Return Of The Sovereign Cloud
A decade ago, I completed the first ever assessment of Australia’s emerging “trusted” or private infrastructure-as-a-service (IaaS) market. I followed this up with a 2010 opinion-editorial calling for improved “cloud computing regulation” in Australia as a model for global oversight of a hugely important market segment. How important? The cloud computing market has become as critical to economic prosperity as other general purpose markets, such as power, water, and, of course, money. I’m happy to say that over the past decade, significant progress has been made on two fronts:
- Data security in the cloud became independently assessed. Buyers of cloud computing services now have confidence when it comes to security in the cloud through the application of information security standards such as the US Federal Risk and Authorization Management Program (FedRAMP), launched in 2011, and Australia’s Information Security Registered Assessors Program (IRAP), launched in 2014.
- Data sovereignty was addressed through a network of global data centers. Through the deployment of various onshore regions, cloud computing vendors were able to assure buyers of cloud computing services that access to their data would only occur within the legal framework of the jurisdiction in which the data physically resided.
Data Sovereignty Does Not Equal Cloud Sovereignty
Despite the progress in market oversight, one crucial regulatory feature common to other utility markets remains absent from the cloud computing landscape: a “reserve” or element of direct government participation in or ownership of cloud computing resources for sovereign purposes, such as the reserve bank in financial markets or the universal service obligation legislation found in telecommunications, power, and water.
And like these other industries, use of the system by government agencies is very different from the government itself as an actor within the market whose role is to protect its citizens and national interests. So, in the same way, cloud data sovereignty should not be confused with the need for sovereign cloud capability.
Governments Are Moving Beyond Data Sovereignty
Fast forward to 2020.
As I finalize my evaluation of the upcoming “Forrester Wave™: Public Cloud Infrastructure And Development Platforms For Australia And New Zealand,” I once again find myself reviewing the cloud computing market in a time of uncertainty. The biggest change? Despite the pall of a global pandemic, there is increasing interest in national cybersecurity as the line between military, economic, and diplomatic conflict blurs within a “grey zone.” And the role that cloud computing plays as part of every nation’s critical infrastructure is once again under scrutiny.
In the US, this manifested in the Clarifying Lawful Overseas Use of Data Act or the CLOUD Act (2018), which compels US-based vendors to “disclose the contents of an electronic communication or noncontent records or information pertaining to a customer or subscriber, regardless of whether the communication or record is located within or outside the United States.” Although other governments can, and have, enter into bilateral agreements for the exchange of data under the CLOUD Act, the extension of disclosure requirements to data centers located in other jurisdictions means the issue of cloud sovereignty is now back on the table.
And the US is not alone: Similar legislation has been enacted globally, such as China’s Cyber Security Law (2017) and the UK’s Crime (Overseas Production Orders) Act (2019). The EU’s General Data Protection Regulation (GDPR), often cited as the ultimate in citizen data protection, also contains the ability for access to data under certain situations through Article 49.
In response to the shifting legal positions, the EU has been the first to form an alliance aimed at delivering a sovereign public cloud, while in Australia, the minister for government services has flagged new legislation in which “certain data sets of concern to the public should be declared sovereign data sets and should only be hosted in Australia, in an accredited Australian data centre, across Australian networks and only accessed by the Australian government and our Australian service providers.” National governments are by no means alone either: The New South Wales government also recently signed an agreement with Australian provider Vault Cloud for secure cloud services.
The Cloud Will Continue To Evolve Beyond The Hyperscalers
In our recent report, The New, Unstable Normal: How COVID-19 Will Change Business And Technology Forever, we predict that in the next two to five years the widespread adoption of microservices, serverless computing, and containers will deliver public cloud speed and agility across private and industry-specific cloud environments, threatening hyperscalers’ dominance. These technical innovations, plus the issues inherent in the global trade of foundational IT services, such as cloud computing, will push the public sector to retreat from global providers in key areas sooner rather than later.
Even if our predictions don’t materialize in the near term — much like my claim in 2010 that every country needed a sovereign cloud — this next wave of change in the cloud market will only be a matter of time.