Sovereign Clouds – Paradox or Paradigm?

Regulatory pressures aside; the changing dynamics of data control, privacy, security and localisation are being the big nudge for sovereign clouds to really emerge as a big market need and business model.

What do you do when you have something really precious to keep in a bank locker? Chances are, you prefer a bank that’s in close proximity—preferably, somewhere in your neighbourhood. It is both a logistical, and psychological, comfort to know that your ‘stuff’ is nearby. Of course, without compromising on the bank’s credentials and ability to guard your chattels.

“The shift towards Sovereign Clouds is not only a response to regulatory requirements but also reflects a broader industry dynamic where organisations prioritise control, security, and compliance in an era of evolving data protection standards and increased cybersecurity threats.” - Rajesh Awasthi, Vice President & Global Head of Managed Hosting and  Cloud Services, Tata Communications

So why does that not apply to lockers called clouds? Or does it? Specially after a slew of regulatory disruptions around data localisation in many countries and industries. From SEBI’s principle-based framework for cloud adoption and recommended baseline security measures (that entail data ownership and data localisation), to GDPR’s de facto localisation requirements, to RBI’s requisites on storing payment data, to the ‘fresh from the oven’ Digital Personal Data Protection Bill, 2023 – it’s time we looked at sovereignty of data as major factor in cloud models. Here we go.

Does Sovereignty matter?

A sovereign cloud takes care of not just regulatory requirements but control issues for an enterprise user. The data, including metadata, never leaves the soil—and access to data is limited to employees and workloads specific to that region.

Recall a 2022 McKinsey report that pointed out how 75 percent of all countries have implemented some level of data localisation rules. The format may change but the underlying pressure is the same. Some enterprises may need a replica of their workloads in the local infrastructure, some have to align with permission-based regulations based on consent and some work with extra investments on security and privacy of customers’ data.

“One emerging technology that could help is confidential computing, which encrypts data not just at rest and in motion, but also during processing. It can be a path to accommodate the intent of the law, and perhaps its letter.” - Shahin Khan, Founding Partner & Analyst, OrionX

Compliance and governance issues put new constraints on data movement and custody, which impacts processing and policies—explains Shahin Khan, Founding Partner & Analyst, OrionX. “Cloud providers must deal with the kind of complex regulations and bilateral treaties that is reminiscent of what telecommunications companies have had to manage. For global cloud providers, it is just another set of regulations, and they have the wherewithal to handle it.”

Rajesh Awasthi, Vice President & Global Head of Managed Hosting and Cloud Services, Tata Communications seconds that. “Yes, sovereign clouds are indeed emerging as a critical demand area, particularly in the wake of regulatory emphasis on data localisation and control. The growing need for cloud-scale capabilities, coupled with evolving data protection regulations, has prompted organisations to adopt hybrid cloud environments that integrate public cloud, private cloud, and on-premises infrastructure. Sovereign cloud technology plays a pivotal role in these environments by allowing organisations to maintain control over sensitive data while benefiting from cloud-scale computing and storage capabilities.”

As seen in ‘IDC FutureScape: Worldwide Future of Digital Infrastructure 2023 Predictions – APEJ Implications’— By 2025, 50 per cent of  the Asia-based 2000 (A2000) organisations could give priority to the trusted infrastructure of sovereign clouds to ensure consistent security and local/regional regulatory compliance for specific sensitive workloads and data.

But as Dario Maisto, Senior Analyst, at Forrester observes, there is no real demand for sovereign clouds in isolation. “Organisations are looking at ecosystems of vendors and service providers across different fields from infrastructure to security and network services that can help them with their digital sovereignty needs. Localising data in the sovereign nation does not help if those data are not adequately protected against cybersecurity attacks or are exposed to non-sovereign applications or get operated by non-sovereign citizens.”

Does Sovereignty hurt or help?

While compliance pressures may leave not much choice for many industry players (specially in verticals like healthcare and BFSI), the accompanying investments and reshuffle can be too much of a lift-and-shift work for even the most deep-pocketed player. But then, it could also have its benefits in the form of less compliance costs, better customer confidence and hardened security perimeters.

The question is – will all this be something that providers can easily roll with?

Khan opines that on balance, it might even promote the use of large cloud providers since it’s a complexity they can handle on behalf of their clients. “But it could be a burden on smaller players and can hinder their growth. One emerging technology that could help is confidential computing, which encrypts data not just at rest and in motion, but also during processing. It can be a path to accommodate the intent of the law, and perhaps its letter, if it is accepted as sufficient fulfillment of the requirements for data protection and governance.”

Seems like cloud players, including major hyperscalers are taking note of this shift. There is something like the Oracle EU Sovereign Cloud with regions in Spain and Germany that are separate from Oracle’s commercial and government cloud regions. As claimed by the company—this separated EU cloud architecture simplifies and strengthens digital sovereignty and controls.

At the time of writing this article, even AWS European Sovereign Cloud was in progress apart from some digital sovereignty features that AWS has already packed in some offerings. The AWS EU Cloud – as per some incipient press updates—could give customers in highly regulated industries and the public sector further choice and flexibility to address evolving data residency and resilience requirements in the European Union (EU); and also allow customers to keep all metadata they create in the EU. VMware already has a Sovereign Cloud for sensitive and regulated workloads—and its latest customer is the Government of Monaco. Google Cloud has a Digital Sovereignty Explorer and Microsoft has something called Microsoft Cloud for Sovereignty that offers what it calls ‘trusted public sector solutions’ that would help an organisation migrate, build, and digitally transform workloads in the Microsoft Cloud while meeting compliance, security, and policy requirements.

Manish Gupta, Vice President, Infrastructure Solutions Group, Dell Technologies India acknowledges the gravity of this need. “In today’s world, business outcomes are increasingly tied to business agility–the speed to reach the market and the ability to adapt to market changes. This leads to the growing adoption of technologies, and among all options, many enterprises turn to public clouds to improve operational reliability and scalability. However, as the saying goes, “every coin has two sides”, and as more data and applications move through the cloud, we also see it giving rise to several concerns around data gravity and data sovereignty.”

Gupta explains that generally, global privacy and data protection laws provide strong frameworks and mechanisms to transfer personal data to other countries and economic regions, if required. Organizations should be able to build better visibility into the clouds they use —but it all hinges on effective data management. “When businesses start working directly with their audit, compliance and legal teams to ensure that they fully understand the regulations. At Dell Technologies, we help businesses navigate their way through sovereignty pathways while also protecting their data in accordance with their organizational and regional requirements.”

“When businesses start working directly with their audit, compliance and legal teams to ensure that they fully understand the regulations. At Dell Technologies, we help businesses navigate their way through sovereignty pathways while also protecting their data in accordance with their organizational and regional requirements.” - Manish Gupta, Vice President, Infrastructure Solutions Group, Dell Technologies India

What would matter here with any sovereign cloud strategy is the ability to offer a true-blue sovereign solution instead of half-baked answers – like the ones being promised through encryption, logical isolation, and one-off features.

Maisto maintains that true digital sovereignty involves key management, encryption, control towers, access management policies, sovereign IoT devices and network components, beyond sovereign cloud infrastructure.

Awasthi brings in the indigenisation angle too. “Tata Communications has always been on the forefront in empowering India and the highly regulated industries within it with a resilient, self-reliant, and fully sovereign cloud. Bolstering India’s resiliency, our cloud platform has been ‘Made in India’ and ‘Made for India’ and takes care of data sovereignty, residency and privacy requirement of critical data used by various regulated entities. Our secure and compliant sovereign cloud offers peace of mind to regulated bodies by ensuring data privacy and sovereignty that safeguards extremely sensitive and valuable data—with both user data and control metadata deployed, monitored, and managed 100% in country and governed by the law of land.”

“True digital sovereignty involves key management, encryption, control towers, access management policies, sovereign IoT devices and network components, beyond sovereign cloud infrastructure.” - Dario Maisto, Senior Analyst, at Forrester

The ‘India focus’ is being addressed by Dell also. Gupta shares, “Sovereign clouds, managed by trusted solution providers like Dell, offer a secure environment for organizations to store and process data, reducing the risks associated with offshore cloud services. Furthermore, they foster economic growth by encouraging the development of indigenous cloud infrastructure. It also supports the national agenda of a ‘Digital India’, and promoting self-reliance in technology. Sovereign clouds in India are pivotal in balancing innovation with data security and sovereignty, ushering in a new era of digital resilience.”

“This trend is reshaping how businesses approach cloud adoption and underscores the importance of balancing technological innovation with regulatory compliance and national interests,” Awasthi opines.

So, will cloud providers shift their tents in a major way? Will their customers shift if they don’t? Time will tell. Or the stuff in those lockers—wherever it moves.

By Pratima H

pratimah@cybermedia.co.in