
Governments and the public sector lead the cloud sovereignty debate

Stefan Zosel
11 Jul 2022

As volumes of cross-border data proliferate on cloud platforms, how are governments and public sector organizations both regulating and planning for their own use of sovereign clouds?

With worldwide spending on cloud services expected to cross the $1t threshold by 2024[1], cloud sovereignty is increasingly part of the strategic mix when defining cloud journeys. Who — or perhaps more pertinently which organization — has control over the data held in public clouds? And where does responsibility lie when there are operational or technology issues in the face of political or geographical unrest?

In its report The Journey to Cloud Sovereignty, the Capgemini Research Institute evaluates evolving trends, awareness, and readiness of organizations for cloud sovereignty. So, first let me clarify that a sovereign cloud is a cloud computing environment that is owned, deployed, governed, and managed locally or regionally within a single nation or jurisdiction.

The report draws on the findings of a survey of senior executives working in different functions from 1,000 organizations across multiple sectors, including 200 in government and the public sector. What’s clear is that governments are leading the charge to cloud sovereignty, with a range of regulatory developments shaping the way forward.

Further, as well as shaping regulations pertaining to cloud use, government and public sector bodies are among the leaders in pursuing (or considering) a sovereign cloud in their organizations. For example, 76% of government/public sector respondents to the survey believe a sovereign cloud will be adopted in their organization to ensure compliance with the regulations and standards of the nation/state/local government, versus 71% across all-sector respondents.

Mitigating risks

Why the need for a sovereign cloud? The key idea is to respond to each organization’s desire for control, choice, and autonomy as cloud adoption accelerates globally. In some instances, even the cloud provider is obligated to be of local origin to mitigate certain risks. According to a recent European Commission communication, these include threats to cyber security, supply vulnerabilities, and unlawful access to data by other countries or suppliers. Indeed, security or resilience-related concerns with public cloud providers were cited by 74% of public sector participants, marginally higher than the 73% all-sector average.

Similarly, the threat posed by potential exposure to extra-territorial laws and/or the possibility of data access by foreign governments owing to a vendor’s location of origin was cited as a concern by 68% of public sector respondents. So, it is no surprise that 69% of government/public sector survey respondents believe a sovereign cloud will be adopted in their organization to ensure immunity from extra-territorial laws and regimes.

We can see provisions to mitigate such risks already in existence in some countries. In the US, for example, the 2018 CLOUD Act gave law-enforcement authorities access to data belonging to US-based cloud service providers, and this extends to non-US firms that are subsidiaries of a US cloud or IT service provider, even if headquartered outside the US.


Strategies being developed

Although cloud sovereignty is being embedded as part of overall cloud strategies across all sectors, many organizations surveyed for the report feel some uncertainty about the next steps. For example, 28% of organizations say they need more clarity on this topic to form a cloud-sovereignty strategy, and only 3% of public sector organizations say they have a well-defined cloud sovereignty approach.

Even the definition of cloud sovereignty is subject to different interpretations. Nearly 40% of government and public sector organizations see it as a combination of public and private cloud (including vendors of non-local origin), and data localization within a country or region’s borders at locally-approved data centers, whereas 15% view it as the exclusive use of cloud providers based in the same legal jurisdiction and storing data within a country or region’s borders. This latter model might well be hindered by the thinking on the part of 59% of government/public sector respondents who believe that current local cloud solutions have performance-related issues compared to existing global solutions.

Recommendations for untapping benefits

What’s in it for my organization? It’s a question I’m often asked, and one that the survey also investigated. 68% of government/public sector organizations say they believe it provides a trusted and safe cloud environment for data, while 61% cite the ease of sharing data with trusted ecosystem partners as a benefit. An example of such an ecosystem is GAIA-X, the public/private consortium initiative established in 2020 comprising cloud suppliers, businesses, and the public sector to create a unified ecosystem of cloud and data infrastructure and services for the European Union.

So how can governments and the public sector accelerate their path to achieving benefits like these? We recommend building the ‘move-to-sovereign’ strategy on the following four pillars:

  • Define sovereignty objectives and compliance requirements:
    • identify your sovereignty objectives based on the three elements of cloud sovereignty (data sovereignty, operational sovereignty, and technical sovereignty)
    • understand the rules and regulations concerning sovereignty and the real facts behind them — the privacy and protection of different types of data will demand varied levels of security in the cloud depending on a range of factors, such as approaches to risk, innovation ecosystems, geo-political affiliations, digital readiness to share data, and more
    • track key developments in the cloud and data sovereignty space; continuously assess risk exposure; and set up a compliance organization.
  • Assess cloud providers through a sovereignty lens, embracing data sovereignty (for data residency, controls, transparency, storage, back-ups, etc.), operational sovereignty (for security, compliance, and operational resilience), and technical sovereignty (to assess interoperability and migration features and clear exit policy/processes).
  • Align for a flexible cloud architecture. Identify your sensitive workloads and most viable use-cases — staying aware of the types of data that are hosted in the cloud and the importance of different data types for your organization, with some data points, such as citizen data, being highly sensitive. Consider end-to-end encryption, as well as key management solutions. At the same time, evaluate hybrid options, and prepare for a multi-cloud architecture by understanding the potential as well as the challenges it brings.
  • Develop the potential of sovereign cloud by exploring its value proposition in terms of trust, security, and collaboration through ecosystem participation. Within the “trusted cloud” environment, sovereign cloud can help in developing new solutions, especially in data-sensitive sectors like the public sector and healthcare. The French Government, for instance, is planning to digitize public-sector initiatives with citizens and institutions with its sovereign cloud infrastructures.

Accelerating cloud adoption

There is no doubt that cloud adoption has ramped up enormously over the past two years. The much-publicized work-from-home model has seen organizations relying on cloud services to support remote workforce collaboration, productivity, resilience, and more. This acceleration in cloud adoption has also revealed critical vulnerabilities and emphasized the importance of secure data storage and control. The solution? Cloud sovereignty as a means to maintaining physical and digital control over strategic assets, including data, algorithms, and critical software.

We are still at an early stage on the sovereign cloud journey, with many questions remaining, such as those concerning data localization, ownership, traceability, and access controls, along with the role of an open-source approach to enabling transparency, and whether a solution allows applications and data to be moved from one cloud-computing environment to another with minimal disruption. These questions — and many more — are gradually being answered and I am looking forward to the next stage of the journey.


[1] IDC, “Cloud adoption and opportunities will continue to expand, leading to a $1 trillion market in 2024,” October 2020.

Author

Stefan Zosel

Capgemini Government Cloud Transformation Leader
“Sovereign cloud is a key driver for digitization in the public sector and unlocks new possibilities in data-driven government. It offers a way to combine European values and laws with cloud innovation, enabling governments to provide modern and digital services to citizens. As public agencies gather more and more data, the sovereign cloud is the place to build services on top of that data and integrate with Gaia-X services.”