Sovereign Clouds: Partner Perspectives on Safeguarding Critical Customer Data

As VMware gains momentum with their sovereign cloud initiative , we turned to leading partners AUCloud, Datacom, STC, NxtGen, TietoEVRY, ThinkOn, and UKCloud and their customers to find out why a sovereign cloud is essential.

With new national data protection and privacy laws continuing to take shape across the globe and penalties confirming the punitive power of existing regulations, it’s no surprise that highly regulated industries are turning to sovereign cloud solutions. But by all accounts, the demand for cloud infrastructure that tightly controls where data resides (and how it is managed, protected, and shared) now extends beyond entities such as government, defense, financial services, and healthcare.

We recently connected with partners within the growing VMware Sovereign Cloud initiative to learn more about the demand for sovereign cloud solutions they see, what’s driving that momentum in their eyes and those of their customers, and what CIOs should consider.

In addition to being VMware Cloud Verified, all of the partners who provided insights have earned the VMware Sovereign Cloud designation – a distinction reserved for those who can address sovereignty requirements that encompass everything from where data resides to how it is stored, serviced, and shared. Their experience reflects a rapidly changing regulatory environment, the nexus of myriad IT trends, and brings to light several increasingly universal conclusions.

All are ideally qualified to help their customers achieve and maintain the highest standards for data integrity, including absolute control over data access, transparency and visibility into the provider’s operation, the knowledge that their information is managed appropriately, and access to VMware’s growing ecosystem of sovereign cloud solutions. These include the new developer-ready cloud services powered by VMware Tanzu and enhanced data protection and security offerings from ecosystem partners Cloudian, Fortanix and Veeam. Customers also benefit from the development of a national digital infrastructure capability that increases protection from outside threats.

Notably, in the last several years, it has become increasingly clear that for organizations in highly regulated industries, a sovereign cloud is crucial. In some sectors, particularly government, it’s an already mature requirement.

“The NxtGen Sovereign Cloud is purpose-built for government agencies that store their internal data and information on citizens used to deliver services,” says A.S. Rajgopal, CEO of NxtGen. “Completely isolated from other cloud platforms, it is designed to comply with the requirements mandated by India’s Ministry of Electronics and Information Technology and the Computer Emergency Response Team, the agency within the ministry that oversees cybersecurity.”

Rajgopal adds that all customer data, metadata, and escalation data are kept on Indian soil at all times in an ironclad environment.

For its part, Datacom has provided sovereign cloud solutions for over a decade in Australia and New Zealand to more than 50 government agencies. Ross Delaney, Director of the Datacom Cloud, notes that all of its customers’ data must remain within their respective countries.

“Many customers have policy and privacy requirements that restrict sensitive data being stored, accessed, or available in any way offshore,” he says. “For example, the government agencies we serve in New Zealand require that all data on the nation’s citizens be kept in New Zealand. In Australia, we provide services to courts and judicial bodies. Much of this information is exceptionally sensitive and must also be kept and protected in country.”

Controlling the legal jurisdiction of data, and protecting it from unauthorized access, is also something with which UKCloud is very familiar. Its sovereign cloud service is used by customers across the nation’s government, healthcare, and defense communities and the company’s government-grade data centers are staffed by employees with security clearance. 

Expanding on the need for sovereign cloud solutions, UKCloud’s Solutions Director, James Maynard, indicates that “traditionally, the prominent reason for sovereignty has been data residency, protecting data from foreign jurisdiction laws, and surveillance, which is still vital, however the critical importance has broadened. Sovereign cloud solutions can enable secure, reliable access to data, giving organisations the power to drive innovation through unlocking the value of their data to drive digital transformation. There is also a need to have flexibility whilst maintaining the legal jurisdiction of your data to ensure it is protected from unauthorised access. For instance, when working with a London NHS research hospital, the primary concern was initially security due to the sensitivity of patient data, which then, through the flexible approach of our sovereign platform, allowed them to adapt the platform to analyse COVID-19 data sets for 2.5 million people and allow the collaboration of scientific research groups.”

The regulatory environment is changing

Outside of public-sector deployments, it’s also well known that enterprises must comply with important data-oriented legislation including the Patriot Act in the United States, the Digital Privacy Act in Canada, Europe’s General Data Protection Regulation (GDPR), and Brazil’s General Data Protection Law. Increasingly, though, that is only the beginning.

World events, including the rise of increasingly sophisticated criminal syndicates and nation states intent upon conducting cybercrime, are prompting more data protection and privacy legislation that requires sovereign cloud capabilities. In the United States, for example, enterprises must now also be mindful of state regulations.

Sovereignty of course is crucial because companies outside of the jurisdiction of any such laws may not follow them. It’s a point not lost on Franciso Romerogotor, Lead Service Owner at Finland-based partner TietoEVRY, which serves the Nordic region.

“The explosion of data and the opportunities that come with it is driving the need for cloud solutions, and more specifically sovereign cloud solutions,” says Romerogotor. “Digital sovereignty is about the right to own data, where it is stored, and who has control over it. The most affected sectors and industries were those that were most regulated—specifically, the public sector, health, and finance. But in practice, it’s now equally applicable to all businesses that are subject to GDPR and other regulations.”

The need for sovereign cloud now extends across industries

Customers stress that a sovereign cloud solution is increasingly required across industries by any company that works in an environment in which stringent data protection and security requirements are in place. Nimble Information Strategies is a customer of VMware Sovereign Cloud partner ThinkOn. Daryl Stott, Nimble’s Vice President of Digital Transformation, puts it this way:

“The success of any digital mailroom or document digitization solution relies heavily on the accuracy, security, and accessibility of the digitized documents. Not only does that extracted data need to be highly accurate, but the authority, control, and accessibility of this data must reside within Canadian Federal and Provincial boundaries to meet the data residency obligations of Nimble Information Strategies’ customers,” says Stott. “Nimble partners with ThinkOn to align our data residency and security business needs with the strict data sovereignty demands and expectations of our clients.” 

It’s a point echoed by Andrew Thomlinson-Munn, Solutions Architect at Hummingbird Solutions, a customer of AUCloud.

“Providing digital and managed services solutions across a broad range of industries, it is imperative that we meet the constantly evolving challenges of data protection, availability, and governance,” he says. “Hummingbird Solutions choose to work with AUCloud as an IaaS provider for their strength in delivering hosting solutions on a proven platform with VMware and their ability to provide a sovereign cloud solution to conform to our customers’ internal and regulatory compliance requirements. The benefit of working with a VMware Sovereign Cloud certified provider is that this provides Hummingbird Solutions with the confidence that we are backed by a best-in-class infrastructure solution.”

Simultaneously, these same solutions must also be intuitive while providing users with high performance access to data. It’s something Geoff Smith, Managing Director of the United Kingdom’s Geoff Smith Associates (GSA), a customer of UKCloud, stresses.

“As a SaaS supplier to both the public and private sector, UKCloud has provided GSA with an assured, agile, and value-for-money proven platform with their VMware Sovereign Cloud,” says Smith. “This provides choice and flexibility, which is a prerequisite when you need to support your distinct capabilities, skills, and tools without compromise—and also conform to customers’ internal and regulatory requirements. Providing GSA and our customers with a secure yet easy and simple data sovereign cloud infrastructure gives the staff at GSA great confidence in the skills and expertise of UKCloud.” 

If you are concerned with data residency, a sovereign cloud deserves consideration

Perhaps most importantly, there is a rising need for enterprises and CIOs to explore whether a sovereign approach to the cloud is warranted and if so, to address it expediently to mitigate risk.

“We did research on our local market and found that some critical customers were struggling to build their own data center,” says Nawal A. Alharkan, Product Manager, Cloud Infrastructure Services at Saudi Telecom Company (STC). “They can’t get help from the local service provider since they are only offering public cloud services. STC decided to implement the sovereign cloud to cover the market demand and be the first to fulfill these requirements.”

And for those CIOs who don’t believe they need a sovereign cloud? Phil Dawson, Managing Director at AUCloud, believes it’s a question they need to ponder themselves.

“Do you know where your data goes?” asks Dawson. “Do you know who can access it when it moves around the world?  What level of business, operational, or reputational risk can your organization tolerate when your data cannot be accessed, or when its confidentiality is breached, or its integrity compromised because it was moved outside of the country or could legally be accessed by a foreign government?”

Dawson also notes that the answers to these questions reveal some of the many reasons sovereign cloud solutions are needed.

“In our view, there is a convergence of factors driving the need for sovereign cloud solutions and services,” he says. “These include the growth of the technology itself, the increasing volume of data and the velocity of data flows, heightened community and individual sensitivity and awareness of the need to protect data, and finally clear international trends such as the GDPR in Europe – all of which put the spotlight on nation states wanting to provide assurance to their citizens that their data is protected. At the end of the day, any organization that is the custodian of sensitive data must ensure it is secure and confidential, is available when it is needed, and has not been tampered with or changed – that the integrity of the data has not been compromised.”

These are questions and thoughts for all CIOs to ponder.

For more perspectives on Sovereign Cloud solutions, read the latest partner blogs from AU Cloud, NxtGen, ThinkOn and Tieto.  For additional information on VMware’s Sovereign Cloud initiative, read the latest news release and blog or find a VMware Sovereign Cloud provider.