17. Sovereignty Part 1/4 - What is sovereignty and why it can be the next big trend in cloud computing?
While I worked at Google during the publishing of this post / video, the views expressed here are my own and may not reflect those of my employer. Only publicly available material is used to put together the content of this article.
💡 This is part 1 of the (4 part) sovereignty series. Here are the other posts -
- ▶ What is sovereignty and why it can be the next big trend in cloud computing?
- Encryption to power data sovereignty on Google Cloud (Demo GCP EKM + KAJ and Confidential computing)
- Practical sovereignty - Sovereign solutions on Public Cloud
- Setting up sovereignty demo on GCP - Google cloud EKM + Confidential Computing + Ubiquitous Data Encryption/UDE + Thales CKM
Many years ago, my job involved convincing customers to move their workloads to the cloud (with shiny demos of course!). Today however, the promises of the cloud - the speed, agility, no capex, quick to market - are well understood by most.
But there’s a new challenge on the horizon.
What and Why?
We are living in an era of international conflicts, regulations, polarization, distrust and hyper-awareness of the “data is the new oil” phenomenon. Through regulation, countries are increasingly pushing organizations towards having complete operational control of their data and computing resources within the well-defined boundaries of a continent, country or region.
But is the concern actually real?
Imagine a couple of the biggest banks and utility services in your country (search “Too Big To Fail banks” in your country) running their workloads and data on the cloud.
They can be left inoperable for various reasons, some of which are listed below:
- They operate their computing resources and store their data in a foreign cloud region (x), and now country x is hostile to your country.
- Sanctions force the cloud provider to drop these banks at short notice.
- These foreign datacenters are attacked by the host country’s enemy or fall prey to local unrest.
This is not just true for banks but for any organization that is part of the critical infrastructure (e.g. communications, energy, healthcare, transportation systems etc.) of a country.
And the failure of these companies to operate can have devastating impacts on your country, leading to a complete breakdown of order.
Moreover, computing resources and data held outside of the boundaries can be snooped upon by the host country, which can have far-reaching consequences.
So it is natural for many countries to bring in regulations that aim for better control over the computing environments of critical / too big to fail companies.
In fact, even without such regulations, many large organizations may have to exercise such control due to their own or their customers' security posture policies.
The reason we have highlighted the word control so much in the text so far is that -
sovereignty = being in (complete) control of
So having sovereignty on cloud would mean having reasonable control of computing resources and data to eliminate / minimize consequences due to the issues listed above.
Types of sovereignty and sovereign controls
Current regulations / expectations of sovereignty aim at the following components of sovereignty (also known as sovereignty controls):
- Where the data is stored / where computing resources operate (control - data residency)
- Who has access to the data during normal operation of an application / product and when it is being supported (control - personnel access)
- How such data can be protected against access by foreign governments and their regulations (like the US CLOUD Act) by various means like encryption (control - customer controlled encryption)
Now, before we look at how these sovereign controls can be applied on the cloud and at the current solutions devised by various cloud providers, let’s look at the types of sovereignty:
- Data sovereignty
- Operational sovereignty
- Software sovereignty
Data sovereignty refers to the ability of an organization to keep its data and compute resources within the boundaries of a particular country and to have complete protection from third party data requests, including those from local and foreign legal entities and governments. Data and access to data are governed by the local law.
Operational sovereignty refers to the ability of an organization to (reasonably) independently operate its IT infrastructure with strong & uninterrupted business continuity guarantees.
On cloud, operational sovereignty also involves operational transparency, which assures that the cloud provider's employees and vendors cannot compromise customer workloads.
Generally, on cloud, the following form the basis of operational sovereignty:
- Restricting resources and data to regions where the customer’s country has jurisdiction and
- Providing audit logs of customer data access by the cloud provider’s employees
Software sovereignty refers to a software supply chain that is not susceptible to being discontinued or compromised due to any external factors (wars, sanctions, cyber-attacks etc.). Achieving this would also involve customers avoiding proprietary software, relying more on open source alternatives and having robust software delivery mechanisms.
Complete operational sovereignty requires customers to use their own data centers. Complete software sovereignty is equally difficult to attain: at its extreme, an organization would have to use only in-house software, which is impractical in the real world.
Current solutions across (big 3) cloud providers
Different cloud providers have approached sovereignty differently. There is no single solution on any provider that can provide all of operational, software and data sovereignty to their fullest extents.
The solutions can be categorized as below. Also, their relative score on sovereignty vs ease of operating / innovation is shown.
Having separate regions (like Azure & AWS Government Cloud and Google supervised cloud)
📈 Sovereignty 🟩🟩🟩🟩🟩, Innovation/Operability 🟩🟩🟩
📈 Sovereignty 🟩🟩🟩🟩🟩🟩, Innovation/Operability 🟩🟩🟩
📈 Sovereignty 🟩🟩🟩🟩, Innovation/Operability 🟩🟩🟩🟩🟩
(We delve more into these solutions and use these scores in part 3 of this series)
The choice of the solution is largely driven by the following factors:
- Regulations that need to be complied with
- Amount and type of sovereignty expected from the solution
- Acceptable tradeoff between innovation, ease of operation and enforcement of controls
In the upcoming posts we are going to see how various cloud providers (predominantly Google Cloud) implement some of the sovereign controls (data residency, personnel access and encryption) mentioned earlier to provide their customers with the ability to create sovereign solutions.
Sneak peek at a data sovereignty implementation
In recent news
There has been a lot of news regarding sovereignty, with cloud providers rushing to add sovereign solutions to their portfolios.
Here are a few notable recent sovereignty news articles before we conclude this part of our Sovereignty Series.
- Google Cloud fleshes out sovereign cloud capabilities for European enterprises
- Microsoft launches its Cloud for Sovereignty
- AWS announces Digital Sovereignty Pledge
- An update on Google Cloud’s commitments to E.U. businesses in light of the new E.U.-U.S. data transfer framework
- HTX and Microsoft announce strategic agreement to develop Singapore’s first sovereign cloud
- Thales Introduces S3ns In Partnership With Google Cloud And Unveils Its Offering In A First Step Towards The French Trusted Cloud Label
- Pentagon splits giant cloud contract among Amazon, Microsoft, Google, and Oracle
The expectation and need to apply sovereign controls (data residency, personnel access, encryption etc.) to cloud based workloads are growing and are here to stay. Barring a few types of workloads (gaming, streaming etc.), most workloads will have to be “regulated” eventually.
And for cloud architects, achieving the required level of sovereignty by integrating the available solutions, explicit and not so explicit, will become increasingly important.
Thank you for reading through. Please like 👍, share 🔗 and comment ✍ if you found it useful.
Further reading / listening
- 🎧 Assured Workloads with Key Access Justifications with Bryce Buffaloe and Seth Denney
- Advancing digital sovereignty on Europe’s terms
- Microsoft Cloud for Sovereignty: The most flexible and comprehensive solution for digital sovereignty
- Introducing Assured Workloads in Canada and Australia, and new features for all
- A portfolio strategy for public sector cloud
- Data Sovereignty and Cloud Computing
- Youtube Video - Cloud Storage Data Security and Sovereignty
- AWS Admits to Being Far Behind Google, Microsoft in Sovereign Cloud (according to me - this one is a bit overly critical)
- https://cloud.google.com/blog/products/identity-security/how-google-cloud-is-addressing-data-sovereignty-in-europe-2020 (Refer for sovereignty types)