Digital sovereignty guarantees data security in the public cloud
Published on 01/07/2024 in Expert talks
When companies consider migrating to the public cloud, they are sometimes held back by security risks and compliance and governance constraints. Thus the interest in digital sovereignty, Gwénaëlle Hervé, Public & Sovereign Cloud Lead at Proximus NXT, explains.
Security and compliance have, for large companies, become strategic priorities for senior management, business and IT alike. Cyber-attacks of all kinds are on the increase, while European and national authorities are introducing rules and regulations to govern the processing of sensitive data.
"With the emergence of the public cloud, organizations are realizing how fragile data protection is when it's managed by cloud providers that don't fall under European jurisdictions”, Gwénaëlle Hervé, Public & Sovereign Cloud Lead at Proximus NXT, says. That explains the emergence of the concept of digital sovereignty.
The sovereign cloud offers a competitive advantage because it enables you to benefit from all the innovative advantages of the public cloud, including for sensitive data.
Gwénaëlle Hervé, Public & Sovereign Cloud Lead at Proximus NXT.
Three pillars
"Digital sovereignty, also known as cyber-sovereignty, is the application of the principles of sovereignty to information and communication technologies", Gwénaëlle continues.
In practice, digital sovereignty rests on three pillars:
- Firstly, data sovereignty where customers decide who can access their data and who controls the encryption keys. The data is subject to the rules of its home jurisdiction, while the encryption solution prevents the cloud provider from accessing the data.
- Secondly, operational sovereignty where the customer has transparency and control over the cloud provider's operations, knowing that the data is managed locally by local teams.
- Last but not least, technological sovereignty which allows the solution to be disconnected from the cloud provider and the internet network.
Europe’s reaction
"Digital sovereignty is important given that the major cloud providers are all from the US and the US Cloud Act of 2018 allows US intelligence services to access any customer's data by court order. Fortunately, Europe has responded with various data protection shields, such as Schrems II or GDPR, thereby demonstrating the real value of European data and allowing European organizations to protect themselves," Gwénaëlle explains.
What's more, the NIS2 (Network and Information Security) directive, which will come into force in Belgium this year, further strengthens the cybersecurity of companies, which are also required to carry out regular audits and report security incidents promptly.
Other regulations and legislation are also being put in place or proposed, notably concerning digital markets and services and artificial intelligence.
Why do businesses need sovereign clouds?
"Many companies may perceive the current regulatory framework as being restrictive, wondering how to maintain the pace of innovation while meeting security and compliance imperatives. However, the sovereign cloud allows data to be managed and secured by European entities, which guarantees that data will not leave European soil. Secondly, the sovereign cloud is designed in compliance with European directives and that guarantees data governance. Finally, the sovereign cloud offers a strategic competitive advantage, as it enables us to benefit from all the innovative advantages of the public cloud, including for sensitive data", Gwénaëlle insists.
There are three steps to setting up a sovereign cloud:
- Correctly classifying data sensitivity and the definition of sovereignty requirements according to the type of sovereignty chosen.
- Selecting the appropriate sovereign cloud solution according to the level of sensitivity, and implementing pilot projects to ensure that the chosen solution delivers the expected results.
- Making the sovereign cloud operational.
"But only sensitive data requires the use of a sovereign cloud. In fact, non-sensitive data can perfectly well remain in a 'classic' cloud", Gwénaëlle points out.
Proximus as a trusted partner
As ICT partner to major corporations, Proximus NXT is positioning itself as a sovereign cloud pioneer, offering customers various options.
As part of the Microsoft Encrypted Public Cloud solution, Proximus NXT is first in the Benelux with commercially launching the MCfS (Microsoft Cloud for Sovereignty), which has been publicly available since December 2023. Proximus is also the first in Europe to make a ʽdisconnected‛ sovereign cloud available with Clarence since October 2023.
Only sensitive data require the use of a sovereign cloud.
Gwénaëlle Hervé, Public & Sovereign Cloud Lead at Proximus NXT.
More specifically, data is stored in Microsoft's confidential cloud, but with strong encryption at all stages of the data journey (including ‘in use’). Data sovereignty is guaranteed through the use of an encryption key management solution, for which we have chosen to work with our partner Thalès, and the attestation solution from our partner Intel. In October 2023, Proximus and LuxConnect launched a joint venture called ‘Clarence’’, which stands for ‘Clarity’ and ‘Transparency’, and will be the first in Europe to market a disconnected sovereign cloud based on the Google Distributed Cloud Hosted (GDCH) offering.
"Our aim is to enable European organizations to continue innovating in accordance with the highest ethical standards in terms of data protection, confidentiality and regulatory compliance", Gwénaëlle adds.
The sovereign cloud is a fundamental tool
"When talking to our customers, we often see two 'recurring' challenges", Gwénaëlle notes. On the one hand, there is a genuine intent to comply with the principles of digital sovereignty. It's true that there is a growing awareness of the need to protect European data, but the application of these principles of sovereignty must not prevent innovation. In fact, hyperscalers' solutions for protecting data while innovating, such as Google Distributed Cloud Hosted or Microsoft Cloud for Sovereignty, are still relatively recent and still very unknown in the market. The role now of European ICT !ntegrators, in collaboration with technology providers, is therefore to evangelize on available options to companies wishing to operate responsibly and to reassure."
The second challenge is about classifying data correctly. "Which data is sensitive and which is not? What applications should be hosted in a sovereign cloud? Unfortunately, there is currently no European or national regulatory scheme that can help companies classify data and determine the appropriate sovereignty level. ICT partners take on the role of advisors, helping customers to find answers to these essential questions here too", Gwénaëlle concludes.
Proximus NXT drives new sovereignty innovation in the cloud by partnering up with Microsoft, Thales and Intel.
Gwénaëlle Hervé
Gwénaëlle Hervé is Public & Sovereign Cloud Lead at Proximus NXT. She leads a team of product managers responsible for developing innovative cloud services in collaboration with technology partners including Microsoft, Google, Thales and Intel among others. Discover more insights from Gwénaëlle.