What are sovereign clouds

There is no single ideal concept of a sovereign cloud — each operator provides its own vision of this service.

One of the most demanding models of the sovereign cloud is offered by the American provider Oracle. It contains the following requirements:

• Physical placement of data within one country;
• The client can control who exactly gets access to his information and from where;
• Technical support and maintenance of servers should be carried out only by citizens of one state;
• The cloud complies with the legislation of the hosting country;
• There is a dedicated server connection to the Internet.

Separately, Oracle also created a sovereign cloud for the needs of the EU — thanks to it, corporations operating within the European Union can immediately receive an infrastructure that meets the requirements of the GDPR (General Data Protection Regulation), the recommendations of the European Data Protection Council, etc.

Google Cloud does not have its own separate service of this type, so every time it forms partnerships with local telecom companies to create sovereign clouds in different countries. So far, the system works well in Germany, where the local company T-Systems has separate infrastructure control capabilities on the Google Cloud platform, and the technical support consists only of EU citizens. A similar service is also implemented in France, Italy and Spain.

Microsoft launched its own sovereign cloud Cloud for Sovereignty in July 2022. It operates on the basis of more than 60 regional Azure data centers, provides access to all standard Microsoft cloud services (Microsoft 365, Dynamics 365 and Azure platforms) and allows you to manage the placement of your data in these services and in other products deployed in the cloud.

Amazon Web Services maintains that its clouds are “sovereign by default,” and in 2022 it launched a “Digital Sovereignty Commitment,” pledging “uncompromising oversight” of its customers and their compliance with sovereignty requirements. The user independently chooses exactly where his data is placed, who has access to it and how it is encrypted.

Why is this necessary?

The regulatory requirements of some areas require a sovereign cloud, in particular, it concerns the public sector, financial services, and the field of health care. This is the data that is especially important to protect from external interference, because it is a state secret and other confidential information that is particularly vulnerable to the actions of attackers.

It is not necessary for the business as a whole to have a sovereign cloud, but it is recommended – it is easier to comply with requirements such as GDPR, the company’s work looks more reliable, and customers do not have a problem with information protection. This is especially convenient for small and medium-sized businesses that do not have significant resources to understand all the requirements of information protection – it is easier to delegate to a reliable cloud operator.

When a service provider hires only citizens of this country, cooperates with local contractors, pays all taxes and funds to the budget of its state, it supports the national economy. And it is more convenient to pay with it: since the legal entity of the provider is registered in the same country, payment is made in the same currency, and the contract is valid in the same legal field.

VMware Sovereign Cloud

One of the most widespread concepts of cloud sovereignty is the system created by VMware. Providers whose product conforms to this framework are granted VMware Sovereign Cloud Provider status. The main idea: all operator data placed in the cloud is subject to the exclusive control of the state where it was collected, and operations with it are carried out according to national legislation.

If we take a closer look, according to VMware, the sovereign cloud:

• protects critical data of private and public organizations;
• supports the national economy;
• uses tested and approved at the state level security controls;
• ensures compliance with data privacy laws;
• improves the client’s control over information.

In total, the company checks providers for compliance with 20 technical requirements and principles before granting Sovereign Cloud Provider status.