Cloud sovereignty

Sovereignty may take many forms and have different meanings. There is no widely accepted definition and organisations are reflecting on it through multiple perspectives depending on their business and digital context. However, the adoption of public cloud has become prevalent for every organisation as an enabler of agility and innovation, no matter which type of context, industry or region.

The geopolitical context plus global and regional crises are leading organisations to seek resilience and realise cloud value with the right balance of control and innovation. A sovereign partner ecosystem is key to accelerating business transformation without losing the autonomy and control that customers need on their data and applications.

Cloud Sovereignty can be described as the political, business and technological dimensions of data protection and data security, as well as the control of and independence from operations, data, software, infrastructure and communications providers. A sovereign cloud must combine strategy, governance and technical controls to ensure resilience, flexibility, autonomy and compliance with regulatory requirements.

Public and private sector. The importance of cloud sovereignty is not limited to public services but has become a top concern for private industries due to the increasing pressure from industry and regional regulators in the light of recent geopolitical events. Sovereignty mismanagement in highly regulated industries can lead to severe consequences (data breaches, fines, brand reputation).

Public and private organisations need both to maintain control over their operations and assets in the cloud to ensure productivity, resilience, and maintain their competitive advantage within a context of uncertainty.

The driving Trident for Sovereignty. Geopolitics, market and regulation shape the sovereignty requirements of organisations. The sovereignty posture of each one reflects their strategy to address their unique challenges that need to be overcome along the Cloud adoption.

Assessing Sovereignty

In order to evaluate technical cloud sovereignty in organisations, Deloitte has developed a comprehensive framework that covers the entire cloud stack and includes five distinct domains. This framework is applicable to organisations across all industries, including public and private sectors, and can be used to assess an organisation's level of maturity in cloud sovereignty.

Operational sovereignty. Visibility and control over provider operations. Prevent unauthorised access to data through monitoring and controlling IT services, as well as the underlying configuration to deliver and operate securely and effectively cloud services.

Data sovereignty. Ability to maintain control over data, including where and the way it is stored, how it is protected and processed, and who has access to it. Organisations can only achieve full data sovereignty as data owner. Otherwise, they must rely on agreements with third-parties, which limit the degree of such sovereignty.

Software Sovereignty. Ability to operate and orchestrate software or solutions independently from a manufacturer’s product roadmap. This includes maintaining control over the source code, development processes, and software updates, as well as the ability to shift between platform providers.

Infra/Comms Sovereignty. Technological and operational sovereignty over your organisation’s infrastructure including data and software layers as an enabler to have full control over physical and logical access. Utilising open standards for infrastructure and communications maximises adaptability and, resilience and survivability of your IT and organisation to shift between scenarios.

Security – Cross dimension. Overarching controls over the rest of the domains to ensure security is covered in all layers of the framework.