Choosing the Right Cloud for Data Sovereignty

As recently spotlighted at VMware Explore US, Sovereign Cloud continues to gain momentum.​ Sovereign Cloud business estimated TAM is $60B by 2025, in no small part due to the rapid increase of data privacy laws (currently 145 countries have data privacy laws) and the complexity of compliance in highly regulated industries.​

As the need to monetize data grow and nations seek to realize the true value of data, VMware is delivering on our Sovereign Cloud position: Sovereign Security, Sovereign Compliance, Sovereign Control, Sovereign Autonomy, and Sovereign Innovation.

Previously, we looked at what data sovereignty is and how it impacts business operations when it comes to personal, sensitive or classified data. Now let’s look at how an organization can better comply with data sovereignty laws by choosing the right cloud architecture.

Most businesses have moved to cloud computing for at least some of their data. Cloud provides greater flexibility, scale, and computational power than traditional on-premises data centers. While public clouds are popular for their high capacity and low costs, some organizations have started moving data out of them to comply with regulations. 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds.1 Some have moved data back on-premises, whereas others are using a mix of public and private clouds.  Ultimately, protecting and realizing national data has never been a more important factor in building a cloud.  From the combination of increasing country regulations:  compliance with the US Cloud Act, EU’s GDPR, China’s Personal Information protection law with data privacy laws in 132 countries and with an annual increase of ~10%, choosing the right Data Sovereignty solution has become a hot topic.

To better understand why a business may choose one cloud model over another, let’s look at the common types of cloud architectures:

• Public – on-demand computing services and infrastructure managed by a third-party provider and shared with multiple organizations using the public Internet. Public clouds are usually multi-tenant, meaning multiple customers share the same server, although it’s partitioned to prevent unauthorized access. Public clouds offer large scale at low cost.
• Private – infrastructure is dedicated to a single user organization. A private cloud can be hosted either in an organization’s own data center, at a third-party facility, or via a private cloud provider. Private clouds are generally more secure than public due to limited access and can meet regulatory requirements such as data privacy and sovereignty. However, they require more resources to set up and maintain.
• Community – shared cloud that is integrated to connect multiple organizations or employees for collaboration. This can be multiple private clouds connected together to facilitate the exchange of data. These are frequently used by regulated industries where public clouds are not compliant, but they are complicated to set up due to having multiple groups involved.
• Government – a type of private or community cloud designed specifically for government bodies to maintain sovereignty and control
• Multi-cloud – using multiple public clouds to take advantage of different features. An organization may host some services in one cloud and others with a different provider. This model has the highest level of security risk due to the volume of data and access.
• Hybrid – a mix of public and private clouds. The term is sometimes also used to refer to a mix of public cloud and on-premises private data centers.

While public clouds are suitable for public information that isn’t subject to data sovereignty laws, a hybrid or other more private solution is needed for overall compliance. Private clouds can meet data sovereignty requirements, but they need dedicated data centers, operated either by the organization itself or via a provider using dedicated hardware. This can be expensive and time-consuming.  The quickest or off the shelf solution may not include the level of security or compliance necessary to be sovereign.  Key factors in consideration are jurisdictional control, local oversight, data portability and customizability to name a few.

Sovereign cloud is an option designed specifically to meet data sovereignty requirements. Think of this as a semi-private cloud, combining some of the best features of public and private. They are operated by experienced cloud providers that are smaller, local, multi-tenant operations. A sovereign cloud provides the data sovereignty benefits of a private cloud without the IT headaches.

Sovereign cloud can be used in conjunction with public cloud as part of a hybrid cloud architecture. Data and services subject to data sovereignty laws would live in the sovereign cloud while non-sensitive data and services might live in the public cloud. The exchange of data between these clouds must be carefully controlled to ensure compliance.

When it comes to finding a sovereign cloud provider, customizability, flexibility and frictionless implementation is critical. You need to be able to audit operations and access to make sure compliance is maintained. Local, self-attested sovereign cloud providers can follow implement and build residency requirements correctly so that data residency and sovereignty requirements are met. Cross-border restrictions and jurisdictional control must also be understood addressing privacy concerns with no remote processing of data.  At the end of the day, true sovereignty ensures that other jurisdictions are unable to assets authority over data stored beyond national borders; fostering national data interest and growth.

True Sovereign Clouds require a higher level of protection and risk management for data and metadata than a typical public cloud. Metadata, or information about the data such as IP addresses or host names, must be protected along with the data itself.  VMware Sovereign Cloud providers  offer transparency around security measures, both cybersecurity protections and physical security in the data center.

VMware Sovereign Cloud providers  are…

• trusted approved partners in providing best in class IaaS Security and compliance
• experts in local platform builds as well as local data protection laws
• able to provide solutions for data choice and control, cost efficient (TCO) solutions that are flexible and customizable
• able to grow with customer needs providing a complete solution that is future proof  

Customers requiring sovereign solutions demand the expertise and transparency offered by VMware Sovereign Cloud providers…ensuring  security and compliance with local data privacy and sovereignty laws. This expertise and transparency becomes invaluable, enabling  data  security and compliance.

Find your Sovereign Cloud provider today, check out the latest VMware Sovereign Cloud Infographic or join the conversation via our Linkedin community at  VMware Sovereign Cloud | Groups | LinkedIn

Source: IDC, commissioned by VMware, Deploying the Right Data to the Right Cloud in Regulated Industries, June 2021