Will the Real Data Sovereign Cloud please stand up?
IT History Repeats Itself
When the concept of cloud computing was starting to gain the attention of CIOs in the early 2000s, many IT vendors could not resist using the term “cloud” when naming their offerings. Without a globally recognized definition, one could assume some were genuinely naïve, while others were simply strategically using then-popular terms to attract attention to their offerings. This confusing trend led to the National Institute of Standards and Technology (NIST) issuing a definition that is now widely recognized as being the minimum standard of an offering that wishes to fall under the banner of cloud computing.
It is difficult not to remember that experience when observing the rise of offerings in the market today that leverage the term “data sovereignty”. The huge growth of cloud computing and the distribution of data has created an unprecedented level of uncertainty around the classification of data and the jurisdiction of foreign governments. We speak to many customers who are not only grappling with those two uncertainties but also finding it challenging to assess the increasing number of cloud offerings in the market that claim to be “data sovereign”. Just like the infant stages of the cloud market, there is no globally recognized fit for all definitions of data sovereignty, – even though many cloud vendors are labeling their offerings as data sovereign in the same fashion as the term cloud was used in the early 2000s.
This article explains why customers must be proactive and diligent with the concept of data sovereignty as a one-size-fits-all definition (akin to the NIST definition for cloud) is unlikely to be issued due to the nature of the concept itself. The article does indeed point to the common denominators of widely used definitions, but its underlying proposition is that each source of data sovereignty requirements can and does come with its own nuances that make it unique. Therefore, customers must always begin their data sovereignty consideration phase of their multi-cloud journey with substantive analysis of their particular requirements under the applicable laws, guidelines, or policies, and then use the results of that analysis to proceed to evaluate whether the offerings they are considering are indeed “data sovereign” (as opposed to relying upon vendor labels).
Finally, this article explains why and how VMware’s Sovereign Cloud Initiative is an ecosystem that enables VMware Sovereign Cloud providers, who are third-party partners using VMware on-premises software, to build purpose-built hosted cloud offerings, offer alignment with applicable regional data sovereignty laws, policies and frameworks in a manner that provides customers with the technological dependability and robustness that any Cloud Smart multi-cloud strategy needs.
Definitions – “Data Sovereignty ” cannot, by nature, have the same definition globally
Simply put, and despite claims customers may hear and/or see in this infant market, the reality is that there is no one-size-fits-all definition to “data sovereignty”, and the true source of the definition to “data sovereignty” as applicable to any workload being contemplated is the legal, policy or guidelines applicable to that data that are prescribing it as a requirement. For example, a government customer who is planning to acquire cloud services for workloads related to their defence ministry/department would have different data sovereignty applicable legal, policy and guidelines than when the same government is acquiring the cloud services for their revenue ministry/department, and both of those would be different compared to when that same customer is acquiring cloud services for their parks/forestry ministry/department. Furthermore, a defence ministry of one government may have different requirements than the defence ministry of another government, and the single defence ministry may have different requirements for two different purchases depending on the workload they are considering. It is therefore understandable that a cloud offering can be compliant with the data sovereignty requirements for one customer workload, but not for another of the same customer.
In sum, the definition of data sovereignty varies from jurisdiction to jurisdiction, and from workload to workload, even within the same jurisdiction (depending on the applicable laws, policies, or guidelines that are prescribing it as a requirement). That being said, the common denominator amongst most definitions is that data must remain subject to the privacy laws and governance structures within the nation where the data is created or collected, and because the location of data is not, under many jurisdictions, a bar to foreign jurisdictions asserting control over the data, data sovereignty often requires that it remains under the control and/or management of entities and individuals who cannot be compelled by foreign governments to transfer the data to foreign governments (or, again depending on the requirements, certain foreign governments). As an example of a requirement that may be different, some, but not all, require that the cloud vendor employees who are supporting the underlying infrastructure hold citizenship and security clearance (i.e., data residency and jurisdictional control would not suffice).
The other important terms to define are as follows:
- Data Residency – The physical geographic location where customer data is stored and processed is restricted to a particular geography. Many customers and vendors confuse this concept with data sovereignty.
- Data privacy – Data privacy looks at the handling of data in compliance with data protection laws, regulations, and general privacy best practices.
- Jurisdictional control of data – A jurisdiction retains full control of data without other nations/jurisdictions being able to access, or request access, to that data.
- Data Governance – The process of managing the availability, usability, integrity, and security of the data in systems, based on internal data standards and policies that also control data usage.
- Global hyperscale commercial cloud – Foreign company-owned cloud infrastructure where data is held by a foreign Provider, and as a result may be subject to foreign laws.
How Cloud adoption, and its associated risks, brought “Data Sovereignty” into the spotlight
Cloud is a globalized technology providing accessible compute resources wherever you are in the world using a shared pool of resources that may be distributed across various regions. It is important to remember that your data is yours and always your legal responsibility. Running your data in the cloud or using someone else’s data center or IT infrastructure does not change the need to consider the various laws applicable to your company or to the company that owns and runs that data center and other supporting infrastructure. Some key considerations include understanding where jurisdictional control over the data lies, which relevant laws and jurisdictional take precedence, and what laws, regulations, and standards must you and/or the end customer adhere to.
The rising predominance of the global-based hyperscale commercial cloud housing a growing proportion of global data has further compounded the above-noted issues, including the key considerations of governance and jurisdiction. Do regional laws apply to such cloud computing solutions which, by their nature, are global and cross-region? Does this delivery model make regional laws ineffective? Your compute environment may start in the local region, but many other considerations may mean your data does not stay in that region. Data about data, or metadata, is used for support, accounting, and governance of your usage in the cloud and managing the operation of your data and workloads in those cloud environments, this could collect private data and hence be subject to regional laws. Operational support of some cloud environments could mean this data travels out of a designated region – and this data could include Personal Identification Information (PII) such as IP addresses, hostnames, etc, as well as certain security protocols. Also, your data could move out of the region through a disaster event, hence what entity has legal oversight on your data in that scenario? Your data may be hosted and managed by a cloud provider whose corporate entity is based in a foreign jurisdiction, which may claim legal precedence via jurisdictional control in the case of adjudication.
The assured integrity of your data is paramount. Access to your data in sovereign environments is often subject to high levels of data classification, autonomy, or control as secure or top-secret data is vital to the nation wherein the data is created and used. Even private clouds may be and often are, subject to, at some point, data traveling over public and/or shared networks, and more commonly today, private or dedicated on-premises clouds are a part of a hybrid cloud solution, of which some connection with a commercial/hyperscale public cloud could exist.
Sovereign cloud providers offer services and abide by standards for governance, security, and access restrictions, but the legal liability is ultimately with the customer. Liability of your data when extracted by bad actors, manipulated, altered, released without consent, or other mechanisms can result in complex lawsuits that we have all seen make international headlines. These issues are complex, like the technology behind the Cloud environments, and customers need to ensure that the multi-cloud strategy they deploy can be carefully operated and maintain compliance in all aspects necessary to their business.
Traditionally, many misunderstood data locality (or data residency) as the determining consideration of applicable laws applied to data. In many respects, this misunderstanding continues to plague the industry. Data residency is not the same as data sovereignty, – the latter provides a more robust approach to ensuring a clear prediction of applicable laws. Considering data mobility and data geographic locality, it is very hard to apply governance over data and keep a level of governance in place and active. Having a multi-territory footprint for the cloud, whilst often beneficial to businesses creates a lot of complexity in understanding which laws apply to your data and particularly which are superseded by other laws. This is a key question, which laws predominate and how can you protect your data from foreign access?
As an example of foreign legislation that may govern your data, the U.S. enacted the CLOUD ACT (Clarifying Lawful Overseas Use of Data) in 2018. The CLOUD Act, amongst other things, allows the U.S. government to enter executive agreements with foreign governments (of which the UK and Australia are the only regions currently) for reciprocal expedited access to electronic information held by providers based abroad, any restrictions to access the data must be removed. The CLOUD ACT, therefore, under certain conditions, imposes U.S. jurisdictional control on all data under the control of entities who are either US-based or have a nexus to the US, i.e. a global hyperscale organization, regardless of where the data in question resides in the globe. If the conditions of this law are met, the U.S. can adjudicate and enforce access to electronic data under the control of the U.S company regardless of where the company stores the data – meaning this also applies to data stored outside of the US. This Act, therefore, impacts data sovereignty for all non-U.S. regions.
This is an evolving situation and continues to change with the EU considering new requirements. For example, in June 2022, a draft version of the proposed EU cybersecurity agency (ENISA)’s “Cybersecurity Certification Scheme for Cloud Services” (EUCS), containing new sovereignty requirements, was released. These include, for “high” risk-level, measures to ensure certified cloud services are only operated by companies based in the EU and with a European shareholding majority, that these providers are not subject to extra-territorial laws from non-EU states, and all data must be stored and processed in the EU. Consequently, U.S. hyperscale providers would not be granted cybersecurity certificates for assurance level “high”. This is an example of how the situation for U.S. hyperscale providers is tenuous and rapidly changing in Europe, requiring further development and investment to meet the evolving legislation.
Does every cloud have a Sovereign lining?
Can all global cloud vendors not claim to be able to provide a Data Sovereign cloud solution to customers in non-U.S. nations? This is not an easy question to answer, as it depends on the customer’s specific requirements and the classification of the data. Given the explanation of the U.S. Cloud Act, as well as current forward-looking frameworks of cooperation, it seems that data is still able to flow upon judicial request, for example between the EU (under an executive agreement) and the U.S. So, the answer today is no, global cloud vendors and the data they hold would remain under U.S. jurisdictional control with the U.S. Cloud Act.
As the industry continues to evolve, there is an emergence of in-country domestic partnerships with hyperscale providers, to run, operate and govern their own instance of the public cloud environment. Whilst this provides in-country ‘hands and eyes’ operational control and a data residency in a data center located within the country, this type of ‘Supervised cloud’ has potential but will often have to abide by regional security strategies and will likely be differing by region. It would need to be tested in each applicable jurisdiction’s courts from a legal perspective to provide full assurance of its legal resiliency. It is also a considerable technical evolution as SaaS platforms, accounting, metering, support, and many other common cloud functions must be completely separated and run in isolation within the region. A supervised cloud model does provide authority over the physical location and the personnel running and operating the solution however, data sovereignty is also concerned with cloud data, cloud hardware, and cloud software criterion. The data running in these supervised clouds may still be run (including metering, fault analysis, reporting, metadata, and accounting) by a company under U.S. Cloud Act jurisdiction control, and therefore due consideration under application requirements must be given to that nuance as well. The current trending mitigation of this approach is the creation of a joint venture company whereby the national partner would need to own the controlling share of the operating company, also there would need to be considerable software analysis of the hyperscale code to validate controls and residency. This is an evolving model we expect to see more of over the coming years.
Every cloud has its place and importantly every cloud does not have a Sovereign lining. Today in our multi-cloud world, global hyperscale cloud providers can have their place in the sovereign market, but as an extension of a multi-cloud strategy, and today are and should be used to host only unclassified data. The ‘supervised’ Cloud model noted above, with the establishment of a joint company and majority control with the national partner does provide a compelling “Trusted” Cloud offering where the hyperscale cloud provider can offer their solution in a nationally controlled environment and jurisdiction, but as discussed, the success of these evolving models remains to be seen.
VMware Sovereign Cloud Initiative
VMware recognizes that regional cloud providers are in a great position to build on their own sovereign cloud capability and establish industry verticalized solutions aligned to differing data classification types and under their nation’s jurisdictional controls.
Data Classification is core to understanding where your data needs to reside and the protections that must be in place to safeguard and protect its ‘sovereignty’ with jurisdictional controls. The VMware Sovereign Cloud initiative has established a framework of trust scale, based on the classification of data which varies by vertical. Examples vary by industry and region, for example, official UK Government classifications such as Official, Secret, Top Secret, etc. Examples from the commercial sector can include Confidential, Internal Use, Public, Sensitive, and Highly Sensitive. The classifications that a Sovereign Cloud Provider chooses to include in the platform by default will depend on a combination of local jurisdictional norms and the type of customers the platform is intended to serve.
The principle for data classification and trust is that the Sovereign Cloud Provider security can be organized into different trust zones (architecturally called security domains). The higher the classification type, the more trustworthy and sovereign the offering, and the more unclassified the more risk mitigation and safeguards are required (such as encrypting your data, confidential computing, and privacy-enhancing computation). However, there are some hard stops, such as security stopping at the last most secure zone that is always within a sovereign nation and under Sovereign jurisdiction.
The placement of data must be based on the least trusted/sovereign dimension of service. Assessing your data classification requirements against the proposed services will result in understanding where the data can reside based on the necessary locations and available mitigations. This is an opportunity for VMware Sovereign Cloud partners to overlay solutions. By this, I mean that in many cases, a specific data classification can be placed on a particular platform (or security domain) if certain security controls are in place. E.g., Confidential Data can reside on Shared Sovereign Cloud infra if encrypted and the customer holds their own keys.
Using this risk and data classification analysis, VMware Sovereign Cloud Providers understand where their proposed Sovereign Cloud offerings sit on the scale, in relation to their other services such as public hyperscale cloud. They can then determine how to shift everything towards the most sovereign dimension of service as necessary using technology and process and enhance a customer’s Sovereign protection and cloud usage.
For the reasons noted above, VMware Sovereign Cloud providers, using VMware on-premises software, are in an ideal position to build compliant data sovereign hosted cloud offerings in alignment with data sovereignty laws, policies, and frameworks of their local or regional jurisdictions, – all in a model that is a more optimal approach to assuring jurisdictional control and data sovereignty.
My thanks to Ali Emandi for co-authoring this article.