
The real risk of avoiding Cloud Sovereignty

Guy Bartram, Director Product Marketing, Sustainability Ambassador

Adopting cloud computing has become increasingly popular, with many organizations taking advantage of its benefits, such as reduced costs, improved flexibility, and scalability. However, with this increased adoption comes the need for increased attention to security, particularly regarding sensitive data, data classification, privacy, and Sovereign Clouds. Sovereign Clouds are managed and operated privately or through a third-party Sovereign Cloud Provider, such as a VMware Sovereign Cloud Provider, often used for sensitive data and applications. Sensitive data may have a broader scope than people realize and can vary depending on the context and the industry the company focuses on. For example, in healthcare, sensitive data might include medical records, while in finance, it might include financial records and credit scores. In government, it might include classified information related to national security.

Unfortunately, many organizations remain reluctant to use Sovereign Clouds, despite the risks of avoiding them. This blog post will explore the risks of avoiding Sovereign Clouds and why considering them is essential.

There could be several reasons why organizations are not adopting Sovereign Clouds:

However, avoiding Sovereign Clouds and using Hyperscale clouds can pose several risks to an organization’s security and privacy.

  • Public clouds are typically owned and managed by third-party providers whose security controls and protocols may differ from your organization’s. This means your data could be vulnerable to unauthorized access, theft, or misuse by hackers, insiders, or other malicious actors. President Biden recently highlighted this point, calling for regulation of security practices in the public cloud, which poses a considerable risk for sensitive data.
  • Public clouds often rely on shared infrastructure, meaning that the data and resources of multiple organizations are stored and processed on the same servers and networks. This increases the risk of data leakage or cross-contamination, where sensitive data could accidentally or intentionally be accessed by, or exposed to, other users on the same platform. Shared platforms come at a functional cost, typically in security and performance. Resource contention and degraded performance can occur depending on the underlying hypervisor used in the public cloud. To work around this, hyperscale clouds often limit the compute, network, and storage resources customers can use, resulting in high cost relative to resources and in many customers moving workloads out of their cloud. Recent examples in the press are Basecamp and 37signals.
  • Public clouds are subject to legal and regulatory requirements that may not align with an organization’s security and compliance needs. For example, some public cloud providers may be subject to foreign laws such as the U.S. CLOUD Act or government surveillance programs such as FISA, which could compromise the confidentiality and integrity of classified data. In Europe, for example, the U.S. CLOUD Act raises concerns about the privacy and data protection of EU citizens, as it potentially allows US authorities to access their personal data without sufficient safeguards or oversight. In summary, it conflicts with the EU’s General Data Protection Regulation (GDPR), which requires companies to obtain explicit consent from individuals to process their personal data and to ensure adequate data protection measures are in place. Consider data in all its forms, including metadata, telemetry data, accounting data and support data; the sphere of influence to consider here is much larger than you think. Exposure has been documented many times in the press. An excellent example of this is the 2022 Data Protection Impact Assessment (DPIA) from the Dutch ministry, stating “high risk related to unencrypted streaming and stored special categories of data” and:


“There is a high data protection risk related to the possible access by US law enforcement and secret services to very sensitive and special categories of personal data. This risk occurs even though the Teams, OneDrive and SharePoint Content Data are already exclusively processed and stored in the EU, because access to this data can be ordered through US legislation such as the US CLOUD Act.”


  • The organization should control the management and visibility of its data as it is stored and processed in a third-party environment. The public cloud’s lack of standardization can limit the organization’s ability to audit, monitor, and enforce security policies and procedures. Public clouds are highly distributed and complex, making a comprehensive view nearly impossible. This is compounded by a shared responsibility model for security, where customers are responsible for using the public cloud’s features to secure their own data. The public cloud is very good at rapid scaling, which can make it challenging to keep track of security policies across many resources. Finally, all public clouds have differing capabilities and toolsets, creating challenges not only in the levels of security possible but also in the enforcement of security.

Overall, the risks of putting any data in a public cloud can be significant, and organizations should carefully evaluate and mitigate these risks before deciding to use such services. However, is Sovereign Cloud a nirvana? Organizational concerns about Sovereign Clouds range from the availability and performance of Sovereign Cloud solutions to their cost compared with traditional cloud offerings. Are they correct?

Availability

Sovereign Cloud solutions may have a different global reach and availability than traditional public cloud offerings; one view is that this limits their ability to support geographically dispersed workloads and users.

Sovereignty is not a global matter but a national one, or a shared regional one, as in the EU. Sovereign Cloud solutions ensure high availability within national geographies and within data centers in the Sovereign region; going across borders would mean differing jurisdictions and laws about all aspects of data and cloud. Ensuring the availability of data and services is critical for the operations that Sovereign Cloud providers manage, such as operations of national interest.

Availability is a crucial aspect of the VMware Sovereign Cloud 20-point certification; VMware Sovereign Cloud partners must attest to providing data integrity and availability with redundant infrastructure and failover mechanisms to ensure that data and applications remain available in the attested territory in the event of a regional outage or disaster.

Performance

Sovereign Cloud solutions, like all cloud solutions, will have different levels of performance and scalability than public cloud offerings. This could be viewed as limiting their ability to handle high-volume, resource-intensive workloads.

Sovereign Clouds are built and designed to meet sovereign customers’ needs; many Sovereign Clouds operate at very high levels of availability, exceeding the capabilities of hyperscale offerings. Operations of national interest and specific verticals have unique application requirements, and valuable capabilities such as autoscaling are available to VMware Sovereign Cloud providers.

VMware has pioneered exceptional performance, including some faster-than-bare-metal capabilities (see the Tanzu Kubernetes example). For a long time, VMware has had technologies to avoid the performance issues inherent in virtualized environments and has outperformed public cloud services. For a great example of this, see this report from VMware Cloud Provider Expedient.

Cost

Sovereign Cloud solutions may be more expensive than traditional cloud offerings due to higher operational costs, lower economies of scale, and the need to maintain specialized infrastructure and talent.

Cost is a critical cloud component, and VMware Cloud Providers work on a pure consumption model. Unlike hyperscale cloud, where you must purchase reserved instances, you can have a resource pool of compute and storage and use as much or as little as you need. Resource pooling is one option for cost-sensitive Sovereign customers; even those that want dedicated hardware and private clouds can quickly scale out without incurring significant costs.

Sovereign Clouds deal in security and compliance; Sovereign Cloud partners invest significantly in the enhanced vetting of personnel, infrastructure and systems, aligned to the data classification and industry vertical, that you will not find available in hyperscale clouds.

If you choose a VMware Sovereign Cloud Provider, they can offer secure, shared infrastructure and dedicated, isolated private clouds. Both come with fully automated lifecycle management and can reduce cost dramatically; have a look at the VCF TCO calculator to see for yourself.

Granted, regional cloud providers do not have economies of scale like public cloud providers, but in terms of volume, many Sovereign Cloud partners have very large cloud estates. For example, OVH Cloud in France builds its own hardware and has hundreds of thousands of workloads running in its environments.

Lastly, specialized infrastructure and talent are where VMware Sovereign Cloud partners excel; this is undoubtedly a good thing. Most VMware Cloud Providers deliver managed services, which require operational skills in many different areas, unlike public cloud vendors, which do not. VMware Cloud Providers, especially Sovereign partners, can help you on your cloud journey, skilled and resourced appropriately to support your business rather than being just an infrastructure endpoint.

Innovation

Sovereign Cloud solutions may have a different level of innovation and feature development than traditional cloud offerings, limiting their ability to keep pace with evolving business needs and technology trends.

VMware doesn’t just mean vSphere. VMware’s portfolio of solutions is extensive in capabilities and supports workloads, apps, containers, and data science solutions. VMware Sovereign Clouds must be innovative; most governments and industry verticals have vital requirements to get ahead of the pack, and innovation is mandated in their cloud.

Thinking about this differently, public clouds, to offer in-jurisdiction residency, must limit their portfolios to only those services that can run resident, separated from their SaaS control planes, and this limits innovation. VMware has always offered disconnected solutions; everything already runs in the region and in jurisdiction, so you automatically gain control of your cloud.

Innovation can be seen in one of two ways: that which is out of the box (SaaS and PaaS) and that which must be built using new infrastructure and services. An out-of-the-box solution, such as an industrialized cloud solution, could be great to get going quickly. Still, it is potentially a considerable concern for compliance and security. Building a solution to meet your needs, by contrast, offers the opportunity to consider compliance and security from the get-go (which should be a best practice). With data compliance, regulation and governance of data privacy and industrialized data still evolving, it is better to innovate and involve all lines of business to build the right solution. VMware Sovereign Cloud providers offer GPU, AI, ML, Kubernetes, app marketplaces, secure app portfolios, integrated pipeline solutions, and much more to ensure your needs to innovate are covered but, most importantly, secure.

Overall, a VMware Sovereign Cloud can provide greater control, security, and flexibility for governments and verticalized organizations that require unique or specialized cloud computing services. Many Sovereign Cloud partners are multi-cloud brokers, promoting the “right cloud for the application” aligned to data classification and security requirements. They can be a one-stop shop for customers who need multiple clouds and hybrid operating models. Get cloud peace of mind and find out more about Sovereign Cloud: https://www.vmware.com/cloud-solutions/sovereign-cloud.html