As the concept of ‘sovereign cloud’ is gaining more traction, it’s important to understand that not all sovereign clouds are equal.
Some hardware vendors state that their physical servers are sovereign because they run on your premises. In a sense, that’s true, but that’s like the classic castle and moat analogy: “Whatever I put inside my castle is sovereign because I see the lights blinking and can touch the cables.” It’s still a private cloud with all its limitations when it comes to innovation. Moreover, once you apply Zero Trust, that reasoning no longer holds: insider threat is very real, and all users with physical and virtual access to the server must be explicitly approved each time.
In my opinion, stating a machine is sovereign because it’s running on your premises is falling short of the modern approach: a sovereign cloud includes the Public Cloud as the Innovation Frontier. At Proximus NXT, we use Sovereign Cloud primarily in relationship to the Public Cloud.
But what exactly is a Sovereign Cloud composed of?
We see four key components of a Sovereign Cloud:
1. Confidential Computing
As written in an earlier article, Confidential Computing is a crucial component as it enables the encryption of data in memory. This, in turn, helps to remove the Cloud Provider from the trust chain. When dealing with sensitive data, you want the smallest trust chain possible, i.e., how many parties do we trust with our data?
Confidential Computing provides the highest security available to date. It’s the missing puzzle piece that adds protection for data in use to the existing protection for data in motion and data at rest.
2. (External) Key Management
As Confidential Computing still requires encryption and decryption to take place, you need encryption keys. This means you need secure governance to manage the keys. Think of key rotation and the ability to add and retire keys.
Ideally, the keys are stored outside the cloud provider, i.e., external key management. However, this is not always possible for practical and technical reasons, so the next best thing is using an HSM (Hardware Security Module) validated to FIPS 140-3 Level 3 or higher. It’s military-grade and ensures the Cloud Provider is unable to read your keys. On Microsoft Azure, this would be the Managed HSM service.
3. Sovereign Landing Zone
The next key ingredient of a Sovereign Cloud is a Sovereign Landing Zone (SLZ). In Public Cloud, we need a landing zone to ensure that our cloud environment is secure, scalable, and consistent. A landing zone helps us to:
- Establish a governance model that defines policies, roles, and responsibilities
- Implement best practices for identity, network, security, and management
- Automate and streamline the deployment and operation of our cloud resources
Landing Zones are configured in code to ensure automated compliance checks instead of manual, human verification.
A Sovereign Landing Zone is a special type of landing zone designed for organizations that need government-regulated privacy, security, and sovereign controls.
The Azure Sovereign Landing Zone differs from a regular landing zone in that it provides:
- Additional orchestration and deployment automation capabilities
- An opinionated landing zone design for data sovereignty and confidential computing requirements
- Additional Azure Policy Initiatives and Policy assignments to help meet sovereignty requirements for public sector customers, partners, and ISVs
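To make "configured in code to ensure automated compliance checks" concrete, here is an added example (not code from this article or from the Azure Sovereign Landing Zone) of a policy-as-code check run over a constructed resource inventory. The field names, the region allowlist and the key-store labels are assumptions chosen for illustration, not a cloud provider's API.

```python
# Added example: policy-as-code check over a constructed resource inventory.
# Field names, region names and key-store labels are assumptions, not a cloud API.
ALLOWED_REGIONS = {"westeurope", "northeurope"}    # assumed sovereignty boundary
ALLOWED_KEY_STORES = {"external", "managed-hsm"}   # external KMS or HSM-backed store

def rule_region(res):
    if res["region"] not in ALLOWED_REGIONS:
        return f"region '{res['region']}' is outside the allowed boundary"

def rule_confidential_vm(res):
    if res["type"] == "vm" and not res.get("confidential", False):
        return "VM does not run on confidential computing hardware"

def rule_key_store(res):
    # Resources that hold data must declare where their encryption key lives.
    if res["type"] in {"vm", "storage"}:
        store = res.get("key_store")
        if store is None:
            return "no key store declared"
        if store not in ALLOWED_KEY_STORES:
            return f"key held in '{store}', not an external KMS or HSM"

RULES = [rule_region, rule_confidential_vm, rule_key_store]

def evaluate(inventory):
    """Return {resource name: [violations]} for non-compliant resources only."""
    report = {}
    for res in inventory:
        # Each rule returns None when the resource complies.
        findings = [msg for rule in RULES if (msg := rule(res))]
        if findings:
            report[res["name"]] = findings
    return report

# Constructed sample inventory (not real resources).
INVENTORY = [
    {"name": "vm-payroll", "type": "vm", "region": "westeurope",
     "confidential": True, "key_store": "managed-hsm"},
    {"name": "vm-legacy", "type": "vm", "region": "eastus",
     "confidential": False, "key_store": "software-vault"},
    {"name": "st-archive", "type": "storage", "region": "northeurope"},
]

if __name__ == "__main__":
    for name, findings in evaluate(INVENTORY).items():
        for finding in findings:
            print(f"DENY {name}: {finding}")
```

Run in a deployment pipeline, a non-empty report blocks the change, which is what replaces the manual, human verification step.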
4. Attestation
Lastly, attestation is a key ingredient in a Sovereign Cloud. Attestation is a process that verifies the integrity and identity of a cloud service provider and its infrastructure. It ensures that the cloud service provider is who they claim to be and that they are using secure and compliant hardware and software to deliver their cloud services.
Attestation can be done by a trusted third party, such as a certification authority, or by the cloud service provider itself, using self-attestation methods.
We need attestation in a sovereign cloud to ensure that our data and applications are protected from unauthorized access or manipulation by foreign entities or actors. Attestation helps us verify that the sovereign cloud provider is using the appropriate security and compliance controls to safeguard our data and applications in the cloud.
So what?
As sovereign cloud is getting more traction, it’s important that you, as a CIO or CISO, understand what to look for when selecting a sovereign cloud partner. Having one or two key ingredients is not enough. You need all four combined for a real sovereign cloud in the modern definition. This way, you can benefit from Public Cloud innovations while having peace of mind about how your sensitive data is used.
Jetro WILS is the founder of BlueDragon Security, where he helps organizations operate safely in this cloud era by strengthening their digital security and compliance.