How the global trend to sovereignty and sovereign resilience has driven a global technology provider to establish a Sovereign Cloud Partner Program

We talk a lot about our digital economy but in truth, what Is really driving economies these days is data. Digital technologies – cloud, AI, IoT for example might be the engine, but data is unquestionably the fuel.   

With predictions that an estimated 149 zettabytes of data (1,000,000,000,000,000,000,000 bytes) will be created, copied and consumed around the world by 2024, it is little wonder there is increasing concern that some 92% of the Western world’s data is stored in the US alone.

While public cloud has been a major driving force behind digital transformation over the last decade, the accompanying growth of global, public cloud hyperscale platforms and the resultant concentration of data, is rapidly shifting from a conversation about convenience to a concern about risk.

Two parallel trends are also currently in play.

First, the rapid rise in volume and sophistication of cyber threats targeting public and private organizations has put unprecedented urgency on the need for much improved national security postures, with an emphasis on the protection of sovereign data.

Second, besides the obvious health and social disruption caused by the COVID-19 pandemic, the vulnerability and reliance that nations and companies have on critical third-party supply-chain infrastructure and data services has been spectacularly exposed.  

The conflation of data sovereignty and data residency

While the increase in national data privacy and security sensitivities in the last few years has manifested in a tightening of a range of nation data access and sharing regulations (e.g., GDPR in Europe, similar laws in the US, China, Russia, India), it is the results from a 2021 IDC survey related to perceptions of public cloud and data that are especially telling.

Involving global decision makers from the public sector, financial services and health care industries, the survey identified significant concern about the vulnerability of confidential and restricted data stored in commercial clouds (some 70% of respondents).  The concern – not only that critical data may not remain on sovereign soil – but given the changing geopolitical landscape, that it may be managed by US cloud providers (79%). Largely driven by mistrust of the US CLOUD Act, which can compel US owned/based cloud providers to disclose details of the data they host, over 60% of respondents said they wanted a cloud service that provides complete jurisdictional control and authority over their data.  Data residency, i.e., having data stored and processed and resident onshore, is not enough.  

Whilst convenient to conflate data sovereignty and data residence, they are not the same.

Data sovereignty refers to data being subject to the privacy laws and governance structures within the nation where that data is collected – subject to the exclusive legal protections of that nation and explicitly protected from any other jurisdiction asserting authority over the data.  Data residency simply refers to where data sits within a geographical location.

This distinction is important in the context of another nuanced term, i.e., customer data versus account data, as applied by hyperscale vendors.  

Whereas customer data, provided by the end-user is fully controlled by the end-user organization and governed by the terms of agreement between the cloud provider and the customer organization, account information is categorized and managed differently.  

Typically subject to a separate Privacy Policy, the small print allows for account data to be stored in or accessed from, multiple countries, including the authority to control if or when data is released.

Account data includes a lot of metadata – data about the data, often automatically collected with little customer awareness (e.g., network, IP, computer, device, credentials, streams, downloads, usage, errors, diagnostics, settings, preferences, backup information, API calls, and other logs).  While not ‘personal’ Information, it can still provide critical insight about the nature of personal and/or confidential Information.

This is important because given the business models of hyperscale cloud vendors, account data routinely moves to wherever it needs to be managed, anywhere around the world. While on the one hand customer data may be stored in a cloud in an in-country data centre, a broad range of other and equally sensitive information, is not.  

The pivot to Sovereign Cloud

“If you allow another country to gain access to really critical data about your society, over time, that will erode your sovereignty – you no longer have control over that data.”

Richard Moore, Head of MI6, UK

Sovereign data protection requires that all data, including customer data, metadata, support data, account information, etc. remains resident within that sovereign jurisdiction.

The increasing relevance of data sovereignty to digital and security resilience and ultimately sovereign resilience, has inevitably focused the spotlight on cloud.

In the same breath as forecasting that some $482 billion will be spent on public cloud services in 2022, Gartner separately signals the growth of, and growing trend towards, digital and data sovereignty, specifically sovereign clouds. 

The fact that In October last year, global technology provider VMware, announced their VMware Sovereign Cloud Partner Program is illustrative to not just a growing global interest in the protection of sovereign data but recognition that the tide is rising for dedicated sovereign cloud frameworks and infrastructure.

According to VMware, Sovereign Clouds help protect and unlock the value of critical data. They help improve control of data, demonstrate compliance with privacy laws, and deliver a national capability for digital innovation. To provide the assurances customers need, it identifies the following five characteristics of a Sovereign Cloud.  

Data sovereignty and jurisdiction control

At its core, and for all the reasons already identified, a Sovereign Cloud is about data sovereignty and jurisdictional control. A Sovereign Cloud must, as a minimum, ensure not only that all data will remain resident within national boundaries, but that data is subject only to the jurisdictional control and authority of the nation where that data is collected.  There must be no ability for extraterritorial jurisdictions to assert any authority over access to the data. This includes customer and account data, metadata etc.

Security and Compliance

A Sovereign Cloud must provide the necessary security controls to protect data – designed around the specific security frameworks and compliance standards related to the data that is being stored/hosted/managed.

Access and Integrity

A Sovereign Cloud must have the infrastructure, data management and protection services to ensure data access, availability, accuracy, consistency and validity. It must enable and assure customers that they can access and consume their data with confidence to deliver their business services and outcomes.

Independence and Mobility

A Sovereign Cloud should empower the customer to deploy and move applications and data when and where needed as business conditions change and without vendor lock-in.

Data Innovation and Analytics

Finally, a Sovereign Cloud should help customers unlock the value of their data to drive business innovation – and value.

What does that mean for Australian organisations?

Back in Australia, recognition of the increasing importance of data and data protection has already driven considerable change. The ACSC’s Cloud Assessment and Authorization Framework (CAAF), the DTA’s Hosting Certification Framework and the recent and impending amendments to the Security Legislation Amendment (Critical Infrastructure Protection) Act all signal greater awareness and acceptance of the value of data and the importance of data protection to Australia’s social, economic, and national security interests.

In a world where we’re heading towards 149 zettabytes of data within the next 2 years; where we risk having some 92% of the world’s data located in a single territory, in the hands of a smaller handful of companies; and where the volume of cyber-attacks is rising exponentially and with increasing ingenuity, it has never been more important for all of us to think about where our data goes and who can access – especially when we don’t and may never know.

Take the next step

As a VMware Sovereign Cloud Partner, AUCloud provides a range of sovereign Infrastructure-as-a-Service that customers and third-party service providers can easily access and use – and with the same scale, automation, elasticity, and lower costs associated with hyperscale public cloud offerings. Get in touch to see how we can support your digital transformation journey today.

1800 282 568