What Does Sovereign Cloud Mean?
A sovereign cloud is a cloud computing architecture that’s designed and built to provide data access in compliance with local laws and regulations. A sovereign cloud service provider will ensure that each subscriber’s data — including their metadata — is protected from foreign access and stored in compliance with the originating country’s privacy mandates.
Cloud sovereignty requires the provider to monitor its cloud and data storage service and prove compliance with local data privacy and security laws. Claims of sovereignty are established with regular assessments of records that log access permissions and data movement over a set period of time. If a cloud provider fails its sovereignty assessments, it may have to pay a penalty or reimburse subscribers for damage caused by rogue access.
The standards for a sovereign cloud can vary drastically depending on where the cloud servers and data are located. For example, some countries and nation states enforce strict requirements for protecting data sovereignty, while in other countries businesses and individuals can determine for themselves how private data will be secured in transit and at rest.
Techopedia Explains Sovereign Cloud
Data access and protection standards may vary according to the type of data that is being stored. For instance, financial and medical data often require stricter standards for cloud storage than other types of data.
Encryption and Data Sovereignty
To protect sensitive data, a sovereign cloud typically implements a variety of security measures, including:
- Data encryption — sensitive data is encrypted both in transit and at rest to prevent unauthorized access.
- Access controls — only authorized users with the proper credentials can access sensitive data.
- Compliance with regulations — the cloud architecture is designed to comply with relevant regulations and standards for the storage and processing of sensitive data.
- Physical security — the data centers that host the sovereign cloud are physically secured to prevent unauthorized access.
- Monitoring and auditing — the sovereign cloud is monitored and audited to detect and respond to any security incidents or threats.
Sovereign Cloud Vendors
Sovereign cloud vendors provide cloud services that meet the specific regulatory and compliance requirements of their customers in different countries and industries. Tier 1 vendors offering sovereign cloud services include:
- VMware — offers sovereign cloud services for customers in regulated industries.
- Oracle — offers sovereign cloud regions that enforce policies and governance for data residency, security, privacy and compliance.
- Microsoft — Cloud for Sovereignty enables public sector customers to meet compliance, security and policy requirements in the Microsoft public cloud.
- IBM – the focus of IBM Cloud is helping clients adhere to global sovereignty requirements.
- AWS – Amazon has pledged to continue to allow customers to control the location and movement of their data and ensure AWS Cloud services are always sovereign-by-design.
History
Determining the beginning of government intervention in the state of cloud and user data is tricky. However, two events in the early 2010s can be seen as what kickstarted national and international cloud sovereignty laws. The first was the PRISM program incident, where it was revealed that the American NSA was tapping into user data held by large private companies (like Apple and Google). The second was Microsoft’s involvement with the Department of Justice in 2013, where Microsoft went to court to fight an FBI warrant for information held on non-US servers, namely, emails of a target account stored in Ireland.
Both instances shone a light on the importance of having clear laws and standards for what organizations and governments can do with user data. In the US, the Stored Communications Act (SCA) of 1986 regulated the storage and use of data stored through communications and transactional records held by third-party organizations. The act provides statutory privacy protection for customers of network service providers.
The CLOUD Act of 2018
The Clarifying Lawful Overseas Use of Data (CLOUD) Act amends the 1986 SCA to include modern communication in an international context. The CLOUD Act allows the US government to demand access to data from the clouds of companies subject to US jurisdiction.
The Act covers not only strictly American businesses and organizations, but also foreign entities that operate within the US or with US-citizen data and information. But to prevent repeating previous privacy-intrusion incidents, the CLOUD Act specifies the need for an ongoing criminal investigation before the US government can demand access to a sovereign cloud.