Multi-Cloud Uncategorized

The Data Guardian’s Guide to Selecting a Sovereign Cloud: Part 3

The Family Holiday – Which Hotel Wins?

Alex Tanner, Senior Staff Cloud Solutions Architect, VMware Partner Connect Cloud Provider partners, UK&I

In the final post on the Data Guardian’s guide to selecting a sovereign cloud, I focus on the two final layers of the assessment criteria – activities and technology. In my first post, I talked about a framework of assessment that people responsible for safeguarding corporate or public data, (data guardians) can use to evaluate whether a specific sovereign cloud offering is right for them. I used the analogy of planning a family holiday to discuss this.  In my second blog, I talked about the first three of the five framework layers for selecting a sovereign cloud: people, access, and process.

I now can discuss the final two assessment layers – activities and technology – and then conclude on the right approach for the data guardian’s guide to selecting a sovereign cloud.

Assessment Criteria: Activities

The fourth criterion applied to the choice of accommodation is ‘activities’. The content of the analogy relates to the activities that people can undertake with the children. In the case of Child NS (non-sensitive) there is little concern about whom those people are, i.e., coaches, and kindergarten volunteers, as well as the types of interaction such as coaching, and mentoring they might have with Child NS, as Child NS requires little specialist attention. The people running leisure, sports, or other activities can involve Child NS in those endeavours with little concern and their interaction does not need to be scrutinized and audited. Child S, on the other hand, requires careful, specialist handling by trained personnel who have strict guidelines around the sorts of interactions they can have with Child S and the types of activities they can offer Chid S. Failure to observe these strict guidelines could have dire consequences for Child S and so activities are carefully monitored and recorded.

In terms of the sovereign cloud framework, this criterion relates to what people, through access, and leveraging processes can conduct by way of activities against the data, both customer and account, and service metadata. As the diagram below indicates these activities can range from limited, very low-impact no access activities dictated by specific roles and rights through to a full range of access enabling a comprehensive management of all types of data. Again, understanding the data classification and how ideally those data types should be accessed and what levels of management are enabled by what types of personnel using which systems, is critical to selecting the right sovereign cloud.


Assessment Criteria: Technology

The final criteria applied to the choice of accommodation is ‘technology’. In terms of the analogy this represents the locations where the family will be at various times during their vacation and the impact this could have on the various family members.

Child NS can quite happily be enrolled in activities both at the boutique hotel and with minimal supervision at the sport and leisure facilities at the international brand hotel, with whom the boutique hotel has an arrangement. Transport there and back is not a consideration, and these activities and movements need only be lightly recorded and audited by the parents. The family is largely happy for the hotel to arrange things and to liaise with the other activity providers around schedules and staffing. For Child S, this relaxed attitude changes markedly and now location and accountability are incredibly important. Specific requirements exist for the facilities, which must be staffed by the correct people, with verified access, leveraging specific processes to track and authorize only very specific activities. Here experienced and highly trained staff, following well-understood audited and documented procedures, are vetted to work with certain types of needs and will ensure that Child S has the best experience possible.

In terms of the sovereign cloud framework, this criteria talks to the need to have a robust and resilient architecture, located locally within the Jurisdiction, and optimised to reflect the sensitivity and value of the data hosted on the platform whether that is at an individual customer level or more broadly at a data classification level. The facility should be secured and operated at the highest levels of resiliency, but with the data also needing to be always available this creates a need for backups and disaster recovery solutions that exist beyond a single site architecture while remaining wholly within the local jurisdiction. Depending on the data classification being considered some aspects of this architecture approach to technology can be adjusted as highlighted in the diagram below.


The Assessment Conclusion: Why the Boutique Hotel Wins

Following the outcome of the assessment criteria review and given the nature of the children as well as the desired outcomes for the vacation, Adult A and Adult C eventually settle on the boutique hotel as their accommodation provider of choice.

While more expensive and with a less flexible model of consuming facilities and services, the boutique hotel won out because it offered the facilities and staff and was governed by the right mix of regulations, auditing, and accountability entirely within the local jurisdiction and this aligned with the requirements of Child S. Had the family had a second child more akin to Child NS, then either of the other two accommodation options might have proved more cost-effective and supplied a broader range of facilities and activities without the additional overhead of coordinating travel and more complex schedules.

Classifying and really understanding a business’s data types is the first step one should take as a data guardian when looking at selecting the right sovereign cloud for your business.

Your Role as the Data Guardian in Selecting a Sovereign Cloud

To take the next step on your journey, as a data guardian, to selecting a sovereign cloud, we would suggest using the framework criteria discussed in this article to assess what sort of sovereign cloud you might require based on the data classification exercise carried out in step one. In terms of seeking help with step two, data guardians should consider a VMware Partner Connect Cloud Provider partner. If one was to map a VMware Cloud Provider to any of the accommodation options described in our analogy above it would be to the boutique hotel, as many of the VMware Cloud Providers have been operating local sovereign clouds in specific European countries for many years and are experts in understanding and abiding by the local regulations and jurisdictions requirements around different tiers of data.


In addition to being experts in operating sovereign clouds many of these VMware Cloud Providers are also experts in the hyperscaler cloud platforms and can help savvy data guardians seeking sovereign cloud features in a multi-cloud world assess where their different tiers of data should reside, with sensitive data hosted on a specialist VMware Sovereign Clouds and less sensitive data classifications hosted in a hyper scale cloud. For more about the VMware approach to sovereign clouds please contact us here and working with our Partners to have your own sovereign cloud assessment please reach out here.


Leave a Reply

Your email address will not be published. Required fields are marked *