
Amazon CSO Stephen Schmidt: “Sovereign cloud is a marketing term more than anything else.”

AWS obviously saw the trend towards sovereign clouds coming. It claims to offer every opportunity to guarantee data sovereignty. AWS just doesn’t go along with the naming and hype surrounding it, according to the Chief Security Officer of all of Amazon (including AWS) in conversation with us during AWS re:Inforce.

TIP: If you want to know what security announcements AWS made during re:Inforce, you can find them listed in this article.

Lately there has been quite a bit of activity around the concept of sovereign cloud (regions). Recently there was a big announcement by Oracle on this point, but Microsoft and Google are also busy setting up these kinds of cloud environments. These sovereign cloud environments are aimed at guaranteeing data residency within a specific region. In our case, this is the EU, where the GDPR has been in force since 2018.

The idea behind the development of sovereign clouds or cloud regions is that data that needs to stay within Europe is guaranteed to stay there. It is a reaction to developments such as the CLOUD Act in the US. That Act states that data stored abroad within the environments of American companies can, in principle, be retrieved and accessed by the US government.

Public cloud not always an option

The above is an important reason for organizations in the EU that handle sensitive or personal data to at least be careful with the public cloud. The major providers are all American, with the exception of Alibaba, which is Chinese. The latter party, of course, brings with it all sorts of other concerns, which we won’t go into here.

In any event, it is important for a certain group of organizations, for example in the public sector and health care, to have a 100 percent guarantee that no one from outside the EU can gain or demand access to their data. At the same time, these types of organizations can also benefit from a distributed infrastructure: scaling down the traditional on-premises infrastructure and moving to a more modern environment.

In fact, to keep up with the times, they may have to make this transition, at least in part. Performance, availability, scalability, access to all kinds of useful services and features, cost transparency and perhaps, in the long term, significantly lower costs: there are plenty of reasons for these organizations to take a critical look at what stays on-premises and what can be moved to the cloud. This is basically the development towards hybrid and multi-cloud, where you combine private clouds (or your own data centers) with public clouds.

Sovereign cloud makes it an option

All organizations have their own way of determining what can and cannot go to the public cloud. For some, latency will play an important role in keeping a specific database on-premises. For another, compliance with applicable laws and regulations will be a reason. For yet another, it may simply have to do with the fact that its private cloud hardware still has some years to go before it’s financially sensible to make the move. There are countless considerations that can be made in such a process.

The idea of the sovereign cloud specifically addresses organizations that are not allowed or unable to move to the cloud because of data residency issues. In other words, organizations that have strict guidelines and requirements regarding where data is stored and who can access it. These types of organizations are deprived of the added value that the public cloud can undeniably offer. Within a sovereign cloud, however, the large providers can offer all services, functions and products, but within the framework of the EU. In this way, in principle, even sectors with very strict rules and regulations can start using the public cloud.

Multiple approaches for sovereign clouds

As mentioned above, several public cloud providers are pushing sovereign clouds. It is interesting to see that there are multiple ways to offer sovereign clouds. Microsoft and Google seem to be looking mainly for cooperation with local, European parties. These are partnerships with existing parties in specific countries. In France, for example, Orange and Capgemini have jointly founded the cloud provider Bleu. This is basically an Azure cloud, but not owned by Microsoft. Google Cloud is doing something similar with T-Systems in Germany.

Oracle has decided that it prefers to control everything itself and offers its Sovereign Cloud Regions itself. These are, in its own words, completely separate logically and physically from the existing regions. They are also exclusively operated and maintained by EU residents.

How about the AWS sovereign cloud?

At first glance, AWS doesn’t seem to be hugely concerned about the trend around sovereign clouds. It doesn’t mention the concept of sovereign cloud at all, at least not that we know of. If you enter “aws sovereign cloud” into Google you don’t get very many relevant search results. One of the few concrete links between AWS and sovereign clouds is the announcement and now availability of Monaco Cloud, an AWS-based public cloud for and by Monegasques.

Does the apparent lack of focus on sovereign clouds mean that AWS does not consider this a relevant development? We put that question to Stephen Schmidt, the Chief Security Officer of all of Amazon (including AWS) and previously the CISO of AWS. We spoke to him during AWS re:Inforce, AWS’ event specifically focused on security.

Schmidt begins his answer by stating that he sees the term sovereign cloud primarily as a fad: “Sovereign cloud is more a marketing term than anything else.” He immediately follows this up with a more or less rhetorical question: “Why do you think we opened a data center in Dublin very early on?” This data center has been around since 2007, a year after Amazon S3 and EC2 became available. With this, Schmidt implies that Europe’s laws and regulations were already playing a role in AWS’ strategy at that time. “We saw the changes [in the area of data privacy, ed.] coming back then,” he indicates. The fact that this is not referred to by the term sovereign cloud at AWS does not change that.

“We solved it differently”

Schmidt also indicates that AWS solves the sovereignty issue differently than the other parties. “We have built the ability to create hard partitions into the architecture,” he states. Specifically, he refers to the Nitro hypervisor that AWS uses in its cloud environment. That is designed so that no AWS employee can access it from the outside. So even if the U.S. government were to demand data, AWS simply cannot access it. “We can radically separate things from each other,” summarizes Schmidt.

If you think about it, it is not strange that a provider like AWS solves it differently from other providers. In fact, it is also a fundamentally different kind of provider. Whereas AWS relies on IaaS and PaaS, the likes of Google, Microsoft and Oracle also have a significant SaaS portfolio running in their cloud environments. We estimate that a SaaS application is a lot harder to secure in the way that AWS does with their IaaS environment. Nevertheless, this is very important, because SaaS is an important entry point for these other players. That is why those players have been working for some time to make those platforms GDPR-compliant as well. We haven’t fully researched this for this article, but we know that Google and Oracle have developed and done the necessary work around their SaaS offerings to be able to offer Workspace and Fusion Cloud Apps respectively in a GDPR compliant manner.

In addition, AWS also works with partners when it comes to data residency. Even though it is technically not even possible to access customer data, from the GDPR perspective, sometimes more is needed to provide guarantees around data privacy. Hence, AWS has a partnership with T-Systems called Data Protection as a Managed Service. This service consists of four components.

  • T-Systems ensures that customers deploy the right tools to achieve the right encryption. This includes things like data classification per customer.
  • T-Systems ensures that the data of customers and the access to that data can be fully determined by the customers.
  • Support is based in the European Economic Area. This is the EU plus Iceland, Norway and Liechtenstein. As a result, no one who is not a resident of this area will ever access the data.
  • A landing zone that is set up and managed by T-Systems according to AWS Security best practices.

All in all, it’s clear that while AWS hasn’t jumped on the marketing train around sovereign cloud like other providers have, that doesn’t mean they can’t offer it. In fact, if Schmidt is to be believed, this has been part of the vision at AWS since 2007. Together with partners, AWS can therefore also offer a public cloud that is suitable for organizations that have to comply with strict legislation and regulations.