Keeping the cloud secure with sovereignty in mind

Rob Kernahan, vice-president at Capgemini, discusses the importance of a strong cloud sovereignty strategy in keeping infrastructure secure

Cloud has been one of the biggest enablers of innovation that’s revolutionised the way services are devised and delivered — from social media and the rise of streaming platforms, right through to the development of new business models and governmental digital platforms. With its ability to accelerate innovation, cloud has become a fundamental pillar for the new way of business and enabled modern service delivery.

The benefits of cloud were clear to many organisations, who quickly rushed to capture its competitive advantages and often embraced established hyperscalers outside their national boundaries. In doing so, the notion of cloud sovereignty was born, referring to how a firm’s data is subject to the laws of the country in which it’s located.

For many firms, however, it wasn’t that simple to use cloud to gain competitive advantage. For example, those within the business of security, critical national infrastructure, and sensitive data face tighter regulation, in addition to dealing with market volatility and unsettling geopolitical tensions, which continue to grow today. As a result, embracing these cloud capabilities presents a new challenge — securing the continued delivery of that service. With limited options for providers meeting the required standards and a stifling regulatory landscape, tackling the issue of cloud sovereignty has now become paramount if cloud is to play a pivotal role for many organisations and sectors.


Rocket-race towards cloud

Business and IT are now inseparable, with cloud adoption being critical for enabling future innovation and keeping pace with the competition. A few select organisations recognised this technology’s potential and quickly developed compelling cloud platform services, with limited competition outside of the US.

The issue then arises when these hyperscalers are outside a firm’s national borders. Many organisations have no real choice but to use these providers, as the only local alternatives are traditional concepts of the technology, largely involving basic virtualisation within locally controlled data centres. While utilising services across borders is not a new concept by any means, and does not generally incur much risk, the current geopolitical landscape brings an unforeseen uncertainty — the continued provision of a nation state’s cloud capabilities.

We’ve already seen companies pulling out of Russia following its invasion of Ukraine this year, but tensions between nation states existed long before, as did hyperscalers discontinuing services with little notice to their user base. This becomes particularly important when looking at how much of our national infrastructure and governmental citizen services have moved to cloud. And so, while we can adopt systems and technology such as cloud, we can no longer guarantee that service will last forever, creating a new dimension to how secure organisations must consider their cloud platform to be.

As a result, cloud adoption strategies are no longer solely focused on the management and control of data. Instead, the security of supply has become a critical risk that organisations must mitigate.

Securing cloud services

Being able to secure your cloud service supply not only requires data controls, but also access to legal controls. As such, hyperscalers have started adapting how they deploy cloud services to give nation states assurance — essentially meaning that cloud services are deployed in partnership with a local organisation.

This has given rise to sovereign partnerships that license the hyperscaler technology, with services delivered by suppliers under the local legal framework. This pragmatic approach has slowly become more common in recent months, and helps overcome many of the risks associated with using cloud, particularly around assurance of service supply.

Despite this, one of the biggest barriers to cloud is the current regulatory landscape surrounding how certain sectors need to control data sovereignty and how that data is securely processed. This often requires a long list of requirements that must be fulfilled to shift services onto the cloud, which is unique for each industry.

For example, the rules in place for the management of services such as the energy grid would differ greatly from those for healthcare providers. With such rigid and inflexible regulations, the barrier felt a little too high for many organisations when seeking cloud integration and threatened to curb its current rate of growth. These hyperscalers, however, understood the true business value that cloud could unlock within these sectors, and have continually enhanced their ability to meet these rising regulatory demands.

We’re now also finally seeing a shift in this regulatory space. As the industry matures, these regulators are recognising the difficulty in meeting these various conditions, and so have begun adapting to make it easier for organisations to adopt cloud with improved guidance. Through this, we’re slowly seeing a point of convergence, with hyperscalers becoming more adept at meeting these requirements while the regulators are simultaneously offering more support.


Cloud sovereignty strategy

Cloud has already gone through two or three maturity cycles since its inception, and it’s far from its industry infancy. However, the true complexity of cloud sovereignty has only recently fully emerged. Hyperscalers have largely been fragmented in their approach, which is continually evolving, with many organisations unsure of the best path to take.

Some business leaders are being hesitant and holding off on their investments until regulations and providers are more aligned, but doing so locks them out of the acceleration which competitors are already benefiting from through their cloud adoption. Speed then becomes the name of the game for achieving and sustaining that competitive advantage which cloud has become synonymous with providing. However, a bullish approach with little regard to managing that supply security risk can ultimately mean the failure of a business.

Navigating this to create a cloud strategy that works for organisations becomes the real challenge, with the aim to achieve a balance between speed to market, data control and assurance of supply.

As a result, developing a cloud sovereignty strategy, for those who are regulated or deliver critical national infrastructure, must be at the centre of an organisation’s wider cloud approach. For starters, firms should first seek to fully understand the marketplace, its evolution and how that applies to their situation, enabling them to better evaluate the right investments needed to provide that security of supply while maintaining a level of data control.

There are many shifting factors that need to be considered to get it right, but it’s worth the reward — as with cloud, the sky’s the limit.

Rob Kernahan is vice-president at Capgemini
