Sovereign cloud refers to a cloud structure that’s designed and built to deliver security and data access, while meeting local laws and regulations on data privacy and security.
The standards for a sovereign cloud vary drastically depending on where the cloud servers and data are located. While some countries and states enforce strict data protection laws, others don’t intervene much with how a private entity governs its cloud storage and servers.
Sovereign cloud laws and regulations aim to protect sensitive and private data. They ensure it remains under its owners' control and no one else's. Data protection standards also vary according to the type of data a cloud holds. For instance, financial and medical information are under stricter laws than statistical insights from user activity and traffic.
Cloud sovereignty requires validation on two fronts: the enterprise monitoring their cloud and data storage service, as well as the ability to prove compliance with local data privacy and security laws.
Claims of sovereignty are established with regular assessments of cloud records that log data movement and access permissions in a set period of time. If a cloud fails its sovereignty assessments, its owner may have to pay a penalty and sometimes reimburse users for any damage caused by rogue data.
As data grows into an important asset rather than a trace left online by users, laws and regulations that keep data safe are more important than ever. Cloud and data sovereignty are essential for all organizations — for-profit and non-profit — that collect user data and information.
Determining the beginning of government intervention in the state of cloud and user data is tricky. However, two events in particular in the early 2010s can be seen as what kickstarted the national and international cloud sovereignty laws: the Prism Program incident, where it was revealed that the American NSA was tapping into user data held by large private companies (like Apple and Google) and Microsoft's involvement with the Department of Justice in 2013, where Microsoft went to court to fight an FBI warrant for information held on non-US servers, namely, emails of a target account stored in Ireland.
Both instances shined a light on the importance of having clear laws and standards of what organizations and governments can do with user data. In the US, the Stored Communications Act (SCA) of 1986 regulated the storage and use of data stored through communications and transactional records held by third-party organizations. The act provides statutory privacy protection for customers of network service providers.
The CLOUD Act of 2018
Clarifying Lawful Overseas Use of Data (CLOUD) Act amends the 1986 SCA to include modern communication in an international context. The CLOUD Act allows the US government to demand access to data from the clouds of companies subject to US jurisdiction.
This Act doesn’t only include strictly American business and organization, but also foreign entities that operate within the US or with US-citizen data and information. But to prevent repeating previous privacy-intrusion incidents, the CLOUD Act specifies the need for an ongoing criminal investigation before the US government can demand access to sovereign cloud.
Access and Power
It’s no surprise that data is considered the "oil of the future." Not only is data incredibly valuable, but it also has the power to influence entire markets and a country’s political and economic landscapes. Keeping the cloud controlled and sovereign, while it could stand in the way of companies running analytics and cloud computing on user data, is essential. Without proper laws in place, most personal information could be abused for profit and influence.
Still, instead of repressing data in hopes of keeping its owners safe, there are ways the massive amounts of data stored in the cloud can be incredibly beneficial for future projects and innovation. For one, the International Data Spaces Association that holds over 100 members aims to put sovereign data to use in Internet of Things (IoT) and Artificial Intelligence (AI) projects all over Europe.
Several other cloud sovereignty projects are taking place around the world. Tech companies are collaborating and using Hyperscalers to process their data. One project that aims to maintain the balance between making use of cloud infrastructures whilst maintaining sovereignty is Gaia-X. Gaia-X is working on developing a federation of data infrastructure that’s sovereign, efficient, competitive, yet secure and trustworthy.
0 Comments