Most IT leaders now accept that running distributed workloads across multiple clouds, on-premises and at the edge is a part of their immediate and long-term future.

They also recognise that this approach will require nuanced decision-making about where data and applications should sit – and the service, operations and tooling to enable and support it.

However, data sovereignty regulations are tightening as data flows freely to power digitalisation.

Organisations must consider this and plan to adapt their infrastructure and operations to how they use and manage data – while complying with laws and regulations that differ from region to region.

In our recent global research study, 91% of business and IT leaders said improving data security and data sovereignty was a likely technical reason for upgrading their IT and network infrastructure. 

So, what do organisations need to know about data sovereignty before they upgrade their infrastructure?

Defining ‘data sovereignty’ can be complex because there isn’t one agreed definition. However, a useful summary is: ‘the extent to which data is subject to the laws of a country, no matter where the data is stored’.

This covers the fact that some countries require that data and cloud services remain off-limits to foreign actors, companies or governments. Many require that employees and companies who manage and monitor cloud resources must also be citizens of the home country and, in some cases, have a level of security vetting.

Some countries require that critical data relating to citizens and governmental processes be stored and processed within their borders. Some prohibit data transfer across borders – even when the origination point and destination are in-country.

At least 75% of all countries have implemented some form of regulation around data sovereignty/localisation¹, so compliance is an increasingly important issue for organisations and their infrastructure. Will organisations have to revert to building standalone clouds for every jurisdiction?

By differentiating their commercial offer, organisations get creative and turn data security on its head – from a problem into a business opportunity.

When infrastructure that can operate efficiently with any data sovereignty and security regulation is built, organisations can meet detailed compliance requirements that are becoming common in procurement processes. Such a proactive approach to sovereign data can boost competitiveness across industry sectors.

Frequently, organisations go on an evolutionary journey from a standard public cloud to a trusted cloud. (A trusted cloud is where the provider ensures compliance with local and international laws when processing individual data). Then, they move to a controlled cloud (where an organisation uses a trusted third-party supplier to manage it).

However, even in a controlled cloud where the data is encrypted, metadata viewed from an administrator console on a public cloud platform could still hold proprietary information, contravening data sovereignty rules.

To protect against this, some organisations adopt a fully standalone sovereign cloud that keeps all data and metadata on sovereign soil and prevents foreign access to data under any circumstance. It provides a trusted environment for storing and processing data that can never be transferred across borders.

This is secure and meets even the most robust data sovereignty requirements. However, it can get expensive since it takes a round-the-clock team to run each area – and once the costs are multiplied across every operating region, the sums involved become astronomical. What’s more, standalone sovereign clouds are unlikely to tap into the global scale and speed of innovation available to public cloud, holding organisations back.

Is it possible to have the best of both worlds – a cost-effective, flexible, innovative cloud infrastructure that can comply with various data sovereignty regulations?

A distributed cloud is an architecture where multiple clouds are used to meet compliance needs and performance requirements – or support edge computing while being centrally managed by a trusted partner working directly with the public cloud provider.

At its core, a distributed cloud service runs in multiple locations – on the provider’s infrastructure, the customer’s data centre or edge, another cloud provider’s data centre, or on third-party or colocated hardware.

To power this solution from a commercially and operationally efficient perspective, IT leaders need to ensure that their network infrastructure provides compatibility with other cloud infrastructures. They must ensure it’s cloud-centric, provides interoperability, and smoothens the path for data exchange in a way that doesn’t lead to excessive egress, bandwidth charges or resource-heavy API integration.

While data sovereignty regulations state that data can’t be moved to a public cloud provider, a managed distributed cloud can be moved to the data effectively. This complies with all governance and regulatory mandates and means data can be processed efficiently with the minimum latency. It’s a win-win.

As organisations face immense changes in data security, privacy and access, their infrastructure must be ready.

To find out what this means for your organisation’s infrastructure development priorities, download our whitepaper, ‘The future of infrastructure and connectivity in a cloud-centric world’.

1. McKinsey & Company (20227) Data localization and new competitive opportunities.