Keeping it local: Cloud sovereignty a major focus of the future

More data, increased cybersecurity threats, and geopolitical tensions are expected to increase demand for cloud solutions that can operate locally. Meeting this need can protect a company’s reputation, operations, and bottom line.

Ben Stanton

United Kingdom

Paul Lee

United Kingdom

Adam Gogarty

United Kingdom

Gillian Crossan

United States

Kevin Westcott

United States

In 2024, the world is forecast to generate 149 zettabytes of data.1 Cloud makes this scale of data creation and processing possible. A zettabyte, for reference, is a thousand, thousand, thousand, thousand gigabytes. If each byte were a grain of sand, there would be enough to fill every beach on earth almost 20,000 times.2

Cloud is now fundamental and a major industry, forecast at almost US$600 billion in 2023.3 It’s an engine for transformative change and has contributed to improved service delivery, helped enable workforce mobility, and created new frontiers in analytics and artificial intelligence. Cloud computing was founded on the idea that data location doesn’t matter—at least, not as much as economies of scale, or the agility to quickly spin up computing resources on the fly. As the volume, value, and sensitivity of data stored has surged, “cloud sovereignty,” the principle that data stored in the cloud should be subject to the laws of the country in which it physically resides, has become a major focus for policymakers.

In 2024, Deloitte predicts that the national focus on cloud sovereignty will intensify in all developed markets. Therefore, government cloud, a subset of solutions designed to meet the stringent compliance requirements of government agencies, is forecast to surpass US$41 billion in 2024, up 16% over 2023.4 And distributed cloud, which can be a solution to comply with data residency restrictions, is forecast to grow to a US$7 billion market, up from a little over US$4 billion in 2022.5

A brief history of cloud computing

The concept of cloud computing dates to the early days of the internet, with time-sharing in the 1960s6 through to telecom virtual private networks (VPNs) in the 1990s.7 But the mid-2000s marked a paradigm shift with the launch of Amazon Web Services (AWS),8 which brought scalable, on-demand compute to the masses. Google, Microsoft, and others soon followed suit, launching their cloud platforms to cement cloud’s foundational role in modern digital infrastructure.

In the past two decades, companies, governments, institutions, and citizens have gradually moved their data and workloads from private infrastructure (think server racks in an office cupboard) to monolithic cloud data centers. In that time, many also adopted a new breed of “cloud native” applications. As vast quantities of data were stored and transferred across global networks, some governments and companies became concerned about its jurisdiction, governance, and ownership, and the term “cloud sovereignty” started gaining traction.

Legal contradictions cause international frictions

Data localization laws may create operational complexity for global businesses. Regulation tends to change frequently, as countries wrestle with national security, data protection, and new technologies. Companies are expected to be increasingly reliant on data, automation, and AI. They should consider how regulation might change, be invalidated, or be added to. Compliance today is essential, as is operational agility. Being able to quickly adapt to changes in the regulatory framework is crucial, as hundreds of countries develop their regulatory positions, each with their own nuances, some of which might be inconsistent with one another.

So far, several attempts at regulating transatlantic data flow between the European Union (EU) and United States have been invalidated by the European Court of Justice (figure 1). In the last decade, there has also been a flurry of sovereignty-linked regulation, such as EU GDPR (General Data Protection Regulation), the US CLOUD Act (Clarifying Lawful Overseas Use of Data), and some state-level initiatives like the California Privacy Rights Act (CPRA).

Global businesses, as mentioned, need to navigate variation across localized laws. The CLOUD Act, for example, empowers US authorities to access data stored abroad for select law enforcement purposes, but under GDPR, personal data can only be transferred outside the European Economic Area if given an “adequate” level of data protection.9 If a company releases data in accordance with the CLOUD Act but violates GDPR, it could face hefty fines.10 In some cases, governments can reach bilateral agreements such as one between the United Kingdom and United States,11 but these can take time. Instead, companies often resort to end-to-end encryption, where only the sender and receiver can decrypt the data. This means that while service providers might hand over data to law enforcement, the data would be unintelligible without the decryption keys.

To navigate the complex regulatory landscape, data management is crucial. Companies should understand the variety of data types they have, and which classification of data sits in each system (for example, personal information, payments data, regulated financial information). Companies should also consider their “exit strategy” from any current cloud provider, in case of future sovereignty infringements or a changing regulatory landscape. However, the length of cloud contracts, which can be five or more years, and high egress charges (the price to shift data away from a cloud provider) may inhibit customers from migrating between cloud providers.

Localization is a global challenge

The relationship between the European Union and United States is a high-profile example of how data sovereignty frameworks develop, but it’s not the only one. Around the world, many other nations have developed a stance on localization (this is not an exhaustive list):

Russia: One of the earliest and most rigorous enforcers of data localization, Russia’s Federal Law No. 242-FZ mandates that Russian citizens’ personal data be stored within its borders.12 This has had far-reaching consequences for global companies and brands. For example, LinkedIn has seen access restricted in Russia since 2016, as a consequence of its localization laws.13

China: The Chinese Cybersecurity Law (2017) stipulates that “critical information infrastructure operators” store personal data and important business data gathered or generated in China within Chinese territory.14 China has since consolidated its position on localization with the Data Security Law and Personal Information Protection Law (2021), which enforces classification of data and governs international transfers depending on the classification.15

Saudi Arabia: Saudi Arabia introduced its Cloud Computing Regulatory Framework (CCRF) in 2018,16 which specifies data sovereignty conditions on cloud service providers and enforces data residency for certain types of data. In 2021, it introduced its Personal Data Protection Law, under which citizen personal data can only be transferred overseas under a limited set of conditions.17

Sovereignty concerns are likely to escalate

Data sovereignty is already a prominent theme in international discussions, and its significance is likely to grow. Several factors are likely to become more prominent in 2024 and beyond: tensions between companies and nations regarding personal data; geopolitics, such as the Russia-Ukraine war; cloud complexity, with a blend of hybrid and multi-cloud structures; and data protection and cybersecurity issues. Reliance on data is immense, and cloud will likely be the de facto solution for storing, managing, and analyzing it.

Company vs. state: There is a balance between national security and individual privacy, and high-profile cases have often compelled governments to set assertive jurisdictional boundaries over data. One example is the widely publicized case in 2016 in which Apple refused to bypass the encryption on an iPhone related to an FBI terror investigation.18 While this case did not cross jurisdictions, it did underscore the complexities of pitting the interests of state security agencies against data privacy rights and the responsibilities of tech companies to protect user data. Similar cases have occurred across jurisdictions, however, such as the 2013 dispute between Microsoft and the US government over data stored in Ireland that was related to a narcotics investigation.19

Geopolitics: Global tensions between major powers have resulted in technology and data becoming arenas for diplomatic and trade skirmishes.20 The Russia-Ukraine war has brought data jurisdiction issues to the fore, with Ukraine quickly migrating critical data like its population register, land and property ownership, tax payment records, and education records to cloud.21 On the other hand, US-based cloud service providers suspended sales in Russia shortly after the invasion.22

Cloud complexity: Initially, cloud was about shifting on-premises operations to a single cloud provider. However, today’s enterprises often leverage multiple cloud platforms simultaneously—an approach known as multi-cloud—to benefit from features of each provider, optimizing costs, performance, and scalability. Another common approach is hybrid cloud—a combination of private (on-premises) and public cloud solutions—to allow data-sensitive applications to remain in-house while other workloads can benefit from the expansive resources of the public cloud. While multi-cloud and hybrid cloud strategies offer flexibility and optimization, they also introduce challenges. Data is dispersed across various environments, potentially across different jurisdictions. Each cloud provider may have data centers in numerous countries, each with its unique data protection regulations. This makes the management and governance of data sovereignty more intricate than ever. It’s no longer about navigating the rules of one country but understanding a complex tapestry of global regulations.

Data protection and cybersecurity: Generative AI, machine learning, and automation (which are often enabled by cloud computing) are likely to become pivotal for business operation, prompting governments to be even more scrupulous when it comes to data jurisdiction. Data breaches have become common, and data localization mitigates risks in some instances. The 2020 SolarWinds hack, which impacted multiple US government agencies, highlighted the vulnerabilities of centralized cloud systems.23 The attack, in which hackers inserted malicious code into a routine software update, showed that security and sovereignty should be addressed across entire supply chains, not just at the individual level. Companies should understand the software-as-a-service and third-party providers their organization uses: which cloud platform they run on, what sort of data they process, what their encryption levels are, and what the risks are. Such incidents make a compelling case for countries to have more control and oversight over data concerning their citizens. Cybersecurity challenges are set to worsen: The cost of cybercrime is predicted to be US$14.6 trillion in 2024, more than double the US$6 trillion cost a few years ago in 2021.24

Sovereignty extends beyond geography. It also includes operation and governance. One example is Amsterdam Trade Bank, which was sanctioned by the US government in 2022 over its Russian ownership.25 Its data might have resided in Europe, but the cloud service provider with operational control was US-based and was still able to revoke access to company email accounts and related data. Cloud providers have partnered with local operators to overcome this type of risk, with some governments and other entities insisting that it is not enough for the data to reside in a geography; the operator of that cloud infrastructure must also be local.26

As the world becomes more digitally connected, the need to delineate boundaries, ensure security, and protect citizen rights is becoming ever more critical. Emphasis on data and cloud sovereignty is expected to intensify in the coming years, driven by geopolitics, security concerns, and the protection of individual rights.

Sovereignty solutions are an opportunity but also a challenge for cloud providers

Cloud service providers, recognizing the growing importance of data sovereignty, have rolled out various products, services, and features. Government cloud solutions are one example—specialized cloud computing environments tailored to meet the strict regulatory and compliance needs of governmental agencies.

Cloud providers have extended cloud services to the enterprise edge. One example includes a fully managed service that deploys the infrastructure (and therefore, cloud services) to clients’ on-premises location.27 Another allows enterprises to run cloud services from their own data center, ensuring data remains on-premises or within a particular jurisdiction. Cloud service providers tend to offer a portfolio of solutions, to cater to businesses that need to keep data within certain regions due to regulatory requirements.28

Such products are aligned with “distributed cloud,” though all may not be strictly labeled as such. Distributed cloud refers to the distribution of public cloud services to different physical locations, while the operation, governance, updates, and evolution remain the responsibility of the originating public cloud provider. In simpler terms, it’s about bringing the cloud closer to where data is generated and consumed.

While these services offer a range of benefits, including lower latency, they also come with some drawbacks compared to traditional cloud services, such as:

  • Cost: Distributed cloud solutions often require upfront investments in hardware and infrastructure, as opposed to traditional cloud services, which are pay-as-you-go. Also, even though the main cloud provider manages the software stack, the onsite hardware can lead to additional maintenance costs. Finally, IT teams might need training to manage and operate these new distributed cloud environments efficiently.
  • Complexity: Integrating distributed cloud services with existing on-premises systems can be complex. Operating in a hybrid or multi-cloud mode likely means managing workloads across different environments.
  • Limited services: Distributed cloud offerings might not have the full suite of features available in the central public cloud. Features and updates available in the central cloud might take time to become available on distributed cloud platforms.
  • Constrained scalability: While traditional public cloud services offer virtually limitless scalability, distributed cloud solutions might be limited by the local infrastructure’s capacity. Increasing capacity might necessitate additional hardware investments, whereas in a traditional cloud, it’s often a matter of provisioning more resources through software.
  • Vendor lock-in: Relying on a particular cloud provider’s distributed solution can lead to vendor lock-in, making it challenging to switch providers or use multi-cloud strategies without significant efforts and costs.
  • Performance: The performance of distributed cloud hardware on-premises might not always match the performance of the infrastructure in the cloud provider’s data center. Even with on-premises or edge deployments, there might be scenarios where data needs to traverse to the central cloud, leading to potential network bottlenecks.

For cloud providers, growing demand for sovereign cloud might create an opportunity to sell more high-value services, but on balance, it could chip away at profitability. For them, the economically optimal outcome is to sell hyperscale public cloud in every jurisdiction without restriction. But the fragmentation of global cloud infrastructure, with bespoke architectures tailored to stringent compliance mandates, can lead to higher operational costs, and squeeze margins, even if such services are sold at a higher price. That said, it’s an opportunity for local service providers, as well as traditional hardware vendors, especially as customers increasingly rely on hybrid cloud (and hence need a lot of infrastructure).

The bottom line: Companies should act, not react

For companies operating in today’s global digital economy, adhering to regulations about how data is stored, managed, and processed is critical not only to avoid significant legal repercussions and fines, but also to maintain trust with customers and partners. As geopolitical landscapes shift, regulations may be updated, and concerns over data privacy intensify, a company’s ability to navigate data and cloud sovereignty issues can directly impact its market reputation, operations, and bottom line. Companies should act to best position themselves.

Firstly, they should conduct a comprehensive data audit. This should include identifying data sources, and classifying data based on sensitivity. For instance, personal user data might be treated differently from anonymized analytics data or metadata. Companies should also consider a data residency strategy if they don’t have one. This involves deciding where data will reside based on technical performance needs (like latency) and regulatory requirements, and might mean using local data centers, distributed cloud, or cloud regions. And finally, companies should review their data storage and transfer policies, and ensure data is encrypted, at rest and in transit. If data does cross borders, encryption can offer an added layer of protection against unauthorized access.
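One way to make the audit, residency, and encryption steps above repeatable, as an added example that is not from the article or its authors: a check that runs a classified data inventory against a residency policy. The policy table, asset names, and region labels are constructed assumptions; the operator-jurisdiction rule reflects the earlier point that sovereignty extends beyond geography to operational control.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy (an assumption, not legal guidance): for each data class,
# the jurisdictions where data may reside and whether the cloud operator
# must itself sit in one of those jurisdictions.
POLICY = {
    "personal":   {"regions": {"EU"},             "local_operator": True},
    "payments":   {"regions": {"EU", "UK"},       "local_operator": False},
    "anonymized": {"regions": {"EU", "UK", "US"}, "local_operator": False},
}


@dataclass
class Asset:
    name: str
    data_class: Optional[str]   # None: the data audit has not classified it yet
    region: str                 # where the primary copy physically resides
    operator: str               # jurisdiction of the provider with operational control
    at_rest: bool               # encrypted at rest
    in_transit: bool            # encrypted in transit
    replicas: list = field(default_factory=list)  # regions holding copies


def audit(assets, policy=POLICY):
    """Return (asset, rule, detail) findings, in inventory order."""
    findings = []
    for a in assets:
        rule = policy.get(a.data_class)
        if rule is None:
            # Unclassified data cannot be placed safely: flag it and move on.
            findings.append((a.name, "unclassified", str(a.data_class)))
            continue
        allowed = rule["regions"]
        if a.region not in allowed:
            findings.append((a.name, "residency", a.region))
        for r in a.replicas:
            if r not in allowed:
                findings.append((a.name, "cross-border-replica", r))
        if rule["local_operator"] and a.operator not in allowed:
            findings.append((a.name, "operator-jurisdiction", a.operator))
        if not a.at_rest:
            findings.append((a.name, "unencrypted-at-rest", a.region))
        if not a.in_transit:
            findings.append((a.name, "unencrypted-in-transit", a.region))
    return findings


# Constructed inventory for illustration; names and regions are made up.
INVENTORY = [
    Asset("hr-records", "personal", "EU", "EU", True, True),
    Asset("crm-db", "personal", "EU", "US", True, True),
    Asset("payments-ledger", "payments", "EU", "EU", True, True, ["UK", "US"]),
    Asset("clickstream", "anonymized", "US", "US", False, True),
    Asset("legacy-share", None, "UK", "UK", True, True),
]

if __name__ == "__main__":
    for name, rule, detail in audit(INVENTORY):
        print(f"{name:16} {rule:24} {detail}")
```

The crm-db finding is the case a region-only check misses: the data sits in an allowed region, but the provider with operational control does not.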

Leading practice would also involve investing to understand local regulations, which might involve engaging local experts, and also training staff across multiple departments (e.g., IT, legal, operational), particularly as regulations change and evolve. Beyond that, companies should be as transparent as possible with partners, clearly communicating to customers and supply chains how and where their data is being stored and processed. For supply chains in particular, companies should ensure they understand how and where suppliers store and process data. Finally, companies also need to develop a strategy in case of data repatriation for scenarios where data needs to be moved back from a cloud or foreign server to a local server. If possible, they should ensure any contracts with cloud providers have provisions that allow for changes.

Sovereignty is a journey that should be embedded in current cloud strategies, and all cloud users may need to design and architect for sustainable and sovereign platforms. That journey should include three stages:

  1. Advise, in which a company should define its sovereignty posture, design its sovereignty strategy (which would include data and workload categorization), and develop proofs of concept to prepare for sovereignty.
  2. Implement, in which a company should architect sovereignty and implement data controls.
  3. Operate, in which a company should manage its sovereignty ecosystem, build methods to improve observability and risk monitoring, and consider automation and cost optimization.29

Cloud sovereignty is a major strategic issue for multinational companies. Getting things right can instill greater customer confidence, reduce the risk of legal repercussions, and secure a company’s data assets. And the regulatory landscape is unlikely to stand still. If bytes of data are like grains of sand on a beach, then regulatory changes are the tide that can disrupt, reshape, and wash it away. Companies should ensure compliance and foster trust. One way to do that is to remain constantly vigilant, always learning, and prepared to adapt as the regulatory tide changes.

Figure 1 sources

A. Ernst-Oliver Wilhelm, “A brief history of Safe Harbor (2000–2016),” International Association of Privacy Professionals (IAPP), accessed November 20, 2023.

B. Court of Justice of the European Union, “The Court of Justice declares that the Commission’s US Safe Harbour decision is invalid,” press release, October 6, 2015.

C. European Commission (EC), “EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield,” press release, February 2, 2016.

D. EU, Directive 95/46/EC (General Data Protection Regulation).

E. US Congress, Clarifying Lawful Overseas Use of Data Act or the CLOUD Act.

F. Hendrik Mildebrath, “The CJEU judgment in the Schrems II case,” European Parliamentary Research Service (EPRS), September 2020.

G. EC, “Adequacy decision for the EU-US Data Privacy Framework,” July 10, 2023.

Endnotes

  1.  IDC and Statista, “Data volume creation and consumption in the future,” 2020.

  2. All the Trivia, “How many grains of sand are on Earth?,” April 25, 2022; Per C., “Zettabyte,” TechTerms.com, last updated December 15, 2012.

  3. Gartner, “Gartner forecasts worldwide public cloud end-user spending to reach nearly $600 billion in 2023,” press release, April 19, 2023.

  4. Deloitte estimate, based on primary research, and factoring in industry research by IMARC Group, Mordor Intelligence, Straits Research, and Data Bridge market research.

  5. Markets and Markets, Distributed cloud market, August 2022. 

  6. “By the early 1960s many people can share a single computer, using terminals . . . these are the first common multi-user systems,” from “Timesharing – the first online communities,” Computer History Museum, accessed November 20, 2023.

  7. Septimiu-Vlad Mocan, “VPN history – Everything you need to know about VPN development over the past 25 years (and a quick glimpse of the future),” TechNadu, February 4, 2020.

  8. Amazon, “Amazon.com launches Web Services, developers can now incorporate Amazon.com content and features into their own web sites; extends ‘welcome mat’ for developers,” press release, July 15, 2002.

  9. US Congress, Clarifying Lawful Overseas Use of Data Act or the CLOUD Act, H.R. 4943, 115th Cong. (2017–2018); European Union (EU), Directive 95/46/EC (General Data Protection Regulation), April 27, 2016.

  10. Klaus Foitzick, “U.S. CLOUD Act vs. GDPR,” activeMind.legal, February 29, 2020.

  11. UK.gov, “UK/USA: Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime [CS USA No.6/2019],” October 7, 2019.

  12. Stanford, “Amending Certain Legislative Acts of the Russian Federation as to the Clarification of the Processing of Personal Data in Information and Telecommunications Networks” July 21, 2014. 

  13. BBC News, “LinkedIn blocked by Russian authorities,” November 17, 2016. 

  14. Jack Wagner, “China’s Cybersecurity Law: What you need to know,” The Diplomat, June 1, 2017. 

  15. Ryan D. Junck et al., “China’s new Data Security and Personal Information Protection Laws: What they mean for multinational companies,” Skadden, November 3, 2021. 

  16. Communications, Space & Technology Commission (CST), “Cloud computing,” accessed November 20, 2023. 

  17. Abdulaziz Al-Bosaily, Masha Ooijevaar, and Dino Wilkinson, “Saudi Arabia issues Personal Data Protection Law,” Clyde & Co., September 26, 2021. 

  18. Tim Bradshaw, “FBI ends stand-off with Apple over iPhone,” Financial Times, April 22, 2016.

  19. Leo Kelion, “Microsoft battles US over warrant for drugs case emails,” BBC News, September 9, 2015. 

  20. Jean Gil Barroca, Alfons Buxo, and Bruno Silva Batista, “Cloud sovereignty: Three imperatives for the European public sector,” Deloitte Insights, 2023.

  21. Tim Anderson, “‘Russian missiles can’t destroy the cloud’: Ukraine leader describes emergency migration,” The Register, November 30, 2022.

  22. Ron Miller, “Amazon, Microsoft and Google have suspended cloud sales in Russia,” TechCrunch+, March 10, 2022.

  23. Saheed Oladimeji and Sean Michael Kerner, “SolarWinds hack explained: Everything you need to know,” TechTarget, November 3, 2023.

  24. Anna Fleck, “Cybercrime expected to skyrocket in coming years,” Statista Technology Market Outlook; National Cyber Security Organizations; FBI; IMF.

  25. Jacob Atkins, “Solvent but bankrupt: How sanctions felled Amsterdam Trade Bank,” Global Trade Review, May 31, 2022.

  26. For example, see Matt Small, “Hyperscaler and VMware sovereign cloud solutions indicate that local partnerships are key to the offering,” Analysys Mason, September 4, 2023.

  27. AWS, “AWS Outposts family,” accessed November 20, 2023.

  28. Google Cloud, “Anthos,” accessed November 20, 2023.

  29. Deloitte, Cloud sovereignty: Unleashing the potential of sovereign cloud: A gateway to resilience and adaptability, 2023.


Acknowledgments

The authors would like to thank Jean Gil Barroca, Robert MacDougall, Lucia Lucchini, and Leslie Wolf of Deloitte LLP, and Vipul Mehta and Kirti Khattri of Deloitte SVCS India Pvt L for their contributions to this article.

Cover image by: Manya Kuzemchenko