New Microsoft Cloud for Sovereignty Helps Government Customers Meet Requirements
Announced at this week's big Inspire partner event, the new Microsoft Cloud for Sovereignty has arrived to help public sector customers meet compliance, security and policy requirements when processing data and workloads in the company's cloud.
Cloud and data sovereignty is an increasingly important concept that especially concerns the government sector, where organizations must adhere to many compliance, security and policy requirements/regulations in their cloud computing initiatives, most prominently around the collection, handling and processing of data.
In helping its public sector/government customers meet those requirements, Microsoft said its new cloud offering will also give them greater control over their data, along with increased transparency into cloud operational and governance processes.
"Governments are obligated to meet specific requirements for varying data classifications including data governance, security controls, privacy of citizens, data residency, sovereign protections and compliant operations following legal regulations like the GDPR (General Data Protection Regulation)," said Microsoft cloud exec Corey Sanders in a July 19 blog post announcing the new cloud offering at the beginning of the Inspire event. He said the solution will combine the Microsoft Cloud for Sovereignty's governance, security, transparency and sovereign technology with strategic partner expertise in order to support the digital transformation efforts of government customers.
The increasing importance of cloud sovereignty was examined in a recent "Cloud Sovereignty: The Road Ahead" report by Capgemini, which pointed to the COVID-19 pandemic as a contributory factor to the sharpened focus:
Sovereignty has gained a new prominence as a result of the pandemic, which has revealed significant vulnerabilities in complex international supply chains and has emphasized the role of critical data such as health. National governments and businesses have not only questioned the security of physical supply chains, but also where exactly their data is stored in the cloud, and what control they have over service capacity and availability in the event of a burst of demand, or in events of security incidents. Concerns around cloud sovereignty -- including data, operational, and technical issues -- are not new and have been gaining impetus over the past few years. However, it is a subject that is now under increasing scrutiny because of rising geopolitical tensions; changing data and privacy laws in different countries; the dominant role of cloud players concentrated in a few regions; and the lessons learned through the pandemic. As a result, governments and organizations are re-evaluating their external exposure and looking for ways to maintain physical and digital control over strategic assets, including data, algorithms, and critical software.
Capgemini said cloud sovereignty comprises three elements: data sovereignty, operational sovereignty and technical sovereignty.
Microsoft, meanwhile, says its cloud for sovereignty provides expertise, governance and transparency, sovereign controls, and data residency.
Data residency, the final item on that list, refers to the physical/geographic location of an organization's data or information. Sanders said data residency policy controls in the new cloud can help customers meet many regulatory requirements and implement policies to ensure that data and applications are contained within their preferred geographic boundaries. Those customers can specify a country or region with the most service deployments that can satisfy industry, national or global security, privacy, and compliance requirements.
A concrete example: "Specifically in Europe, expanding on our data residency commitment, the forthcoming EU Data Boundary will ensure Microsoft not only stores but also processes customer data in the EU and European Free Trade Association."
Sovereign controls will also play a key part, giving customers additional layers to protect and encrypt sensitive data through capabilities across the entire Microsoft Cloud, including infrastructure, platform services and Software-as-a-Service (SaaS) solutions such as Microsoft 365, Dynamics 365 and Power Platform. The new cloud will include a Sovereign Landing Zone to simplify data classification requirements, specifically surrounding the architecture, deployment workflow and provision of intelligent tools to orchestrate operations across various Microsoft security services and policy controls in a streamlined manner.
Another important component of the cloud solution will come from the expertise of Microsoft partners, who the company said would play a key role in enabling customer success and delivering on government requirements.
"Public sector customers worldwide are increasingly looking for customized cloud solutions that offer additional choice, flexibility and control," Sanders said. "With the Microsoft Cloud for Sovereignty, customers will work with in-country partners that have industry and technical experience to help them plan, onboard, govern and operate their cloud environments with capabilities including data residency, confidential computing, document classification and hybrid deployments."
Governance and Transparency
As for the fourth component of the cloud depicted in the graphic above, governance and transparency, the new cloud will expand the Microsoft Government Security Program (GSP) to critical elements of the cloud offering -- initially with key Azure infrastructure components -- in order to increase cloud transparency.
"The GSP provides participants with the confidential security information and resources they need to trust Microsoft's products and services," Sanders said. "GSP participants currently include over 45 countries and international organizations represented by more than 90 agencies. Eligible participants receive controlled access to source code, engage on technical content about Microsoft's products and services, and have access to five globally distributed Transparency Centers. Microsoft Cloud for Sovereignty will also enable audit rights to examine Azure's compliance processes and evidence under non-disclosure agreements and available audit terms."
The Microsoft Cloud for Sovereignty is being rolled out in a private preview across select locations, with more details to come.
About the Author
David Ramel is an editor and writer for Converge360.