Sovereignty in the Cloud Environment – What Does it Mean?

Originally published by T-Systems International.

Written by Moritz Nowitzki.

Why a Sovereign Cloud?

For those currently considering a cloud transformation in Germany, the concept of a Sovereign Cloud is unavoidable. But what does sovereignty entail, and why is it so crucial?

European businesses require the Public Cloud to fuel their growth, yet they must align it with legal regulations. Sovereign Clouds, on the other hand, bring together data, software, and operational sovereignty, enabling companies to act autonomously. This paves the way for self-determined sustainability in utilizing available resources.

From Niche to Everyday Experience – Germany is Digital

The debate over when the internet was actually born may persist. The fact remains that, in 2022, 93 percent of Germans and around 5.3 billion people worldwide were already "connected" to it – a trend on the rise. According to estimates, by as early as 2025, the annually generated data volume will reach 181 zettabytes. Initially, even experts believed the internet to be a niche application with only a few use cases, but today, it's an integral part of the private and professional lives of most individuals.

The digital mindset has fully taken hold of Germany, whether it's about paying at the supermarket checkout or handling governmental matters: Fueled by the constraints of the COVID-19 pandemic, what is sought after today is what functions flexibly, quickly, and reliably. A significant driver of this evolution is the cloud, which through the internet presents ever-new solutions for e-commerce, autonomous driving, artificial intelligence, and the Internet of Things. But what happens to all these data, and who has access to them?

A New Perspective on Digitalization

The wild days of youth when business decision-makers debated whether their company should "go online" are long gone. Internet activities are now part of the repertoire of modern companies of all sizes. Quite naturally, they discuss day in and day out how to use the internet and its technological offspring like the cloud to create value for new business models and technical innovations. In addition to the search for greater efficiency and new sales opportunities, the aspect of sustainability is also moving more and more into the spotlight. Today, companies and users are aware that (almost) anything is possible on the internet, so they are seeking solutions that also meet their requirements for ethics, data protection, and resource conservation. And they rightfully demand these solutions with confidence.

What is permissible in digitalization?

Digitalization isn't just about technical discussions. Because technical possibilities frequently encounter organizational questions such as: What are we allowed to do? Under what conditions can we process which data? Can we maximize the technical capabilities in a way that propels us forward while also having a positive impact on society? A question that is answered differently from culture to culture, from legal jurisdiction to legal jurisdiction. As intuitive as digitalization might feel, it doesn't exist in a legal vacuum and is not an end in itself.

Connecting Digitalization Potential with Compliance

European businesses need to find ways to harness the (competition-relevant) potentials of digitalization while simultaneously adhering to the regulations applicable within their legal jurisdictions. This includes handling entrusted third-party data, such as within the scope of the EU GDPR (European General Data Protection Regulation), as well as safeguarding internal company data within collaborative value networks and protecting intellectual property. Once again, digitalization raises questions of trust, including those directed towards platforms utilized for digitalization, particularly cloud solutions.

Expectations of Sovereign Clouds

Many companies anticipate a significant boost in innovation from sovereignty-based approaches. They expect Sovereign Clouds to encompass the following requirements: the agility and innovation potential of the cloud environment, compliance with applicable regulations, and the ability to autonomously influence ethical or ecological factors. Users expect not only data protection security, full control over their data, and adherence to legal requirements but also high reliability, transparency, and interoperability. Meeting these expectations instills confidence in users, assuring them of control and flexibility regarding their data and the operation of their cloud services.

What is digital sovereignty?

But what does digital sovereignty actually entail? At first, it's just a buzzword – much like digitalization and the cloud. Sovereignty pertains to a company's business environment. It signifies comprehensive decision-making authority over how one's own business and company evolve. Business sovereignty must be reflected in digital sovereignty. And this has at least three technical facets – which are especially applicable when using a cloud solution.

First Component: Data Sovereignty

Data sovereignty primarily encompasses complete and sovereign control over data access. The data owner must have the assurance that their data in the cloud or data center is not manipulated, deleted, copied, or viewed by unauthorized entities – including the cloud provider. The current optimal approach for data sovereignty consists of two fundamental elements: storing and processing data within a defined legal jurisdiction and utilizing encryption. An external encryption method is best suited for this purpose – key management must occur outside the provider's cloud and be externally managed.

Second Component: Software Sovereignty

The core principle of a sovereign cloud is to shield customers from dependencies. Vital to this is the ability to seamlessly migrate applications to other IT infrastructures at any time, including an internal infrastructure. This is, for instance, one of the BaFin requirements for the exit strategy of a financial institution. Imagine a company wanting to transfer its data from an external cloud to its own servers to maintain full control and flexibility. Alternatively, a company migrates its data from a conventional cloud to a more sustainable server solution to promote the use of renewable energy. With software sovereignty, companies have the freedom to choose their applications, allowing their use cases to operate independently of specific infrastructures. This effectively avoids vendor lock-in. The open and transparent path is significantly influenced by the open-source approach.

Third Component: Operational Sovereignty

What happens if cloud providers decide to build backdoors? Or if they don't offer certain security settings or decide to simply shut down their cloud platform or cease offering it within a specific legal jurisdiction? Blind trust is insufficient for companies in such cases. Cloud users need the guarantee that their cloud providers will further develop the environment in a way that the platform's evolution doesn't undermine the principle of sovereignty. This means ensuring the platform remains future-proof and fully capable while simultaneously preventing unauthorized access to the platform's inherent functionalities.

Sovereign Cloud: Control and Predictability

Companies require control levers and predictability. They must be assured that the entire IT infrastructure (beyond data processing) behaves as if the resources were on their premises or under their sufficient control. They also need the guarantee that they can continue to operate their workloads even if the cloud platform were to disappear. What's needed is a cloud implementation with minimal dependency on the cloud. A true sovereign cloud is characterized by the combination of transparency and control over processes within the cloud infrastructure and future-proofing or independence.

Zero Trust for Sovereign Cloud?

For this, the sovereign cloud must implement a consistent Zero Trust model. Decryption processes and administrative accesses must be 100 percent transparent and auditable for customers. This also applies to changes in security configurations. Only admins from authorized legal jurisdictions should be able to access cloud resources. Furthermore, the sovereign cloud must be designed as an open platform. Workloads must be consistently orchestrated across multi-cloud landscapes – and be readily moved from the sovereign cloud to other platforms.

Sovereign Cloud as Part of the Hybrid Cloud World

Throughout all this, it's essential not to forget – the sovereign cloud doesn't come in a "one size fits all" package. The business reality will be the hybrid cloud. And sovereign clouds will be part of this business reality – wherever companies want to ensure that they fulfill all necessary regulations in agile business projects. Or where they prescribe themselves a high level of security, such as secure data sharing within value networks. In other words, there's no objection to running a webshop in a public cloud.