demand for flexibility, speed, and reliability. A considerable driver of this development is the cloud, which uses the Internet to continually provide new solutions for eCommerce, autonomous driving, artificial intelligence, and the Internet of Things. But what happens with all of the data and who has access to it?

A new view of digitalisation

The wild salad days when business decision-makers discussed whether their company should “go online” are ancient history. Internet activities are standard practice for modern companies of all sizes. It is perfectly understandable that they are constantly discussing how they can profit from using the Internet and its technological children, like the cloud, by creating new business models and technical innovations. Alongside the search for increased efficiency and new market opportunities, sustainability is also becoming an increasingly central topic. Companies and users today know that (almost) anything is possible with the Internet. This is why they are looking for solutions that also fulfill their ethical, data-protection, and resource-saving requirements, and rightfully demand these with confidence.

What is allowed when it comes to digitalisation?

Digitalisation is about more than just technical discussions, because technical possibilities always raise the same questions. What are we allowed to do? Which data are we allowed to process under which conditions? Can we leverage the technical possibilities so that they bring us forward and also have a positive influence on society? These questions will have different answers in different cultures and in different jurisdictions. Although digitalisation seems so easy, it does not exist in a legal vacuum.

Combining digitalisation potential with compliance

European companies need to find ways to leverage the (competition-related) potential of digitalisation, whilst also satisfying the applicable regulations in their jurisdictions. This includes the handling of confidential third-party data, for example within the scope of EU GDPR (European data protection regulations), but also the protection of internal company data in collaborative value creation networks (i.e., the protection of “intellectual property”). Digitalisation leads to the reassessment of the question of trust – including towards the platforms implemented for digitalisation, especially cloud solutions.

Expectations of sovereign clouds

Many companies are hoping that sovereignty concepts will provide an upsurge in innovation. They expect sovereign clouds to cater for the demands of agility and innovation potential in the cloud environment, compliance with current regulations, the possibility of having an independent influence on ethical and ecological factors, data protection security, full control of their data, and compliance with legal requirements. Users also expect a high level of reliability, transparency, and interoperability. Fulfilling these expectations reassures users that they will have control and flexibility with regard to their data and the operation of their cloud services.

What is digital sovereignty?

But what does digital sovereignty actually mean? For now, it is just a buzzword – just like the terms digitalisation and cloud. Sovereignty is centered around a company’s business environment. It describes the comprehensive decision-making authority over how a company and its business is to develop. Business sovereignty must be mapped into digital sovereignty. This has at least three technical facets that are especially applicable to the use of a cloud solution.

The first component: data sovereignty

Data sovereignty primarily includes full and sovereign control over access to data. The owners of the data must have certainty that their data cannot be manipulated, deleted, copied, or viewed in the cloud or a data centre by unauthorised parties (this includes the cloud operator). The current best route to data sovereignty includes two fundamental elements: the storage and processing of data in an authorised jurisdiction and the use of encryption. It is best to use external encryption for this: encryption management must take place outside of the provider cloud and be managed externally.

The second component: software sovereignty

The core principle of the sovereign cloud is to protect customers from dependency. A key aspect of this is the ability to migrate applications at any time onto other IT infrastructures, including an internal infrastructure. This is one of the guidelines from the German Federal Financial Supervisory Authority for the exit strategy of a finance company. Let’s say a company wants to transfer its data from the external cloud onto its own server to retain complete control and flexibility. Or a company migrates its data from a conventional cloud to a more sustainable server solution to encourage the use of renewable energies. With software sovereignty, companies are free to choose their applications. Because of this, their use cases can be operated independently of specific infrastructures. This means the effective prevention of vendor lock-in. The open-source approach plays a significant role in this open and transparent route.

The third component: commercial or operational sovereignty

What happens when cloud service providers decide to build in back doors? When they do not offer certain security settings or decide to simply shut down their cloud platform or stop offering it in the relevant jurisdiction? Blind faith cannot be enough for companies in this situation. The cloud user needs a guarantee that the cloud operator/provider will develop the environment in a way that ensures the platform development itself does not undermine the principle of sovereignty. This means that the platform remains future-proof and provides full performance, while also preventing unauthorised parties from accessing the original functions of the platform.

Sovereign cloud: controls and planning security

Companies require control levers and planning security. They need a guarantee that the IT infrastructure as a whole (over and beyond data processing) will behave as though it were an in-house resource or under sufficient in-house control. They must also have guarantees that they can continue to operate their workloads, even if the cloud platform were to disappear: a cloud application with minimum dependence on the cloud. The combination of transparency and control of processes in the cloud infrastructure with future-proofing or independence is what characterises a truly sovereign cloud.

Can the sovereign cloud provide zero trust security?

For this, the sovereign cloud must implement a consistent zero trust model. Encryption processes and administrative access must be 100% transparent and auditable by clients. The same applies to changes in security configurations. Only admins from authorised jurisdictions are allowed to access the cloud resources. The sovereign cloud must also be designed as an open platform. It must be possible to orchestrate workloads consistently across multi-cloud landscapes, and thus to move them away from the sovereign cloud to other platforms at any time.

Sovereign cloud as part of the hybrid-cloud world

With all this in mind, it should not be forgotten that the sovereign cloud will not be a one-size-fits-all approach. Business reality will be the hybrid cloud. And sovereign clouds will be a part of this business reality wherever companies want to ensure they are complying with all necessary regulations in their agile business projects. They are also necessary wherever a high level of security is required, such as the secure sharing of internal data in value-creation networks. In other words: there is no reason not to operate an online shop in a public cloud.

About the author
Moritz Nowitzki

Head of Portfolio Management & Strategy, T-Systems International GmbH
