There are an increasing number of cloud ‘models,’ the most common of which are:
- Private cloud – resources are dedicated to a single organisation and not shared with other users
- Public cloud – offered by third-party providers over the public internet, accessible to anyone who wants to use them
- Multi-cloud – the use of multiple public cloud providers or a combination of public and private clouds
- Hybrid cloud – a mix of public and private clouds (usually an organisation’s own infrastructure), allowing organisations to use the best of both worlds by integrating on-premises infrastructure with public cloud resources.
So, what is sovereign cloud? A sovereign cloud is a cloud computing architecture that is designed and built to provide data access in compliance with local laws and regulations. It ensures that all data, including metadata, remains on sovereign territory and protects against foreign access to data, and therefore makes clear which jurisdiction the data falls under. The objective of the sovereign cloud is to provide a secure and reliable computing infrastructure that can support critical services and protect sensitive data from unauthorised access.
It is common to associate sovereign and private cloud, but whilst a sovereign public cloud may seem like an oxymoron, it is possible to have a public cloud that is operated by a government or a government-approved entity. Examples of this include the UK Ministry of Defence “MOD Cloud” and the US government’s FedRAMP programme.
Although not unique to sovereign cloud, features such as data encryption, access controls, compliance audits, physical security, monitoring and reporting enhance the security and privacy of the hosted data and services. In a UK sovereign cloud these features are designed and operated to comply with UK data protection laws and regulations, with private cloud offering configuration more specific to organisational needs than the ‘one size fits all’ services of hyper-scalers. Whilst there is much rhetoric about which is more secure, if the environment is accessible over the Internet there is little material difference in security from the cloud model itself. The benefit of sovereign cloud is that it removes the complexities of multiple jurisdictions, and of deciding which security clearances or vetting of staff are appropriate and necessary, thereby simplifying compliance.
Relevance of Sovereign Cloud to the UK?
There is no definitive answer to what type of data must remain sovereign to the UK, as distinct types of data may be subject to different legal and regulatory requirements, depending on the context and purpose of their collection, processing, and transfer. However, some broad categories of data that may have data sovereignty implications for the UK are identified in the National Data Strategy:
- Personal data: This is any information that relates to an identified or identifiable individual, such as name, address, email, phone number, health records, financial details, etc. The UK has adopted the EU General Data Protection Regulation (GDPR) as part of its domestic law under the Data Protection Act 2018. GDPR sets out the principles and obligations for the processing of personal data in the UK, the rights of data subjects, and regulates the transfer of personal data outside the UK.
- Public sector data: This is any information that is held by or on behalf of a public authority, such as government departments, Police Forces and other Law Enforcement bodies, local councils, NHS trusts and other Health and Social Care providers, etc. The UK has various laws and policies that govern the use and sharing of public sector data which aim to balance the benefits of making public sector data available and accessible for innovation, research, and service improvement, with the risks of compromising security, privacy, and public trust. Examples of Public Sector data that commonly have additional processing considerations are clinical data, taxation data and data used for law enforcement purposes.
- Sensitive data: This is any information that may pose a risk to national security, public safety, economic interests, or international relations if disclosed or compromised. Examples of sensitive data include military secrets, intelligence reports, diplomatic communications, critical infrastructure data, etc. The UK has various laws and policies that protect sensitive data from unauthorised access, use or transfer, such as the Official Secrets Act 1989, the Security Service Act 1989, the Intelligence Services Act 1994, the Investigatory Powers Act 2016, etc. These laws and policies also impose obligations on individuals and organisations that handle sensitive data to comply with security standards and procedures.
These are some examples of data types that may have data sovereignty implications for the UK. However, this is not an exhaustive list, and there may be other types of data that are subject to specific legal or regulatory requirements depending on the context and purpose of their collection, processing, and transfer.
In today’s digital age, data sovereignty and security are critical concerns for the many UK businesses and organisations that store and process sensitive, personal, and public sector data. Good cyber security and compliance are no longer measured by an annual security test; they need to be embodied in business practices to be effective against cyber threats and other risks. Sovereign cloud does not itself address these demands, but where UK organisations need such levels of assurance, having a clear understanding of where their data is stored and processed, and under which laws and jurisdictions these services are provided, is a significant benefit.
What Are the Benefits of Sovereign Cloud?
As well as considering where your data is, it is equally important to be able to distinguish the sensitivity of datasets before being able to determine the appropriate protection and proportionate controls.
A sovereign cloud can provide several benefits for organisations that need to store and process sensitive data and applications in a secure and compliant manner:
- Data sovereignty: A sovereign cloud can give organisations more control and ownership over their data, as they can decide where it is stored, how it is processed, and who can access it. A sovereign cloud can also protect data from foreign surveillance or interference, as it can limit the exposure to laws which may grant access to data stored in foreign clouds by their respective authorities.
- Compliance with regulatory requirements: A UK sovereign cloud can help organisations comply with the UK laws and regulations that govern data protection, privacy, and sovereignty. A sovereign cloud can ensure that data stays within the jurisdiction of the customer and does not cross borders without consent or legal basis. A customer’s contract with such a provider can also require they comply with all applicable regulations rather than relying on standard terms and conditions.
- Protection of sensitive data: A sovereign cloud can be especially beneficial for organisations that deal with sensitive or critical data, such as government agencies, defence contractors, healthcare providers, law enforcement or financial institutions. A sovereign cloud can ensure that data is handled with the appropriate confidentiality and integrity to meet the specific security standards and compliance requirements of the regulated sectors.
- Flexibility: Sovereign cloud services can be tailored to meet the specific needs of UK organisations, providing a flexible and scalable solution that can grow with their business. This can include management of older technologies and bespoke workloads, which are often part of the organisation’s IT estate.
- Greater control: For a UK organisation or enterprise, sovereign cloud offers the ability to control its own digital assets and resources without depending on foreign providers or platforms. This fosters innovation, competitiveness, and self-reliance, while also preserving national interests and values.
- Known and predictable cost models: Where the services are relatively consistent, knowing how much the service will cost to run is a key benefit and enables the organisation to budget. These platforms often support committed cost profiles, insulated against moderate changes in demand and inflation. Costs are also incurred in the specified currency, limiting the impact of exchange rate fluctuations.
Growth of UK Sovereign Cloud
Sovereign cloud provides a secure and trusted environment for storing and processing data. While it is of course not without its challenges, it offers a range of benefits for UK businesses and organisations, particularly those that deal with sensitive or classified data.
As data sovereignty and security continue to be important concerns, sovereign cloud is likely to become an increasingly popular solution for UK organisations that are seeking higher levels of assurance about the IT infrastructure they rely on, where their data resides and the laws under which it is protected.