
Many major cloud players have been talking about the sovereign cloud in recent years. Microsoft, AWS and Oracle are the most prominent among them. They all promise to keep enterprise and government data shielded from third parties, while allowing customers to free themselves from the constraints of an on-prem infrastructure. According to VMware, however, the hyperscalers cannot actually deliver on these promises, as we learned during VMware Explore.

Businesses are eager to take advantage of the cloud. The benefits of a migration to the cloud are now widely known. Unlike an on-premises infrastructure, it offers scalability, rapid deployment and no maintenance costs. To make the most of the cloud, the deployment of corporate data is increasingly important. For example, those looking to reap the benefits of generative AI can do so at a rapid pace by using their own data and external cloud services.

The value of this data should not be underestimated, says Guy Bartram, Director of Product Marketing at VMware. Everyone needs to realize that data is “effectively a new economy,” he argues. He compares it to the rise of coal in the nineteenth century. “You don’t just give that away.” Clearly, data is worth protecting properly. Regulators know this too, which means there are tough challenges ahead for all kinds of industries. Bartram cites the GDPR, but also DORA (Digital Operational Resilience Act), an EU law that forces financial institutions to protect themselves more robustly against cyber threats. In addition, no one with valuable data wants someone else to be able to access it. How can cloud vendors take care of that?

What is truly sovereign?

Over the past year, several parties have promised to deliver a sovereign cloud. Microsoft, Google, AWS and Oracle all have cloud services that guarantee data residency within their own region. In our neck of the woods, that means it should be stored within the European Union and under EU law. Amazon CSO Stephen Schmidt told us last year that the sovereign cloud is just a “marketing term” that has come into vogue of late.


Initially, Bartram seems to share that view. “The problem is that everyone has jumped on the terminology of sovereign cloud when there is no real definition. Now we have confusion in the market: hyperscalers claim to have sovereign services, so do their partners, and cloud vendors do as well.” Time to create some order in the chaos. In practical terms, there is a spectrum of sovereignty, Bartram argues, with the air-gapped isolated environments of military agencies on one extreme and, at the other end, public clouds on which data can be encrypted with proprietary keys. “The more you move toward public cloud, the less sovereign it is,” he says. He emphasizes that it’s about who has jurisdiction over where you run your cloud.

And therein lies the problem, Bartram believes. According to him, the announcements by AWS and co are diluting the term “sovereign”. The BSI, Germany’s IT security body, has expressed support for AWS’s recently unveiled European Sovereign Cloud. This was very much to the annoyance of France, which was conspicuous by its absence from the announcement of that new cloud solution. A French politician expressed concern about Berlin’s move to back AWS shortly afterward. The German decision also surprised Bartram. AWS states that only employees within the EU have “control over the operations and support” of AWS European Sovereign Cloud. This is mainly to ensure that the U.S. government is not allowed to peek into the data of European companies. Bartram evidently does not consider that a credible promise. AWS is and will remain a U.S. entity, which he says remains subject to the regulatory framework of intelligence agencies in Washington. Those authorities are allowed, thanks to the U.S. CLOUD Act, to request all data managed by U.S. companies.

Germany’s decision to chart its own sovereign cloud path was therefore surprising. If Europe does not collectively support a strong degree of sovereignty, Bartram sees it as a missed opportunity. “We are on the cusp of a new game changer with AI and machine learning,” he observes. There’s an opportunity now, he believes, to construct an AI-focused infrastructure on a sovereign basis. And time is running out. “AI will not evolve in a linear fashion,” he says. He thinks that in 10 years, applications will all be AI applications.

What role does VMware play in this?

“VMware has a very strict approach to what we see as sovereign,” says Martin Hosken, Chief Technologist, Cloud. “It’s not only important where the data lives, but also who has access and who has control.” In short, he too claims that AWS cannot deliver on the promises of data protection. “That’s not their fault, it’s not under their control,” Hosken concludes. Some measures by AWS with the European Sovereign Cloud would be sufficient for “some governments,” he believes, but would not solve the core issue. “Microsoft has the same problem.”


There is at least one legal gray area present, according to Hosken: he points to Google’s work with some VMware partners that operate data centers within the EU. There is no evidence yet that America cannot still claim that data, despite the fact all the hardware is under the ownership of Europeans. That gray area means it’s not a proper infrastructure for a sovereign cloud according to VMware. “For VMware, regulatory control is an absolute requirement for sovereignty,” he says.

What’s VMware’s key asset in this regard? Hosken explains as follows: “The freedom and flexibility VMware gives to partners and customers is unique. We have more than 10,000 data centers worldwide with on-site partners.” He compares this to AWS, which has 32 regions. “With that number of regions, they can’t come close to offering a region in every country. They don’t have the diversity of partners that VMware can offer.”

Like Bartram, Hosken is also keen to look towards the future. The development of the sovereign cloud will hit hyperscalers in a big way within the next decade, he suspects. Given the continuous changes in regulations, he sees VMware as an attractive option that allows users to always meet compliance requirements. Elsewhere, the company touts how easy its offerings make it to move legacy workloads from on-prem and leverage a variety of cloud-native workloads.

How it should be done, according to VMware: Monaco Cloud

From our conversations with Bartram and Hosken, we’ve come to understand what a sovereign cloud is according to VMware. They’re also clear about VMware’s advantage in this realm: wide availability, flexibility and a multitude of partners across the globe. In addition, the company’s representatives specify in no uncertain terms that they doubt the credibility of the AWS sovereign cloud promise. So what does a good example of this look like?


Last month, VMware unveiled that the Principality of Monaco had set up a VMware Sovereign Cloud. Specifically, it’s managed by Monaco Cloud, which is majority owned by the Monegasque government and only features Monaco-based stakeholders. It is a VMware partner and was also present on the show floor to explain the benefits of a sovereign cloud. Thanks to guarantees that all cloud-based content is secure and beyond the reach of outside authorities, the government is able to fully utilize the digital infrastructure in question while storing and harnessing sensitive data. Essentially, it can write its own rules without outside interference. All public services should eventually be available digitally, in pursuit of executing on the microstate’s “Extended Monaco” program. Interestingly, a backup of government data and services will soon be placed in Luxembourg, which will still be under the rule of Monaco’s “E-embassy.”

In short, Monaco has built a digital autonomy that’s the envy of others. However, the state has a few key benefits: firstly, its 40,000 inhabitants provide a manageable scale and secondly, it’s outside the European Union. Elsewhere, it is thus a more difficult proposition to build a similar success story on a national scale. Perhaps that’s why Germany is settling for what VMware calls a “watered-down” sovereign cloud from AWS, because the alternative without the hyperscalers is too difficult to implement. Time will tell which way regulation will go within the EU and beyond. Either way, VMware is confident it knows what the best practices are.
