Sovereign cloud or Secured Cloud?

There is quite a lot of debate about Sovereign cloud, Cloud security and GDPR compliance.

Here is a technical perspective on the topic, without getting into legal and political debates.

Threats to IT Services:

  • Data integrity and confidentiality – This is the main driver behind the increased demand for data security, encryption and threat protection.
  • Service resilience and availability – Implementing a highly available service, with continuity even during different levels of failure, attracts additional IT assets and cost. This high-cost requirement seldom gets compromised due to an inhibiting cost vs value analysis.
  • Adoptability of innovation – Typically, business innovation teams and CTO teams look for more freedom, more flexibility and relaxed security due to the nature of new tech. This is often a key cause of conflicts with business, security and IT teams, and seldom takes lower priority due to threat perception.
  • Increased user demands – Due to the explosion of new tech and the more engaging end-user experience in retail, product companies, telcos and the rest of the private sector, there is higher demand on public sector systems, whether an energy utility, a tax office or a pension system. End users always expect higher efficiency, better features, the latest information and user-relevant content.
  • Geo-political threat perception – With many cases of data leakage, WikiLeaks and political conflicts, there is low trust in many service providers, especially those under a cross-geography jurisdiction. With recent direct and indirect armed conflicts across the globe, the IT and network threat perception has risen significantly. Look at this list of cyber incidents on the public sector in the last few years.

Key challenges and mitigation options:

  • Data classification – Quite often we have seen teams marking most of a local data set as confidential or secret. Quite often, a lack of data isolation and several data duplications force teams to mark a large part of their data sets as confidential or secret.
    • Defining the characteristics of personal data, and limiting them to key characteristics such as names, addresses, contact information and social security, is critical.
    • Data de-duplication and reconciliation are essential for IT for many reasons. MDM can help achieve better data quality and data centricity.
    • Widely used industry best practices classify data into Restricted, Confidential, Internal and Public.

Data classification example from Gartner: ref

Instead of treating the whole data sensitivity problem as one big problem, there are ways to slice and dice it into multiple layers and fix it a slice at a time. Data classification and data landscape mapping are a very important first step.

  • Data Confidentiality: Data hosted by datacenter service providers or cloud providers presents potential security risks, such as unauthorized access to data and data breaches. Quite often the local connectivity, storage, backup and DR in the local datacenter are not encrypted because of a legacy false sense of security.
    • It is essential to ensure that the service provider has appropriate security measures in place to protect the data that is stored and processed. An in-house datacenter or a smaller local datacenter provider can never compete against the multi-level security protection and automation of a hyperscaler.
    • Hyperscalers provide several configurable encryption and security protection functions. But in the end it is the responsibility of the consumer or system integrator to implement encryption for internal and external network, storage, archive, IDS, IPS, WAS, etc.
    • It is extremely important to have a key management strategy and best practices defined independently of the hyperscaler or hosting provider. With several possibilities, including software and hardware options for key management, the customer can be in complete control of data confidentiality.
    • By leveraging the Well-Architected Framework from AWS or Azure, we can adopt a multi-level, industry-standard approach to achieve data confidentiality.

The devil is in the details. Just hosting the data and apps in a local server or data center doesn't protect them from data risks. Multi-level security protection and automation in security validation, compliance, detection and execution are essential.

  • Data Residency and Sovereignty: One of the biggest challenges in using a public cloud for government agencies is ensuring that data is stored and processed in compliance with GDPR requirements around data residency and sovereignty. Government agencies need to ensure that data is stored within the EU and that the cloud provider has appropriate data residency guarantees in place.
    • Microsoft, AWS and Google have invested in datacenters in the EU, especially in Ireland. They have acquired most of the security and compliance certifications, including ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR etc. Refer to Azure compliance per geography or AWS compliance programs.
    • In the last few years we have seen an increased appetite among hyperscalers for accepting data residency terms and conditions.
    • Legal complications such as the CLOUD Act, Schrems II and the EU-US Privacy Shield have been ongoing for the last several years, and it is quite uncertain how long they will continue. ref
    • There is increased threat perception, especially for the EU-based public sector, energy utilities and critical infrastructure. This is not only about data leakage, but also about significant risks to service resiliency and availability. Here is a list of cyber incidents on the public sector. One recent case is the concurrent DDoS attacks on Sweden (utility, airline, hospitals) by “Anonymous Sudan”.
    • There is increased adoption of public cloud for data classified as low sensitivity, with the help of the right security and compliance implementation.

There are aspects of security and regulatory compliance which are taking too long to arrive at a clear resolution. At the same time, there are apparent risks to the current status quo due to cyber threat potential, business demand and missed opportunities. Therefore, a more pragmatic, time-bound and adaptable approach is essential.

  • Agility and scalability – Quite often, while balancing compliance and security needs, there is a lot of compromise on the innovation ability and agility of the platform. The cost of a small-scale, highly sovereign secured platform forces limits on scalability.
    • The traditional security approach demands predictable systems, networks, logs and assets. A new distributed, granular architecture with an automated DevOps lifecycle makes it challenging to validate the architecture, releases and operations for security in real time.
    • Public cloud providers are a more appealing option for agility and scalability due to their infrastructure as code, pipeline as code and security as code approaches. It takes minutes, or just programmed triggers, to invoke security measures when needed.
    • SecOps using security as code is critical across the entire lifecycle. Leveraging security standardization in landing zones, along with policy and compliance monitoring, is critical in bringing automation to security. Refer to SecOps Automation best practices.

With new advanced threats, automation and agility of the IT platform are essential, whether for scalability of infrastructure or for security implementation. With broader DevOps adoption and modern architecture, modernizing and automating security is key.
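
The policy and compliance monitoring described above can be written as code that runs on every inventory change. The following is an added example, not part of the original article: it applies the article's four classification levels to a resource inventory and flags residency, encryption and key-ownership gaps. The control matrix, the EU region allow-list, the `Resource` fields and the sample inventory are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed control matrix per classification level (the levels are the article's).
POLICY = {
    "Restricted":   {"eu_only": True,  "encrypted": True,  "customer_key": True},
    "Confidential": {"eu_only": True,  "encrypted": True,  "customer_key": True},
    "Internal":     {"eu_only": True,  "encrypted": True,  "customer_key": False},
    "Public":       {"eu_only": False, "encrypted": False, "customer_key": False},
}
EU_REGIONS = {"eu-west-1", "eu-north-1", "eu-central-1"}  # assumed allow-list

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str | None  # None = never classified
    region: str
    encrypted: bool
    key_owner: str  # "customer" or "provider"

def evaluate(res: Resource) -> list[str]:
    """Return the policy violations for one resource."""
    if res.classification not in POLICY:
        return ["unclassified"]  # fail closed: never default to Public
    rule = POLICY[res.classification]
    findings = []
    if rule["eu_only"] and res.region not in EU_REGIONS:
        findings.append("residency")
    if rule["encrypted"] and not res.encrypted:
        findings.append("unencrypted")
    if rule["customer_key"] and res.key_owner != "customer":
        findings.append("provider-held-key")
    return findings

def audit(inventory: list[Resource]) -> dict[str, list[str]]:
    """Map resource name -> violations, omitting compliant resources."""
    return {r.name: f for r in inventory if (f := evaluate(r))}

# Constructed sample inventory; resource names are hypothetical.
INVENTORY = [
    Resource("tax-records-db", "Restricted", "eu-west-1", True, "customer"),
    Resource("pension-backup", "Confidential", "eu-west-1", False, "provider"),
    Resource("hr-archive", "Internal", "us-east-1", True, "provider"),
    Resource("open-data-site", "Public", "us-east-1", False, "provider"),
    Resource("legacy-share", None, "eu-north-1", True, "provider"),
]
if __name__ == "__main__":
    print(audit(INVENTORY))
```

Treating an unclassified resource as a finding keeps gaps in the data landscape mapping visible instead of letting them pass as Public.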

  • Cost vs Flexibility: While using a public cloud can provide significant cost savings for government agencies, a sovereign cloud hosted in a private datacenter, with higher agility, security and scalability, can be significantly costly. There is a debate that an owned sovereign cloud can provide more customization, especially for VMs or containerized workloads. But this bears no comparison to the amount of flexibility in configurability, X as code models and observability which a hyperscaler can bring in. There are also costs for data migration, integration and training.
    • A cost-benefit analysis is essential when choosing between a sovereign cloud hosted in a private datacenter and a secured cloud hosted with a public cloud provider. A hybrid cloud approach that combines on-premises and public cloud solutions could offer a greater combination of flexibility and control.
  • Contractual Control: Agencies may feel that they are giving up control over their data and IT infrastructure by using a public cloud service. This risk can be mitigated by ensuring that appropriate contractual agreements are in place and that the cloud provider has appropriate policies and procedures in place for data management and access.
    • Exit Strategies: Government agencies should have an appropriate exit clause in place in case they need to switch cloud providers in the future. While IaaS and containerization give protection against vendor lock-in, serverless or SaaS options can still provide alternatives by focusing on data and functional parity, with a slightly higher cost of change.
    • GDPR DPA: Appropriate contractual agreements, including a GDPR-compliant data processing agreement (DPA), should be in place between the government agency and the cloud provider to ensure that all parties understand their roles and responsibilities.
  • Cost of doing nothing: We have seen many organizations spending sometimes 3-4 years making decisions about a strategic sovereign cloud. The cybersecurity risk perception in Feb 2023 has been raised to the highest level in the last 30 years. Increased attacks by state actors during the current geopolitical complications make decision making difficult for CxOs.

Looking at the current demand for transformation, as well as the current threat perception and risks to compliance, action to change the current IT hosting is necessary. Several locally hosted sovereign cloud alternatives are up for grabs and are good alternatives in the short term. However, for agencies that are heavily invested in their own datacenter, it is essential to carry out a cost vs benefit analysis while objectively looking at security and compliance for modern IT applications serving an agile end-user experience. Hyperscalers certainly provide a viable platform and, in partnership with the right internal IT capability or system integrator, the majority of business demands can be fulfilled with higher data confidentiality.

  • Mahesh Koli
    VP Cloud Transformation, Sogeti Ireland