What is sovereign cloud, and how can your organisation benefit from it? In this blog post, Wenche Karlstad guides you through the regulatory maze and explains how to deal with sensitive data in cloud.Watch also related webinar!
Behind the move to make clouds sovereign is the need for digital sovereignty. In practice, this is all about data: where does it reside, where is it flowing, and who has control over it? These questions are critical for a modern data economy, where data means power. Inevitably, cloud services come under the spotlight. They are the engines of the data economy.
European industries and public sector organisations are storing more and more data in cloud data centres. As everyone knows, this playground is dominated by American tech giants. Now, regulation has caused a legal limbo around cloud. Among the driving factors are the US Cloud Act and similar laws in other countries such as China. They are in conflict with new EU rules and decisions by the EU Court of Justice, in particular a ground-breaking case coined Schrems II.
The European Union wishes to mitigate dependence and the risk of foreign access to critical data, also considering that cloud is the powerhouse of AI, and other essential technology. EU regulations, such as GDPR, Data Act and Data Governance Act, are meant to control the flow of data across borders to prevent the risk of access to data by non-European authorities. In particular, the rules demand that sensitive or critical data stay on sovereign soil. This is emphasised in the Schrems II judgment. As a result, Chief Data Privacy Officers now need to understand and assess what data is stored in the cloud and whether any of that data is being transferred outside of the EU.
The amount of metadata that cloud providers are collecting is much greater than people realise. The collection is often automatic and may include data such as IP addresses, credentials, as well as logging and diagnostic reports. The recommendation is to do a thorough data classification and application assessment to secure compliance. Organisations must deploy the right applications and the right data into the right cloud, whether it is private, hybrid or native public cloud.
It is necessary to differentiate what data can be classified as critical according to national and regional security standards. First, there are different classification tiers such as public, confidential or restricted data, which vary by country or region. Second, there are different types of industry data such as national, corporate, or personal. That is why the first thing to do is a full data and application assessment.
Today, sovereign cloud lacks a definition that is commonly accepted or used in the industry. But fundamentally it is about data, its ownership, trust, control, national interests, and compliance with regulations. Why?
A sovereign cloud ensures all data including metadata stays on sovereign soil and prevents foreign access to data under all circumstances. It provides a trusted environment for storing and processing data that can never be transferred across borders and must remain under one jurisdiction. Sovereign cloud is really about protecting and unlocking the value of critical data. Sovereign clouds are mature and well-established solutions that are part of emerging multi-cloud landscape. They also provide all the other core benefits of cloud such as agility, security and automation.
In the end, sovereign cloud should be a part of a multi-cloud strategy. It just demands understanding that not all data is the same and that there are differences between clouds. The clouds have a different value proposition, and organisations must use each flavour side by side. It’s time to update your cloud strategy to match the current regulatory maze and take sovereign cloud as part of the palette.
Above all, digital sovereignty is the right of the nations, organisations and citizens to have control over their digital autonomy and their data. The sovereign cloud infrastructure is the connected ‘highways’ needed to unlock all the potential of the data-driven economies and promote the innovation of the society through digital technologies. Digital ecosystems need to flourish through collaboration and open access to commonly architected data hubs. The values of openness, trust and transparency, as well as the inclusiveness that we are proud of in the Nordic countries deserve to be guaranteed through digital empowerment.
We are here to guide you through the maze, so don’t hesitate to contact us to continue the discussion.
Learn more about our services here to ensure that your data is protected and kept sovereign with a trusted, cloud infrastructure and data platform provider.
Wenche is passionate about creating value for our customers and enabling growth with attractive service offerings. She has near twenty years of experience in the IT business with different roles within management and advisory, bringing new services to the market.
In her current role as Head of Strategic Differentiation Programs at Tietoevry Connect, she is leading a global team of experts and managers.