Sovereign Cloud is no Guarantee
Can we really trust a sovereign cloud, what is it and do we need one?
What is a sovereign cloud?
Generally a sovereign cloud is said to be a type of cloud computing, that helps organisations comply with the laws of specific regions or countries.
Cloud sovereignty is usually determined by where data is stored and processed, or in some cases, where data was collected.
So we are really talking about data sovereignty.
Typically sovereign cloud is reserved for use by government departments and their sub-contractors, and such cloud services may be provided and managed by companies such as IBM, Oracle and Amazon Web Services (AWS).
Sovereign Cloud in the US
GovCloud in the United States is a good example. It is comprised of two physically and logically isolated U.S. sovereign regions, AWS GovCloud (US-East and US-West), operated by U.S. citizens on U.S. soil.
AWS GovCloud (US) is for verified U.S. government agencies and entities.
Nongovernment Sovereign Cloud
Depending on how you look at it, there are two different flavours of sovereign cloud, one for government and one for the rest of us.
Now sovereign cloud services are also being marketed to entities that are not government organisations, presumably to companies that may be concerned about their data finding its way to third countries.
By some providers saying that there is a cloud region in your jurisdiction, and that your data is stored only in those datacentres, the cloud provider is effectively putting a sovereign cloud sticker, on a plain old public cloud.
They might still be outsourcing management and support to cheaper offshore locations, or using employees and contractors that have not been properly background checked.
A bit like putting a turbo sticker on a standard Volkswagen Golf.
However major cloud players like Amazon Web Services and Oracle are going a bit further, and creating a sovereign cloud that has additional measures to guarantee data sovereignty.
Just today I saw a LinkedIn post about how a subsidiary of discount retailer Lidl called STACKIT, might soon be Europe’s biggest competitor to Amazon Web Services in Europe, and how that might finally give hope to those who are calling for a European sovereign cloud.
Lets wait and see what Lidl can do in Europe.
Swiss Sovereign Cloud
Switzerland is in Europe, but not in the EU, and it has its own version of privacy and data protection laws, roughly aligned with EU laws and regulations.
Earlier this year the Swiss authorities allocated 246 million CHF (Swiss Francs) in cloud contracts to Alibaba Cloud, Amazon Web Services, IBM, Microsoft, and Oracle, but interestingly, no Swiss provider.
The project will consist of three components: public cloud, public cloud on premise, and private cloud on premise.
The most sensitive Swiss government data will stay on the private cloud which will be in their own premises.
By the way, if you are an enterprise customer in Switzerland there are a few Swiss companies that market their own sovereign cloud services, including Hidora, Exoscale, ELCA Cloud Services and Infomaniak. They offer a subset of cloud technologies to whoever wants them, with data stored and processed in their datacentres that are physically located in Switzerland.
But don't expect every feature you find on AWS or Azure, you probably don't need them anyway.
EU Sovereign Cloud
Oracle already provide sovereign cloud services in the EU and Amazon Web Services plan to do so by the end of 2025.
Oracle say that their EU Sovereign Cloud is designed to enable commercial and public sector organisations to place sensitive data and applications in the cloud, in alignment with EU data privacy and sovereignty requirements.
So they are marketing it to both government and enterprise customers.
Amazon Web Services also plan to offer EU sovereign cloud services, to public sector organisations and customers in highly regulated industries.
To assure independent operation of the AWS European sovereign cloud, only personnel who are EU residents, located in the EU, will have control of day-to-day operations, including access to data centres, technical support, and customer service.
Once again, AWS is marketing their sovereign cloud services to both government and enterprise customers in the EU.
Can You Trust Sovereign Cloud
To answer that one you have to consider two things, the law in your jurisdiction (and in others), and the ability to protect your data using technical measures like encryption.
But let’s start with sovereignty.
According to Wikipedia, in any state, sovereignty is assigned to the person, body or institution that has the ultimate authority over other people and to change existing laws.
Lets look at the legality of cloud providers sharing your data.
Data Sharing and the Law
EU law can affect how your data is shared because ultimate authority over EU sovereign data, is assigned to the European Commission, which is not directly accountable to European voters, by the way.
In 2023, the European Commission adopted its EU-U.S. Data Privacy Framework which allows EU data to be transferred to organisations in third countries including U.S. intelligence agencies.
And the United States 2018 CLOUD Act provides a mechanism for United States law enforcement to request data held by telecommunications service providers, including public cloud providers including those providing cloud services in the EU.
The question is, can you trust a sovereign cloud provider to not share your data outside of that cloud without your knowledge or permission?
Not always.
If a foreign government wants data from your an EU sovereign cloud, it will be fairly easy for a cloud provider to hand over your data, within the law.
However it's reassuring that Amazon says that they have a history of challenging government requests for customer information that they believe are overboard or otherwise inappropriate.
So just because a cloud infrastructure is located in your country is no guarantee that the cloud provider wont grant access to your data to a third party.
They can be compelled to do so to be compliant with the law, or by a court order.
Encryption is no Silver Bullet
So from the legal point of view, there a risk that company or personal data might be handed over to a third country by the sovereign cloud provider.
Maybe we shouldn't worry about that because Amazon say that say that customers can use third-party encryption solutions when using AWS services, since encrypted content is useless without the applicable decryption keys.
Encryption helps but its not a silver bullet either.
It's better if you manage your own encryption keys independently from the cloud, and Swiss encryption companies like DuoKey and Securosys provide key management solutions that can solve that problem for you.
But what cloud providers don’t say is that even the strongest encryption will likely be broken soon by quantum computing, if it has not already been done.
And they don’t mention how encrypted data can be harvested in other ways, like lawful intercept, compromised software libraries, hidden cloud instance endpoint agents, Intel & AMD processor vulnerabilities, compromised systems, compromised employees, and weak encryption methods.
Lawful Intercept
Almost all countries have lawful interception capability requirements, that is to say that providers must be able to provide access to live voice and data.
Governments require service providers to install a legal black box in their networks, which allow them to intercept in real-time; phone calls, SMS messages, email, file transfers and instant messages.
And it may surprise you that your highly secure SSL connection to the cloud (or your bank) can be simply intercepted by tricking you into to installing a root certificate on your browser.
So perhaps organisations need to think more about their data sovereignty, and individuals about theirs too.
So, what’s the solution?
Private cloud
True private cloud costs loadsamoney, so can we rely on something in between.
Yes, a cloud solution somewhere between public cloud and private cloud is a good compromise for enterprise and even individuals. For example dedicated hardware in a local public cloud, where you run your own cloud software, and keep encryption keys independently is one option.
Organisations can mitigate the risk of a third party gaining access to their data by using trusted open-source cloud software like NextCloud, OpenStack and Kubernetes, running on infrastructure managed by trusted employees and sub-contractors, that are only accountable to the organisation.
Where possible, organisations concerned about data sovereignty should think twice about using a multi-national, and if possible co-locate their own hardware, with smaller local cloud providers whose headquarters and datacentres are physically in the same jurisdiction.
Data Sovereignty for Individuals
Whether you realise it or not, your government has sovereignty over your data as long as they have the means to access it.
That could be by buying it from Apple, Google or Meta, or by capturing it from you while you are your browsing the web.
If you value your privacy and want to reduce the amount of personal data you share with third parties, there are plenty of free tools like Brave, Telegram, Quad9, Proton and SwissCows, that individuals can use to reduce the risk of their data being harvested without their knowledge.
But a little technical knowledge is needed.
Or with a little help, these tools can be done for you.
Subscribe to the newsletter if you want articles like this sent to your inbox.