Laurent Allard, Head of Sovereign Cloud, VMware EMEA, explains why there is no data sovereignty without cloud sovereignty.
The challenges of managing and storing sensitive and critical data are growing. The volume of highly sensitive data now hosted in the cloud is on an upward trajectory. Sixty four percent of EMEA organisations have actually increased their volume of sensitive data, and 63% have already stored confidential and secret data in the public cloud, according to IDC.
Managing this exposure of highly sensitive data, which could be financial, personal, national or critical information, is driving the need for data sovereignty – where this intelligence is bound by the privacy laws and governance structures within a nation, industry sector or organisation.
This exposure of such data in the public cloud should be influencing every organisation’s future cloud strategy and the imperative of sovereign clouds.
Yet challenges exist. To date, there is no standard definition to assess a
cloud as ‘sovereign cloud’, and not even common terminology ‘sovereign cloud vs. trusted cloud’. But what is crystal clear is the set of key requirements associated with confidential and sensitive data, such as data and metadata control, residency and exposure to external jurisdiction. Agreements on data sovereignty must come first, so organisations understand how to keep control of their data and to choose the appropriate platform to host their data and innovate in a secured way.
However, this is not always understood outside of technical teams. If your organisation’s management has its head in the clouds when it comes to data sovereignty, here are five key messages to help you demonstrate the value of a secure data strategy, and explain why there is no data sovereignty without cloud sovereignty:
1) Data classification determines choice of cloud
The days of customer information sitting in a single, monolithic database are well and truly dead. It is now essential for organisations to manage their data and applications in a multi-cloud environment, with the application, workload and data type determining the cloud used. Our research shows that nearly half (47%) of organisations understand that using multiple clouds will help them address security and privacy concerns, while better enabling them to monetise their data. And ultimately, organisations that fail to embrace this will inevitably get left behind.
So, while it is now common for organisations to use several clouds to secure and manage their data and applications, with the drive for sovereignty, we’re seeing a review of usage to allow a mix of clouds with different levels of control and certification. This boils down to the type of data, for example its volume, sensitivity, criticality and exploitability; the data owner’s priorities in regard to it, such as its privacy or economic advantage; and regulations.
Data sovereignty therefore needs to start with the classification of data, to ensure specific assurances and capabilities on data residency, data protection, interoperability and portability. Organisations can then choose the best clouds for the job, from sovereign private clouds to sovereign public clouds to trusted public clouds – ensuring they comply with sovereignty and jurisdictional rules.
Until now much of this has been conducted with the confidence that cloud providers are upholding their promises of data sovereignty. Unfortunately, recent closer scrutiny by regulators suggests that not all providers are equal, with some being very publicly examined to ensure they’re not missing the mark. One provider is under investigation in Germany to ensure it’s meeting GDPR compliance, while another has just launched a new digital sovereignty pledge, leaving some customers questioning their track record up until now.
It’s therefore also essential that decision makers aren’t tripping themselves up by automatically assuming all global hyperscale cloud providers will support data sovereignty because the portfolio, data and applications will be limited to only what can be run in a region. The physical location of data isn’t enough to give the sovereignty stamp of approval. Almost all require jurisdictional control, which cannot be assumed to be met with a data resident cloud, particularly for U.S. or global cloud providers subject to the CLOUD Act and FISA ruling. The flow and management of the data is also crucially important, as are the consumer rights within the country you’re collecting that data from. It can be an incredibly confusing web to unweave and make sense of.
2) Secure data drives success
Data is undoubtably the driver of success and decision makers know this. A shining example is McDonald’s, where the company successfully used visitor data to assess the effectiveness of its iconic Piccadilly Circus billboards, and redirected marketing spend towards smaller, personalised adverts instead. This increased footfall to desired locations, and ultimately, drove up sales.
Research we conducted earlier this year shows that by 2024, 95% of organisations across EMEA will be looking to their data as a key revenue driver, with 46% recognising it as a significant source of revenue – up from 29% today. And with the data monetisation market already at $2.9 billion, and another $4+ billion to be captured by 2027, it’s no wonder that more business leaders want to tap in. According to the European Commission, the data economy in Europe is expected to grow GDP from 2.6% to 4.2% by 2025.
At the same time, companies are highly aware that their data strategies must be handled with care to ensure customer privacy. Concerns amongst consumers are increasing and getting louder in this growing discussion. There are plenty of fresh rules and regulations on the way, like DORA, which will help harmonise hard-to-reconcile regulations and reporting standards in banking across EMEA. Even with simplification like this on the horizon, meeting these regulations can be a complex journey for companies that operate across international borders.
3) Local laws don’t need to be a minefield
Whilst the value of data is clear to see, there are often understandable reservations about regulations. Data sovereignty laws differ from one country to the next, with over 100 countries having their own standards on how data should be treated and stored within their sovereign borders. They also rarely stand still and change constantly. Organisations that fall foul of these can end up paying fines of hundreds of millions of dollars and be seen as unreliable and untrustworthy in the eyes of the consumer. Meta, for instance, is currently facing a €390 million fine from The Irish Data Protection Commission, after its Facebook and Instagram privacy breaches.
Most people (87%) are willing to walk away from a company if some kind of data breach happens. Their trust is just as valuable as hard currency. So, how can organisations perform this delicate dance in a way that allows them to mine customer data without betraying their customers’ trust? The answer lies in the ability to share, monetise and protect data that resides across multiple clouds.
4) Forge relationships with a network
Those looking to run without being tripped up should form relationships with one of the newly formed global networks of sovereign cloud providers who have specifically joined forces to ensure that data is protected, compliant and resident within a national territory. Working with an entity that has both national and local partners guarantees an organisation will be meeting niche requirements across the board. It also gives decision makers the ability to choose the right cloud for a specific data classification, with better governance around data mobility. By definition, these specialised clouds are operated by a sovereign entity, so they’re exempt from foreign jurisdictional control. With a sovereign cloud, data is managed by national citizens with the relevant national security clearances.
As more organisations focus on monetising their data to capture revenue, sovereign clouds are becoming an integral part of a “cloud-smart” strategy, enabling organisations to run their business operations across multiple clouds to better serve their end customers and to gain strategic advantage. If management doesn’t have a clue about data sovereignty, make it your new year’s resolution to ensure these five key messages are understood by all. In a world where trust is everything, both between B2C and B2B, don’t let your data strategy get tripped up by misplaced assumptions about data sovereignty.
5) Data sovereignty drives innovation
Ultimately, the reason why sovereignty is so important, is that it enables organisations to be innovative with their data and deliver new digital services. Historically, there has been a distinct lack of trust in the cloud, leading to a lack of innovation. Some of the biggest and most important creators of data, such as finance and healthcare, continue to avoid use of public cloud because of privacy fears. This significantly handicaps their ability to innovate, and means they are losing out on other benefits of cloud technology, such as cost-reduction, agility and scalability. It is therefore paramount that moving forward we avoid the mistakes of the past and ensure sovereign data from the start. Today, sovereign cloud is more and more perceived as a key enabler for a ‘data-driven’ innovation.