Choosing the Right Cloud for Data Sovereignty

As recently spotlighted at VMware Explore US, Sovereign Cloud continues to gain momentum.​ Sovereign Cloud business estimated the total addressable market (TAM) will be $60bn by 2025, in no small part due to the rapid increase of data privacy laws (currently 145 countries have data privacy laws) and the complexity of compliance in highly regulated industries.​

As the need to monetise data grows and nations seek to realise the true value of data, VMware is delivering on our sovereign cloud position: sovereign security, sovereign compliance, sovereign control, sovereign autonomy, and sovereign innovation.

Previously, we looked at what data sovereignty is and how it impacts business operations when it comes to personal, sensitive or classified data. Now let’s look at how an organisation can better comply with data sovereignty laws by choosing the right cloud architecture.

Most businesses have moved to cloud computing for at least some of their data. Cloud provides greater flexibility, scale, and computational power than traditional on-premises data centres. While public clouds are popular for their high capacity and low costs, some organisations have started moving data out of them to comply with regulations. Some 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds.

Some have moved data back on-premises, whereas others are using a mix of public and private clouds. Ultimately, protecting and realising national data has never been a more important factor in building a cloud. From the combination of increasing country regulations: compliance with the US Cloud Act, EU’s GDPR, China’s Personal Information protection law. With data privacy laws in 132 countries and with an annual increase of ~10%, choosing the right data sovereignty solution has become a hot topic.

To better understand why a business may choose one cloud model over another, let’s look at the common types of cloud architectures:

• Public – on-demand computing services and infrastructure managed by a third-party provider and shared with multiple organisations using the public internet. Public clouds are usually multi-tenant, meaning multiple customers share the same server, although it’s partitioned to prevent unauthorised access. Public clouds offer large scale at low cost.
• Private – infrastructure is dedicated to a single user organisation. A private cloud can be hosted either in an organisation’s own data centre, at a third-party facility, or via a private cloud provider. Private clouds are generally more secure than public due to limited access and can meet regulatory requirements such as data privacy and sovereignty. However, they require more resources to set up and maintain.
• Community – shared cloud that is integrated to connect multiple organisations or employees for collaboration. This can be multiple private clouds connected together to facilitate the exchange of data. These are frequently used by regulated industries where public clouds are not compliant, but they are complicated to set up due to having multiple groups involved.
• Government – a type of private or community cloud designed specifically for government bodies to maintain sovereignty and control.
• Multi-cloud – using multiple public clouds to take advantage of different features. An organisation may host some services in one cloud and others with a different provider. This model has the highest level of security risk due to the volume of data and access.
• Hybrid – a mix of public and private clouds. The term is sometimes also used to refer to a mix of public cloud and on-premises private data centres.

While public clouds are suitable for public information that isn’t subject to data sovereignty laws, a hybrid or other more private solution is needed for overall compliance. Private clouds can meet data sovereignty requirements, but they need dedicated data centres, operated either by the organisation itself or via a provider using dedicated hardware. This can be expensive and time-consuming. The quickest or off the shelf solution may not include the level of security or compliance necessary to be sovereign. Key factors in consideration are jurisdictional control, local oversight, data portability and customisability to name a few.

Sovereign cloud is an option designed specifically to meet data sovereignty requirements. Think of this as a semi-private cloud, combining some of the best features of public and private. They are operated by experienced cloud providers that are smaller, local, multi-tenant operations. A sovereign cloud provides the data sovereignty benefits of a private cloud without the IT headaches.

Sovereign cloud can be used in conjunction with public cloud as part of a hybrid cloud architecture. Data and services subject to data sovereignty laws would live in the sovereign cloud while non-sensitive data and services might live in the public cloud. The exchange of data between these clouds must be carefully controlled to ensure compliance.

When it comes to finding a sovereign cloud provider, customisability, flexibility and frictionless implementation is critical. You need to be able to audit operations and access to make sure compliance is maintained. Local, self-attested sovereign cloud providers can follow implement and build residency requirements correctly so that data residency and sovereignty requirements are met. Cross-border restrictions and jurisdictional control must also be understood addressing privacy concerns with no remote processing of data. At the end of the day, true sovereignty ensures that other jurisdictions are unable to access authority over data stored beyond national borders; fostering national data interest and growth.

True sovereign clouds require a higher level of protection and risk management for data and metadata than a typical public cloud. Metadata, or information about the data such as IP addresses or host names, must be protected along with the data itself. VMware Sovereign Cloud providers offer transparency around security measures, both cybersecurity protections and physical security in the data centre.

VMware Sovereign Cloud providers are…

• trusted approved partners in providing best in class IaaS Security and compliance
• experts in local platform builds as well as local data protection laws
• able to provide solutions for data choice and control, cost efficient (TCO) solutions that are flexible and customisable
• able to grow with customer needs providing a complete solution that is future proof  

Customers requiring sovereign solutions demand the expertise and transparency offered by VMware Sovereign Cloud providers – ensuring security and compliance with local data privacy and sovereignty laws. This expertise and transparency becomes invaluable, enabling data security and compliance.

To find out more on how to improve data control and compliance with sovereign clouds click here.