Alan Zeichick | Content Strategist | October 13, 2023
Start with a proposition: Some or all of your organization’s data must stay within a certain national or regional geographic boundary, whether a state or country or a broader region, such as the European Union. The reasons for this requirement vary. Perhaps there are governmental rules covering your industry, or perhaps you manage specific types of regulated data, such as personally identifiable information (PII). Perhaps there are business-specific or competitive concerns. Whatever the underlying reason, the requirement is called digital sovereignty or data sovereignty.
The latter term, however, is a bit of a misnomer. In many cases, sovereignty compliance requirements go beyond the storage of database tables. All the computers that process regulated data may be required to be within a geography, along with all the networks, data flows, backups, and disaster recovery systems. Sometimes, even the people who have access to regulated systems must be citizens of that jurisdiction or have security clearances.
One way organizations can satisfy digital sovereignty requirements is to store everything in a local data center. Another is to use the cloud—specifically a sovereign cloud that offers all the advantages of cloud computing while helping to meet some digital sovereignty requirements.
Let’s explore the requirements for digital sovereignty and how a sovereign cloud can help an organization stay compliant.
A sovereign cloud is a cloud environment that helps an organization meet its digital sovereignty requirements. Under most sovereignty frameworks, organizations look to protect personal information about individuals. However, sometimes the scope is broader, encompassing intellectual property, software, business methods, financial data, information about IT infrastructure, and even metadata that describes how big a data set is and how quickly it’s growing. A sovereign cloud may be housed at a facility owned by a cloud computing provider and accessed by an organization’s user and non-cloud IT systems over the internet or via dedicated communications links that aren’t connected to the internet.
A sovereign cloud may also be configured as a separate “cloudlike” installation within a large organization’s own data center; the installation acts like a cloud environment and is maintained by the cloud service provider, but it’s physically isolated from the outside world.
A sovereign cloud will have some level of one or more of the following six capabilities; specifics will depend on geographic, regional, and other requirements.
To understand what a sovereign cloud can do, imagine you run a company that does business in the European Union (EU). The EU is an ideal test case because not only does it have overall requirements but so too do each of its member nations. Therefore, every organization charged with maintaining digital sovereignty within the EU must meet both EU and national requirements.
Within the EU, cloud sovereignty laws are guided by an interlocked web of regulators, and regulations are constantly changed—in general, to be stricter. Much of that regulatory evolution is driven by national parliaments and the European Parliament in Brussels in response to both citizens’ demands and constant political pressure for protection against foreign business interests, law enforcement, and courts. That’s where laws such as the EU’s General Data Protection Regulation (GDPR) come in.
Imagine that an organization has subsidiaries with offices, employees, and customers in both Germany and France. There may be some data that can be shared between the two countries while complying with EU requirements, while other data may be restricted by German or French laws and must remain only within the specific country. Both the customer organization and the cloud service provider share responsibility for ensuring the sovereign cloud can meet all those requirements and—just as critical—that it’s configured to do so in ways that are demonstrable to all parties.
A proper EU-compliant sovereign cloud will include EU-wide sovereignty to provide customers with control over data and data flows in compliance with EU regulations, include non-EU access protections to detect, challenge, and block access from outside the EU, and, as appropriate, handle stakeholder notifications and allowable waivers.
Establishing a sovereign cloud can be a complex undertaking, even with a capable provider. However, it pays off in a variety of ways. First and foremost: compliance. Cloud sovereignty broadly addresses geographic, political, and industry regulations, data portability, and compliant data transfers within and between regulatory domains.
In addition, a sovereign cloud delivers the following benefits:
For organizations in heavily regulated industries, running a sovereign cloud inside an owned data center may previously have been the only option. Today, cloud providers can offload much of that burden. But there are five key factors to consider when deciding to move ahead.
Despite the benefits, establishing cloud sovereignty requires an organization’s IT team to overcome some obstacles, including:
Digital sovereignty laws and regulations are complex and becoming more so constantly. Whether organizations use a sovereign cloud or a traditional data center, the regulatory landscape makes it difficult to know what's compliant and what isn’t. A full-service sovereign cloud provider will have both the expertise and processes to keep its offerings up to date as regulations change.
Does an organization merely need to ensure that personally identifiable information (PII) is properly encrypted and stored within national boundaries, or does regulatory compliance extend to the servers housing a document repository, the control systems, and the citizenship and security clearances of all staff with physical access to the hardware? You can’t comply until you know what’s required.
Cloud sovereignty can apply to not only the primary data center but also all backup recovery sites and facilities, which means the cloud service provider must have sufficient resources to offer such facilities within the defined jurisdiction.
Some service providers have built specialized sovereign cloud offerings. As a result, the applications, features, and services they offer in their public clouds may not be available, or fully available, in their sovereign cloud.
Some regulatory regimes require the sovereign cloud to be owned and operated by a service provider headquartered and owned within the specific geographic region. Ensure that a global cloud service provider has the right partnerships, licenses, and legal frameworks in place to meet those requirements.
Companies looking to establish sovereign clouds will need to consider their requirements for these five key features, in addition to any industry-specific or competitive factors at play.
Carefully select the location of your sovereign cloud data center and backup locations based on both compliance regulations and business considerations. Data points to collect include the location(s) of the provider's cloud data centers, the location(s) of other data centers owned by partners, and whether a dedicated sovereign cloud inside the customer's own facility is feasible.
An organization should always be able to choose which companies, partners, and customers—and software and services—can access its cloud environment. In some cases, such as when national security is at stake, the customer may choose a fully dedicated facility.
An organization should control which administrative and technical staff, from both the cloud provider and its partners, may have access to their systems, as well as to metadata about those systems, such as performance and utilization metrics.
Sovereign cloud deployments must be flexible when enabling compliance with regulations and security standards to reflect the possibility of overlapping jurisdictions, each with its own requirements. In some cases, a customer may have unique needs for specific regulatory controls and accreditations.
For many or most customers, an encrypted connection to the public internet may be the best, most affordable, and fully compliant network link. However, some customers or applications may require air-gapped regions totally isolated from the internet or other networks.
You can’t have data sovereignty without encryption, and that goes for data stored in databases, the APIs and other services that provide access to those databases and applications, and also user interfaces. Encryption is a complex subject due to the number and versions of commonly used algorithms, the size of the keys, and regulations regarding storage of and access to the encryption keys. This reality is true whether data sovereignty is enabled within a traditional data center or in a sovereign cloud—though in the case of the cloud, questions about the storage of and access to encryption keys must be resolved in a way that is both compliant and meets business needs.
When a cloud service provider manages the keys, the master encryption key is generated by the sovereign cloud software; when the customer manages the keys, the master encryption key is stored within a secure key vault the provider can’t access. The hardware security module (HSM) comprising those key vaults should be both tamper resistant and tamper evident and able to react if attacked.
Data stored in a database or in a document—sometimes called “data at rest”—should be encrypted by default. This includes data in traditional relational databases, Docker/Kubernetes containers, object databases, file systems, block databases, and even boot records.
Information that is being transmitted over a network—sometimes called “data in transit”—should use up-to-date protocols compliant with standards such as Transport Layer Security (TLS) 1.2 or later and X.509 digital certificates, at a minimum. Local regulations may require even stricter encryption, such as MACsec (IEEE 802.1AE) for Ethernet networks. Such encryption should be enabled by default and never allow data transmission in plain text.
Data sovereignty may have exploded into public view with the passage of the EU’s General Data Protection Regulation (GDPR) in 2016, but that was only the beginning. Each year, countries around the world, as well as regions such as the European Union, revise their data sovereignty requirements. They’re tightening the standards to eliminate ambiguity, reduce weaknesses, improve consumer and political confidence, protect businesses, and respond to geopolitical situations, such as economic conflicts, military conflicts, terrorism, and cybercrime.
Here's one prediction: Digital sovereignty laws and regulations will increase in number and complexity.
Here’s another: Financial and criminal penalties for failing compliance audits or having data breaches that expose regulated data will be harsh.
According to IDC, due to recent economic and geopolitical events, at least 75% of global businesses consider digital sovereignty to be increasing in importance as a business and technology concern. Improving and implementing privacy measures is now the top priority for multinationals.
What’s more, reports IDC, at least half of enterprises will spend more than 25% of their total budgets on the public cloud, with infrastructure as a service (IaaS) in use by 56%. This is prompting increased focus on the cloud component of digital sovereignty requirements.
Fears driving the providers of sovereign clouds, adds IDC, include protecting customer data from access by admin and support staff as well as maintaining business continuity and compliance with disaster recovery regulations.
Resilience is clearly the name of the game.
Overall, cloud sovereignty is a relatively new concept; organizations are only just starting to understand all the implications it will have on their cloud strategies. Implementing a sovereign cloud means coming to grips with new IT requirements for infrastructure, strategy, governance frameworks, and skills. As the sovereign cloud is a long-term play, organizations are focusing on the domains and regulatory environments that have the most-rigorous regulations while investing in monitoring new legislation and changes to industry rules. Because once regulations tighten, they’ll never loosen—it’s a one-way trip.
When choosing a sovereign cloud solutions provider, look for the vendor that delivers the best overall cloud solution that also helps meet your digital sovereignty requirements. Ideally, the services available in the sovereign cloud will be the same as those offered in the provider’s public cloud, with the same service-level agreements (SLAs) for performance, management, and availability.
Ideally, the services available in the sovereign cloud will be the same as those offered in the provider’s public cloud, with the same service-level agreements (SLAs) for performance, management, and availability.
One major factor to consider is whether you can go with a single-vendor solution, which is owned and operated by an approved legal entity within the regulated region. Joint ventures and partnerships can lead to finger-pointing over support issues, integration complexities, slower product releases, and, in some cases, fewer available features.
A sovereign cloud provider should offer data sovereignty as an essential feature of its cloud, not as a bolt-on package or subset of its public offerings. That will make deployment easier because the sovereign cloud uses the same hardware, software, and services as the public cloud, just with greater access control and other compliance restrictions enabled.
Disaster recovery is critical for sovereign cloud planning and deployments; look for cloud regions within the geography that can be configured with recovery and failover remaining within the compliance area.
A sovereign cloud vendor should also have the expertise to help navigate the complex, ever-changing web of regulations. The vendor and the customer should be able to seamlessly share responsibility for compliance, including accreditations as necessary.
Oracle Cloud solutions for sovereignty help clients meet their needs for cloud computing involving data and applications that are sensitive, regulated, or of strategic regional importance, as well as workloads governed by sovereignty and data privacy requirements.
Offered in an increasing number of countries and regions around the world, Oracle’s sovereign cloud solutions provide the services and capabilities of Oracle Cloud Infrastructure (OCI) and help customers meet their digital sovereignty requirements.
For example, with Oracle EU Sovereign Cloud, customers can use the same 100 services available in Oracle’s public cloud regions with the same prices, support, workloads, and SLAs for performance, management, and availability as the standard OCI offering but with a physically separated infrastructure and additional safeguards to protect customer data from jurisdictions outside the EU.
Oracle EU Sovereign Cloud, available since June 2023, is located entirely within the European Union, supported by EU-based personnel, and operated by separate legal entities incorporated within the EU. In addition to the more than 100 cloud services already offered, Oracle applications, such as the Oracle Fusion Cloud Applications Suite, will be available as well.
Designed for data residency and security, the Oracle EU Sovereign Cloud is housed in physically isolated data center space and has no backbone network connection to Oracle’s other cloud regions. Customer access to Oracle EU Sovereign Cloud is managed separately from access to Oracle Cloud’s commercial regions.
In addition, Oracle Cloud is designed for high availability within each cloud region to support disaster recovery within national or regional boundaries—for example, Oracle has dual government cloud regions and commercial cloud regions in Wales. Oracle’s sovereign cloud solutions offer organizations operations, support, and policies that are distinct from commercial cloud regions to streamline and simplify compliance with data privacy and sovereignty guidelines and requirements, even for sensitive customers such as those in the intelligence community or the geospatial industry.
For those organizations that are required to maintain their own encryption keys, or that choose to do so for business reasons, a new OCI External Key Management Service is now generally available in Oracle Cloud. With this service, encryption keys always stay in the custody of the customer and are never imported into OCI, enabling customers to move regulated workloads to OCI while complying with the requirement to store keys outside the cloud.
Oracle provides a broad and consistent set of cloud infrastructure services across 46 commercial, sovereign, and government cloud regions in 23 countries to serve its growing global customer base. As of October 2023, Oracle currently operates 36 commercial regions, 2 EU sovereign regions, and 8 government regions, in addition to multiple dedicated and national security regions.
Another Oracle Cloud offering that can be used for sovereign cloud deployments is Oracle Alloy, a complete cloud infrastructure platform that enables partners to become cloud providers and offer a full range of cloud services. Partners can operate Oracle Alloy independently in their own data centers and fully control its operations to better fulfill digital sovereignty regulatory requirements.
In addition, Oracle Roving Edge Infrastructure extends the power of the cloud beyond the data center, allowing organizations to run selected cloud capabilities in remote and austere environments.
Government networks and highly classified workloads may require customer accreditations and compliance requirements that surpass those of internet-connected sovereign cloud regions. In such cases, Oracle National Security Regions offer additional protection, including the following:
IDC defines “sovereignty” as the capacity for digital self-determination by nations, companies, or individuals. Sovereign clouds allow organizations to use cloud computing while meeting the stringent demands of their national, regional, and industry data sovereignty regulations. With a sovereign cloud, organizations can control their deployment’s location, accessibility, operations, support, regulatory requirements, and even internet connectivity.
Beyond simply keeping data about people private, digital sovereignty affects technical and operational controls, data assurance policies, and even technology supply chains.
Manage access to your data and the underlying infrastructure, both by limiting access and ensuring data availability and portability for those you authorize.
What is data sovereignty?
Governments continually pass laws and regulations about how critical digital information must be stored, where it must be stored, and who is allowed to access it. Data sovereignty encompasses compliance with those laws and regulations by organizations and individuals.
What is a sovereign cloud?
A sovereign cloud is a cloud computing environment that helps the customer ensure that all digital information—including stored data and software as well as data in transit across networks—is compliant with data sovereignty laws and regulations.
What is an example of a data sovereignty law?
The General Data Protection Regulation (GDPR), enacted by the European Union in 2016, has comprehensive requirements for organizations that collect and process the personal information of individuals in the EU.
Who can access information in a sovereign cloud?
Data sovereignty laws may restrict data access to software, services, and users within a specific geography, to companies owned locally, or to those that have specific security clearances or other permissions.
Are sovereign clouds connected to the internet?
For many users, sovereign clouds are connected to the internet via encrypted links with strong access controls. For some government users and highly secure applications, however, the sovereign cloud may be air-gapped and totally disconnected from the internet.
Are cloud backups and disaster recovery scenarios subject to data sovereignty rules?
Yes. Backups and disaster recovery sites must be fully compliant with data sovereignty rules; for cloud sovereignty, that means secondary cloud regions must be within the same geography or regulatory domain.
Why is location important for cloud sovereignty?
Having the ability to choose the geographic regions where they store their data is important for organizations that need to retain control over their data to comply with data sovereignty laws and regulations.