17. Sovereignty Part 1/4 - What is sovereignty and why it can be the next big trend in cloud computing?

While I worked at Google during the publishing of this post / video, the views expressed here are my own and may not reflect those of my employer. Only publicly available material is used to put together the content of this article and video. The website and the Youtube videos are NOT monetized.


💡 This is part 1 of the (4 part) sovereignty series. Here are the other posts -

  1. ▶ What is sovereignty and why it can be the next big trend in cloud computing?
  2. Encryption to power data sovereignty on Google Cloud (Demo GCP EKM + KAJ and Confidential computing)
  3. Practical sovereignty - Sovereign solutions on Public Cloud
  4. Setting up sovereignty demo on GCP - Google cloud EKM + Confidential Computing + Ubiquitous Data Encryption/UDE + Thales CKM

Many years ago, my job involved convincing customers to move their workloads to the cloud (with shiny demos of course!). Today however, the promises of the cloud - the speed, agility, no capex, quick to market - are well understood by most.

But there’s a new challenge on the horizon.

What and Why?

We are living in an era of international conflicts, regulations, polarization, distrust and hyper-awareness of the “data is the new oil” phenomenon. Countries, through regulations, are increasingly pushing organizations towards having complete operational control of their data and computing resources within the well-defined boundaries of a continent, country or region.

But is the concern actually real?

Imagine a couple of the biggest banks and utility services in your country (search for “Too Big To Fail banks” in your country) with their workloads and data on the cloud.

They can be left inoperable for various reasons - some are listed below

  1. They operate their computing resources and store their data in a foreign cloud region (x), and now country x is hostile to your country.
  2. Sanctions force the cloud provider to drop these banks at short notice.
  3. These foreign datacenters are attacked by the host country’s enemy or fall prey to local unrest.

This is not just true for banks but for any organization that is part of the critical infrastructure (e.g. communications, energy, healthcare, transportation systems etc.) of a country.

And these companies failing to operate can have devastating impacts on your country, leading to a complete breakdown of order.

Moreover - computing resources and data held outside of the boundaries can be snooped upon by the host country, which can have far-reaching consequences.

So it is natural for many countries to bring in regulations that aim for better control over the computing environments of critical/too big to fail companies.

In fact, even without such regulations, many large organizations may have to exercise such control due to their own or their customers' security posture policies.

The reason why we have highlighted the word control so much in the text so far is because -

sovereignty = being in (complete) control of

So having sovereignty on cloud would mean having reasonable control of computing resources and data to eliminate / minimize consequences due to the issues listed above.

Types of sovereignty and sovereign controls

Current regulations / expectations of sovereignty aim at the following components of sovereignty (also known as sovereignty controls)

  1. Where the data is stored / where computing resources operate (control - data residency)
  2. Who has access to the data during normal operation of an application / product and when it is being supported (control - personnel access)
  3. How such data can be protected against access from foreign governments and their regulations (like the US CLOUD Act) by various means like encryption (control - customer controlled encryption)

Now, before we look at how these sovereign controls can be applied on the cloud and at the current solutions devised by various cloud providers, let’s look at the types of sovereignty

  1. Data sovereignty
  2. Operational sovereignty
  3. Software sovereignty

Data sovereignty refers to the ability of an organization to keep its data and compute resources within the boundaries of a particular country and to have complete protection from third party data requests, including those from local and foreign legal entities and governments. Data and access to data are governed by the local law.

Operational sovereignty refers to the ability of an organization to (reasonably) independently operate its IT infrastructure with strong & uninterrupted business continuity guarantees.

On the cloud, operational sovereignty also involves operational transparency, which assures that cloud provider employees and vendors cannot compromise customer workloads.

Generally, on the cloud, the following form the basis of operational sovereignty

  1. Restricting resources and data to regions where the customer’s country has jurisdiction and
  2. Providing audit logs of customer data access by the cloud provider’s employees

Software sovereignty refers to a software supply chain that is not susceptible to being discontinued or compromised due to any external factors (wars, sanctions, cyber-attacks etc.). Achieving this would also involve customers not using proprietary software, relying more on open source alternatives and having robust software delivery mechanisms.

Complete operational sovereignty requires customers to use their own data centers, and complete software sovereignty is equally difficult to attain: at its extreme, an organization would have to use only in-house software - which is impractical in the real world.

This episode of the Google Cloud Security podcast explains how cranking the sovereignty dials to the extreme can lead to a fully compliant but impractical solution.

Current solutions across (big 3) cloud providers

Different cloud providers have approached sovereignty differently. There is no single solution on any provider that can provide all of operational, software and data sovereignty to their fullest extents.

The solutions can be categorized as below. Their relative scores on sovereignty vs ease of operating / innovation are also shown.

  1. Having separate regions (like Azure & AWS Government Cloud and Google supervised cloud)

    📈 Sovereignty 🟩🟩🟩🟩🟩, Innovation/Operability 🟩🟩🟩

  2. Providing hosted cloud solutions (GCP - Google Distributed Cloud and AWS Outposts)

    📈 Sovereignty 🟩🟩🟩🟩🟩🟩, Innovation/Operability 🟩🟩🟩

  3. Providing sovereign controls on public cloud (e.g. GCP - Assured Workloads & partner managed sovereign offerings and Azure - Microsoft Cloud for Sovereignty)

    📈 Sovereignty 🟩🟩🟩🟩, Innovation/Operability 🟩🟩🟩🟩🟩

(We delve more into these solutions and use these scores in part 3 of this series)

The choice of the solution is largely driven by the following factors

  1. Regulations that need to be complied with
  2. Amount and type of sovereignty expected from the solution
  3. Acceptable tradeoff between innovation, ease of operation and enforcement of controls

In the upcoming posts we are going to see how various cloud providers (predominantly Google Cloud) implement some of the sovereign controls (data residency, personnel access and encryption) mentioned earlier to provide their customers with the ability to create sovereign solutions.

Sneak peek at a data sovereignty implementation

We are going to tackle data sovereignty on Google Cloud in part 2 with a detailed video demo. But the following quick video should pique your interest enough to go through this blog series.

In recent news

There has been a lot of news regarding sovereignty, and cloud providers are rushing to add sovereign solutions to their portfolios.

Here are a few notable recent sovereignty news articles before we conclude this part of our Sovereignty Series.

Conclusion

The expectation of, and need for, applying sovereign controls (data residency, personnel access, encryption etc.) to cloud based workloads is growing and is here to stay. Barring a few types of workloads (gaming, streaming etc.) - most workloads will have to be “regulated” eventually.

And for the cloud architects - achieving the required level of sovereignty by integrating the available solutions, explicit and not so explicit, will become increasingly important.

Thank you for reading through. Please like 👍, share 🔗 and comment ✍ if you found it useful.

-Nikhil
