A brief introduction to the sovereign cloud

The ​“someone else’s computer” problem

What is a sovereign cloud? It is a cloud implementation that is intended to retain data within a specified jurisdiction. To meet that criterion, the data must not be transmitted, processed, or stored outside of the intended jurisdiction. All sovereign cloud implementations are on a spectrum of practice, which must be considered carefully.

You may have heard the cloud described simply as ​“someone else’s computer” and, while reductive, it’s largely correct; your data is being processed on someone else’s processor, transferred over someone else’s network and stored on someone else’s storage. That gives us significant economies of scale, access to systems and resources otherwise unavailable to us, and leverage of tried and tested solutions.

Trusting ​“someone else’s computer”

The primary tradeoff of using cloud services is that we need to trust the cloud provider with our data. Similarly, others who have entrusted data to us need to be able the trust the cloud provider too. To guarantee the rights of cloud users, both direct and indirect, jurisdictions have implemented legislation around data sovereignty. Sovereign clouds are an attempt to satisfy this legislation while still providing the benefits of the cloud. An example of such legislation is Quebec’s Law 25 that comes with many requirements, including that all personal information transferred outside Quebec is covered by a privacy impact assessment (PIA) with equivalent protection afforded to personal data stored in Quebec.

Practicalities of sovereign cloud implementations

Sovereign cloud implementations come in a variety of forms, ranging from simply providing services located within the target jurisdiction, to a fully locally owned and operated cloud with no foreign legal influence. This means that ​“sovereign cloud” may mean anything in-between, and it is important to be clear when discussing solutions as to the exact level of sovereignty required. What may seem like a minor detail may actually have large implications.

There are other dimensions to consider in choosing the correct solution, such as software used, interactions with external services, and the use of AI models. While these are usually only considered when handling particularly sensitive data, recent high-profile events such as the XZ Utils library compromise (CVE-2024 – 3094) would recommend some prudence for even relatively mundane cloud deployments.

Making a choice
 

Reasons to use a sovereign cloud solution:

• Current legal obligation — sometimes the only legally acceptable solution is a sovereign cloud.
• Future legal obligation — there may be a compelling business justification for using a sovereign cloud to be protected against future legislative changes, and the significant cost of adapting to meet them.
• Marketing — customers are likely to be more predisposed to using a product or service if they are aware that their data is stored and managed within their jurisdiction.

• Technical — a sovereign cloud solution is likely to have improved responsiveness, and greater reliability as data will likely be stored closer to the users.

  
  
  

Where to turn

This article just scratches the surface of the sovereign cloud topic. At Mara Consulting, we have extensive experience in developing cloud strategies and solutions. Whether you are picking the correct solution for a new cloud deployment, migrating existing services to the cloud, or elevating cloud-based solutions, we can provide your organization with the benefit of decades of industry-proven experience and support you in achieving or exceeding your goals.