Macroeconomic factors such as geopolitical instability, the growing sophistication and severity of cybercrime and a shifting global regulatory landscape have given rise to heightened demand for data sovereignty and sovereign cloud infrastructure.
This week’s Digital Nation Australia documentary unpacks the use cases and trends surrounding sovereign cloud, and more specifically, the nuanced differences between data sovereignty and data residency.
According to Robert Potter, the co-founder and co-CEO of Internet 2.0, "If you solve purely for market efficiency, as the global economy has over the past 30 years, you do not create a resilient supply chain. You end up in situations where your gas for most of Europe comes from Russia, where all of our semiconductors come from Taiwan.
"Those inefficiencies and bottlenecks are not resilient in combat."
Potter, who is regarded as one of the top cybersecurity executives in the country and who holds roles with the United States and Canadian governments as an expert on North Korean cyber operations, said we are now living with the consequences of decades' worth of supply chain hyper-optimisation.
"We are seeing a dramatic increase in inflation globally, driven by the geopolitical shakedown of our global supply chain, and that realignment is shattering the globalised assumption that efficiency at market and cost is the only variable which matters when building a global economy."
And, he said, we are also seeing the Balkanisation of parts of the internet. "[This] has already occurred, from North Korea, China, Russia, and Iran. We're seeing that they are not comfortable sharing a common, free and open internet with the rest of the world.
"But they're also more than happy to interfere in one that they're connected to. They're not prepared to stay behind their firewalls in order to build their sovereign capability. Every country, no matter how hermit-kingdom it is, has always felt the need to come over their wall and interfere in our politics."
Potter said if we could sustain a global economy purely based on the reduction of cost, we would raise more people out of poverty than we're currently doing. "It would be a net benefit for the world for us to do that but at present, the flow of data and the flow of capital are no longer as open as they used to be."
That is why countries need to look to their own resources to build resilient supply chains, he said. "It is why companies like AU Cloud and Vault and others like them, are working to build these secure supply chains for Australia."
Risk management
Nigel Phair, non-executive director on multiple boards, enterprise director at the UNSW Institute for Cyber Security and formerly superintendent at the Australian Federal Police, told Digital Nation Australia that the key driver of sovereign cloud is risk management.
“The whole business case surrounding sovereign cloud is that this information is so sensitive, is so serious that it should be domiciled, say, in our perspective, in the Australian environment,” he said.
Governments, particularly at a national level, as well as highly regulated organisations such as banks, telcos and critical infrastructure owners and operators, are largely driving demand for sovereign cloud services, to ensure their data remains within the control of the Australian legal jurisdiction.
Data residency vs data sovereignty
While data sovereignty is often referred to as data hosted in data centres residing in Australia, the location of the data is only one piece of the puzzle.
According to Leanne Francis, director, cloud provider partner program at VMware ANZ, “Data sovereignty and residency are often combined into a single statement and are regularly confused.
“Ensuring data sits within a geographical location (for example, to take advantage of a tax regime) is a matter of residency, while the idea that data is subject to the exclusive legal protections and jurisdiction of a nation is a matter of data sovereignty,” said Francis.
Guy Danskine, managing director of data centre operator Equinix Australia, said that data residency refers to the physical location where the data resides, while data sovereignty determines the ownership and control of the data.
“What we've really seen there is governments taking a much more active interest in their residents’ data and citizens’ data, who controls it, who manages it, and who can ultimately ship it around the world,” said Danskine.
Political motivations
According to Andrew White, research vice president, distinguished analyst at Gartner, the motivations for data sovereignty vary around the world based on the geopolitics at play.
“Given that most organisations are developing a data strategy of some kind or an AI strategy, or a digital strategy, we should assume that sovereign states are doing the same thing,” said White.
There are a number of regions and sovereign states developing various data and cloud strategies with different objectives, he said.
“China's motivation for a sovereign cloud is to protect its state. They say protect their citizens, but it's a different model to Australia or the EU or the UK or the US,” said White.
“[China does not] want a public cloud infrastructure powered by anybody other than Chinese businesses, that's their stated objective. The EU is exactly the same. They don't want Amazon or Google making money on stuff going on in the EU. They want European companies to be successful.”
White said that Europe’s objective is to build an EU cloud to serve the needs of EU citizens and businesses.
Regulations
Different nation-states and regions have developed legislation to give themselves oversight of the data within their jurisdiction, such as the EU’s General Data Protection Regulation (GDPR), the US Cloud Act and the Patriot Act, said Phil Dawson, managing director at AUCloud.
“In the EU’s case, if you have data on any EU citizen anywhere in the world, they're giving themselves the right to come after you if there's a compromise of that data to the extent of four percent of your global revenues. If you are a subsidiary of a US company, then the US government has given itself the right to demand of that data should they want,” he said.
While Dawson believes that a sovereign cloud protects an organisation from a foreign jurisdiction such as the US demanding access to its data, Phair asserts that this is simply a marketing tactic used to scare organisations into purchasing sovereign cloud solutions.
“The reality is if the US want to get access to your information, legitimate access, lawfully, and it's not hosted in the US, they're just going to do a mutual legal assistance treaty request to Australia, for example, and get access to that data anyway,” said Phair.
“It's a bit of a misnomer when we say, ‘Oh, you shouldn't hold data in the US because of the Patriot Act, they could get access to it.’ They can lawfully through respective Attorney Generals get access to that information anyway.”
Local regulations are also driving data sovereignty compliance in Australia, according to VMware’s Francis.
“In Australia, the past year has seen the introduction of the Australian Government’s Certified Sovereign Data Centre program and the Critical Infrastructure Act which give the Federal Government the power to intervene in the security response of private organisations,” she said.
“When you add the continual reforms to the Privacy Act and the ACCC’s proposal to deal with the dominance of large digital platforms, we can clearly see the need for sovereign cloud from a policy perspective.”
Metadata
Data sovereignty does not only refer to the core data set but also to the metadata and support information that defines and describes that data.
Dawson highlights the importance of metadata storage when it comes to data residency and sovereignty. “It's not just about customer data or something in a database that we'd all be familiar with, but it's about the account data, about the customer, it's about the support data, the monitoring data that we're all monitoring our systems, and also about the metadata that flows to enable operational analytics to be undertaken, to optimise service availability for those platforms that we run,” said Dawson.
“Is all the data resident would be my question. If it is, that's fantastic. And then I'll be asking who's actually got legal jurisdiction over that data?”
Phair points out that data centres and public cloud providers claiming to provide data sovereignty might not be protecting the metadata.
“Data centres now say ‘Your cloud is hosted in Australia’. The management of that might not actually be in Australia. The metadata collection, the encryption tools and techniques might be housed offshore. And it's that fear, uncertainty, and doubt that's sown into organisations, which tries to drive them towards pure play onshoring domicile of your customer personally identifying information, intellectual property, whatever it might be data,” said Phair.
While public cloud provider AWS was unable to provide an interview or written responses to Digital Nation Australia’s specific questions, a spokesperson provided a statement outlining the company’s approach to data sovereignty.
According to an AWS spokesperson, “We are committed to delivering solutions that meet our customers' data control, data protection, and compliance requirements in response to an evolving regulatory landscape. We are focused on developing solutions that truly meet both the needs of governments and the demands of our customers' businesses.
“We will continue to build data control, security, and privacy capabilities and work with our partners on solutions that allow customers to meet sovereignty requirements with the full benefits they get from using the most capable, innovative, and reliable cloud.”
Does sovereign cloud matter?
While the trends indicate that foreign government access to citizen data is a growing concern, alongside increases in the volume and sophistication of cyber threats, cyber espionage and an increased focus on data privacy protections, UNSW’s Phair remains unconvinced of the benefits of sovereign cloud.
“I think there's a limited benefit, to be honest. If you choose one of the big three, your Azure, Google and AWS, they will give you the tools and techniques to protect that data. They will give you encryption tools, which you can host in that instance or another instance, or locally the keys. They'll give you a wide range of possibilities, including storing it in Australia,” said Phair.
“I think the use case for sovereign cloud is as time goes on, is actually diminishing and really we're just preying on the insecurities of Australian organisations to the, ‘You must store it here’.”
Equinix’s Danskine, however, believes that regulatory oversight and scrutiny around data privacy is only set to continue, giving rise to a greater need for data sovereignty.
“Data sovereignty is important, because by country or by territory you’re really saying ‘Here are the controls and mechanisms in place, I want certain data to be managed’,” said Danskine.
“I would note that the Critical Infrastructure Bill has a second review next year, as does the Data Privacy Bill that’s about to be rushed through the Federal Parliament for very current reasons. And so, all of those will have underpinning it, the need for customer and citizen data, how do organisations treat that information? How do they store it? How do they secure it? How do they transmit it? Who to and when?
“It's already an incredibly pressing issue, and that's only going to become more so as things continue to become more global and more complicated in nature.”