What Does Sovereign Cloud Mean?
A sovereign cloud is a cloud computing architecture that’s designed and built to provide data access in compliance with local laws and regulations. A sovereign cloud service provider will ensure that each subscriber's data, including their metadata, is protected from foreign access and stored in compliance with the originating country's privacy mandates.
Cloud sovereignty requires the provider to monitor its cloud and data storage service and prove compliance with local data privacy and security laws. Claims of sovereignty are established through regular assessments of records that log access permissions and data movement over a set period of time. If a cloud provider fails its sovereignty assessments, it may have to pay a penalty or reimburse subscribers for damage caused by rogue access.
The standards for a sovereign cloud can vary drastically depending on where the cloud servers and data are located. For example, some countries and nation states enforce strict requirements for protecting data sovereignty, while in other countries businesses and individuals can determine for themselves how private data will be secured in transit and at rest.
Techopedia Explains Sovereign Cloud
Data access and protection standards may vary according to the type of data that is being stored. For instance, financial and medical data often requires stricter standards for cloud storage than other types of data.
It is difficult to pinpoint when governments first began intervening in cloud and user data. However, two events in the early 2010s can be seen as what kickstarted national and international cloud sovereignty laws: the PRISM program incident, in which it was revealed that the American NSA was tapping into user data held by large private companies (like Apple and Google), and Microsoft's involvement with the Department of Justice in 2013, in which Microsoft went to court to fight an FBI warrant for information held on non-US servers, namely emails of a target account stored in Ireland.
Both instances highlighted the importance of having clear laws and standards for what organizations and governments can do with user data. In the US, the Stored Communications Act (SCA) of 1986 regulated the storage and use of stored communications data and transactional records held by third-party organizations. The act provides statutory privacy protection for customers of network service providers.
The CLOUD Act of 2018
The Clarifying Lawful Overseas Use of Data (CLOUD) Act amends the 1986 SCA to include modern communication in an international context. The CLOUD Act allows the US government to demand access to data from the clouds of companies subject to US jurisdiction.
This Act covers not only strictly American businesses and organizations, but also foreign entities that operate within the US or handle US-citizen data and information. To avoid repeating previous privacy-intrusion incidents, however, the CLOUD Act specifies that there must be an ongoing criminal investigation before the US government can demand access to a sovereign cloud.
Access and Power
It’s no surprise that data is considered the "oil of the future." Data is incredibly valuable because it has the power to influence entire markets, as well as political and economic landscapes. Without proper laws in place, personal information can be abused for profit and influence.
Still, rather than locking data away in the hope of keeping its owners safe, there are ways to make the massive amounts of data stored in the cloud incredibly beneficial for future projects and innovation. For example, the International Data Spaces Association aims to put sovereign data to use in Internet of Things (IoT) and Artificial Intelligence (AI) projects all over Europe.
Gaia-X is also working on developing a federation of data infrastructure that’s sovereign, efficient, competitive, yet secure and trustworthy.