The sovereign cloud offers no guarantees, how can it do so?

Using the public cloud inherently requires a degree of trust in the chosen provider. Critical industries and government agencies often reach for what looks, at face value, like the most secure option: a sovereign cloud. The big problem is that nobody has clearly defined it yet, despite the concept being years old at this point. Johan David Michels, a researcher at Queen Mary University of London, wants these vagaries to disappear.

European cloud providers are in a strong position when it comes to sovereign cloud promises. They manage the servers on their own continent, often have no direct relations with customers in the U.S. at all, and never send metadata beyond European borders. AWS, Microsoft, Google and Oracle also each offer sovereign cloud packages. The exact promises vary among them, but broadly they revolve around control over data residency and strong encryption. As U.S. companies, however, they remain irrevocably bound by U.S. regulations. As a result, they will always be obliged to surrender customer data to the U.S. government if asked to do so, no matter where the customer is from.

From marketing term to solid foundation

In practice, honoring such a demand from Washington is made difficult by design. After all, there are encryption schemes that rely on Bring Your Own Key (BYOK), and contractual stipulations promising that any U.S. demand for data will be denied or at least heavily resisted in court. Michels, who conducted his Sovereign Cloud for Europe research on behalf of Broadcom, questions the validity of these contracts. For example, U.S. tech companies are not allowed to tell their European customers at all whether they had to cooperate with U.S. intelligence agencies. For all we know, they have been complying with a heap of data requests for years. In addition, metadata still leaves Europe via the sea cables in the Atlantic to reach American data centers.

The trouble is that none of this yet allows the sovereign nature of these cloud services to be challenged outright, because there is no precise definition of a sovereign cloud at all. Michels therefore proposes a Sovereign Cloud Code of Conduct, within which clear legal standards define what does and does not count as sovereign. The researcher acknowledges that drafting it would be a difficult process, but argues it should be worth the effort to create a legal basis for sovereign clouds.

Why now?

One might wonder what the problem is. If your organization is convinced that its data is safe in a sovereign cloud, it doesn’t actually matter who made the promise – they have done what they needed to do to sell their product. Michels therefore distinguishes the current, differing meanings of the term for customers, European policymakers and cloud providers. For the first group, sovereignty is about control over one’s own data, which also includes access management, transparency and reduced vendor lock-in, Michels says. Policymakers actually intend to tackle an entirely different challenge: the gigantic dependence of European organizations on U.S. tech companies. This contrasts with the desire of customers to choose the best software regardless of whether it was made in the U.S., Peru or France. For cloud providers, sovereignty simply offers an opportunity to differentiate from one another – which is particularly desirable for European cloud players.

But does a new framework offer any kind of solution? And isn’t the larger movement toward more sovereignty already a net positive, assuming it remains a long-term trend? $260 billion in predicted revenue from sovereign clouds by 2027 (a figure cited by Broadcom), fueled primarily by Europe, already shows demand without any thorough legal basis for sovereignty. While the current situation may be the legal equivalent of quicksand, its relevance to customers would only become evident if they were forced to shift away from their cloud platform of choice.

A clear choice

When it comes to AI governance, there is already worldwide criticism of the European Union’s restrictive stance. Complaints are coming from all sides. U.S. companies complain that they cannot roll out their services in Europe on the same day as elsewhere without all sorts of privacy-focused adjustments (examples include Meta AI and Google Gemini, or Bard as it was first called). European end users and AI companies are dissatisfied with this delayed or restricted access, and may themselves need to meet all sorts of compliance requirements before bringing their own competing solution to market. All this to ensure that AI operates on our standards and values. For now, it is uncertain whether this principled stance harms Europe or benefits it. But if one thing is clear, it is that additional laws will lead to ever-increasing resistance from the industry.

Apart from the clarity suggested by Michels, there is a need to define a proper philosophy around sovereignty. Would a new Code of Conduct revolve around continuing to shift along a spectrum, moving from vague cloud use toward one incorporating control and transparency? Or is it more important to say a clear “no” to sharing any more sensitive European data with American companies? And is that “no” coming only from critical sectors and government, or do we as Europeans want to gradually become autonomous, with our own cloud services, and essentially turn our backs on by far the largest and most mature cloud infrastructures on the planet? Surely, the latter would be debilitating.

We cannot answer those questions on behalf of the entire continent. But what the huge demand for sovereignty shows is that organizations are feeling the need to pick the most secure, workable option. Currently, that tends to rest on trusting the promises of U.S. hyperscalers. There is absolutely no harm in making demands on those promises, as Michels suggests we do.

Via-via

For those wondering why Broadcom is interested in formulating an answer here: its own VMware has a big role to play in this field. This is most clearly articulated by Martin Hosken, Field CTO, Cloud Partners at Broadcom: “The push for sovereign cloud provides the perfect storm for Cloud Service Providers (CSPs) in Europe to thrive.” He is of course referring to CSPs such as VMware by Broadcom, which are making more precise promises with their own sovereign cloud services and giving organizations ever more control themselves, even while residing in the public cloud. In doing so, they aim to guarantee an easy transition to any other major cloud service.

Hosken continues: “[CSPs] need to position themselves as trusted partners for those organizations that are on their way to the sovereign cloud and help them meet the challenges of this transition. This includes helping them assess and classify their data based on sensitivity and compliance needs, especially for personal data under GDPR. CSPs can also help customers navigate the complex mix of cloud services, enable a single operating model and maximize interoperability between providers to avoid isolated workloads.”

This sounds like the most sensible approach for critical sectors, though alternatives to VMware by Broadcom do exist, of course. The importance of this example is that it reflects a proactive attitude from end users, one in which cloud providers cannot put organizations in a lock-in scenario. Those who forego such a stance could suddenly find themselves in legal jeopardy should a stringent Sovereign Cloud Code of Conduct ever appear.