In cloud network architecture, a sovereign cloud is a cloud computing environment designed to store the data and metadata of organizations exclusively on servers located within their country of origin, in compliance with local laws and regulations, in order to protect this data from foreign access.
A cloud becomes sovereign through the regular assessment of records that log access permissions and data movement within the network. If a cloud provider were to fail to meet the standards of these assessments, they may be held liable for any damages sustained through unauthorized access. Thus, sovereign cloud providers must commit to monitoring their data storage services to ensure they are compliant with local data privacy laws at all times.
The standards that define a sovereign cloud are often different internationally and depend on the regulatory laws imposed upon an organization by the government that oversees it. In some cases, organizations or individual users may be afforded the right to decide how their data is monitored and protected, whereas other governments may enforce stricter requirements.
Sovereign cloud methodology:
To protect critical data, a sovereign cloud will typically utilize an array of security measures, such as:
- Access control – A sovereign cloud guarantees sensitive data is protected from use and observation by third parties without the proper credentials.
- Compliance – A sovereign cloud guarantees sensitive data is stored and processed in ways that comply with the relevant government standards.
- Encryption – A sovereign cloud guarantees sensitive data is protected from unauthorized access in transit and storage through encryption.
- Monitoring – A sovereign cloud guarantees sensitive data is consistently monitored and audited to detect and remediate any breaches in security.
Why is Sovereign Cloud important?
The concept of the sovereign cloud has become a subject of debate among European and North American cloud providers since the CLOUD Act of 2018 was passed in the United States. CLOUD, short for ‘Clarifying Lawful Overseas Use of Data', imbues the U.S. government with the authority to demand access to data from companies that fall under its jurisdiction. As the majority of incumbent cloud service providers are headquartered in the United States, they are subject to this authority, but the CLOUD Act extends past American businesses and asserts this authority over foreign entities that operate within the U.S. or with the data of U.S. citizens.
Sovereign Cloud has gained popularity among European organizations seeking to take advantage of the relevant benefits of digitization while minimizing dependence on third parties and ensuring that they remain within relevant legal jurisdictions.
“Many companies anticipate a significant boost in innovation from sovereignty-based approaches. They expect Sovereign Clouds to encompass the following requirements: the agility and innovation potential of the cloud environment, compliance with applicable regulations, and the ability to autonomously influence ethical or ecological factors.” Said Moritz Nowitzki, Head of Portfolio Management & Strategy for Google Powerhouse at T-Systems International, in a blog post from the Cloud Security Alliance (CSA).
Who are the proprietors of Sovereign Cloud?
Companies including VMware, Oracle, and all offer sovereign cloud services compatible with their respective product lines. However, other companies have taken further steps to accommodate the sovereign cloud market. AWS has pledged to ensure that all Amazon cloud services are sovereign by design, alongside IBM, which has made adherence to global sovereignty standards the focus of IBM Cloud.
Read more of our cloud definitions here.