Reality and Marketing in the Sovereign Cloud

Building a sovereign cloud is one of the most significant challenges currently facing the public sector. The evolution of international politics, the constant risk of espionage by foreign powers (allied or not), the difficulties arising from ransomware in its multiple forms, and the extraterritorial extension of foreign regulations by the current cloud market leaders make the cloud a strictly internal matter.

Indeed, the issue of the sovereign cloud has been revived in recent times. So much so that one of the major American cloud companies has developed a marketing campaign suggesting that a sovereign cloud can be created in Europe with their support. Overlooking the U.S. CLOUD Act has been a glaring error (deliberate or not) in their campaign. As will be seen throughout this article, it is not just a physical problem, concerning where the machines are, but also a technological and legal one. If this comprehensive approach is not adopted, there will be sovereignty gaps in the system that will make us vulnerable (even to apparent allies).

This is because countries like the United States, Israel, or China extend their jurisdiction to wherever servers are located, whether in Finland, the Caribbean, or Arkansas. The criterion is the nationality of the company or its parent company.

What are we talking about when we refer to the sovereign cloud? Essentially, it is about ensuring the security of the data and computing processes carried out through the cloud, by means of an instrument that guarantees legal integrity. From this perspective, it is a legal approach that affects both elements of the cloud: storage and computing. Without either, we have nothing more than a data cabinet, from which no necessary information can be extracted.

Indeed, storage is necessary, in the sense of safeguarding the data of individuals, companies, and the public sector, where the cloud is nothing more than a hard drive with limited value since the data is merely stored. There is always some computing process, but here it is small. It would be equivalent to the systems we have on our personal devices.

The significant aspect of the cloud is computing; that is, the application of programs that allow us to derive consequences from the data and adopt processes accordingly. A simple example is remote equipment repair, where information about the malfunctioning equipment is transferred to the cloud.

The impact this can have on the Armed Forces, for instance, which have remote missions, is considerable. But it also serves for developing crime prevention policies or, simply, for creating simulations about the impacts of public and private policies in a given territory. To take a widely discussed topic, so-called smart cities are structured through the cloud, and a relevant application through computing would be comparing the pollution of the cloud itself with that of the non-smart city. An analysis which, by the way, is not well-developed.

Needless to say, the battle of artificial intelligence between China and the United States is conducted through the cloud. And, in fact, new emerging poles are appearing, such as Israel, India, Russia, or Abu Dhabi. We truly face a great challenge for the State, especially for the States of the European Union.

One final element must be considered concerning cloud sovereignty. Essentially, it is an issue that affects public administrations and, generally, all public sector entities: not only the State but also autonomous communities, autonomous cities, provincial councils, and municipalities. But we cannot stop there. Sovereignty must also be considered in an economic sense, which opens two distinct fields for us. The first is that of strategic companies, where the cloud affects not only the company but the entire economy. These entities must go beyond a purely economic view of their results and must have the will to contribute to the country, also in data management. The second concerns the company itself: for its product developments and economic evolution, trust in who manages the data should lead it to take a step further and place its servers in a sovereign cloud.

Under these conditions, what must we demand of a cloud to be considered sovereign?

Firstly, that the cloud service provider is from the country that seeks sovereignty. The importance of this lies in the fact that the United States, China, India, or Israel have structured legislation that grants the state in question the power to collect information contained in the servers of these companies, or their subsidiaries, regardless of where the servers are physically located. Moreover, the mirrors that exist between servers make it really complex to isolate the data on a single server.

The above fact eliminates the possibility of outsourcing servers to the large American companies that dominate the Western market. Indeed, when the French state banned the use of Microsoft applications – which includes their data servers – it was precisely due to the security issues related to information and the access foreign powers may have to this data. Allied powers or not, which, in this case, matters little.

Therefore, the first step would be that beyond who has built the machines, the entire management process is carried out by reliable entities, that is, domiciled in the country of origin. I already mentioned at the time that the ideal would be to have a public company dedicated to these cloud activities. A public cloud company.
If a private, technological partner is sought, an exhaustive examination must be conducted to ensure that it meets all primary and secondary nationality requirements.

Secondly, that customer service processes and, in general, all problem-solving processes are not outsourced, and, in particular, are not outsourced to third countries that do not fall within the protection scope of the regulations. It is not only that data protection laws prevent the international transfer of personal data (and, although it may be data from public administrations or companies, there are always personal data involved) but also that it constitutes an essential element for information security.

Thirdly, for certain critical operations, considering the connection between storage and computing, it is necessary to take a step further and ensure that the software used in computing is sovereign. Or at least, for critical processes, maintain control over the source code, its development processes, and software updates. The criticality point should be managed by the cloud owner, in collaboration with national security centers.
In our case, if it affects sensitive national security information, it should be verified by CNPIC, under CNI. But it must be kept in mind that if the storage elements provider is not sovereign and is not legally linked with third countries, controlling software sovereignty is of little use.

Fourthly, the sovereign cloud requires the sovereignty of the organization. This means that the organization, from its management teams and staff down to seemingly minor aspects such as physical and logical access, is configured according to national security requirements and protects sovereignty. In particular, all levels of control over the framework layers must meet these levels of demand.
In this sense, the compliance levels that a company dedicated to the sovereign cloud should have are much higher and stricter than those of a company dedicated to other economic activities.

Fifthly, regulatory sovereignty over the cloud. This regulatory sovereignty does not preclude cooperation relationships, at various levels, with other foreign sovereignty areas, especially regarding security and defense or economic interest organizations. But regulation marks the country’s strategy concerning data.

All of the above is not something that can be managed overnight. It requires a constant, precise, and organized process to ensure data sovereignty, the protection of internal interests, and active participation in a globalized world. In this sense, generating an administrative structure capable of managing it, involving at least the entire public sector at all levels, is essential. Its materialization will set us on the path to being an effective actor in facing the challenges ahead, especially artificial intelligence and its impact on the public sector. Needless to say, the technological gap that Europe currently has compared to China, the United States, India, or Israel is a factor that should generate concern among actors.