By Michael Brown, VP Analyst at Gartner
Governments are becoming increasingly aware of and concerned about their dependence on foreign cloud infrastructure providers. Reasons for this are tighter privacy and data protection regulations, potential intergovernmental overreach, and populist-driven renationalization of trade markets and business.
Globally, many countries are pursuing sovereign cloud goals to limit the exposure of their data and infrastructure to external actors and foreign governments. Gartner predicts that by 2026, cloud service providers (CSPs) in more than 50 countries will be involved in domestic sovereign cloud initiatives, a significant increase compared to 2022.
Sovereign cloud is the provision of cloud services — within a jurisdiction meeting data residency requirements and operational autonomy — that ensures that data and infrastructure are free from control by external actors and protected from foreign government access.
Rising Popularity of Sovereign Cloud
Policymakers are keen to restate the supremacy of national law governing the use and protection of data. This has resulted in demands for sovereign cloud services, stipulating greater control over data sovereignty, data residency and, where possible, digital sovereignty. A factor for some governments is unease over the potential impact of the U.S. CLOUD Act and its potential conflict with national legislation. Furthermore, the desire to ensure sovereignty also reflects the increased privacy legislation that many governments have enacted or are considering.
Data residency has also become strategically important to many countries that fear being isolated from other countries and vendors supplying services, perhaps by the severing of subsea cable infrastructure. Having data and services in-country, mitigates the nonavailability risk.
Cloud Sovereignty Implications and the Role of Government CIOs
It must be recognized that in achieving a sovereign cloud solution, overall functionality (including security functionality) may well be compromised. It is important to remember that sovereignty does not automatically equate to greater security if, for instance, the capabilities and technologies used in delivering a sovereign solution are not as sophisticated as those available elsewhere.
The pursuit of sovereign clouds is leading to a fragmented and confusing market. Vendors attempt to keep pace with shifting demand signals and increasing use of value-laden terms such as ‘trusted’. In response, new partnerships are expected to be formed between nondomestic cloud providers and local (in-country) technology providers. However, the arrangements are complex to enact, and the first of such actual services likely to be offered by these partnerships will be available in 2024.
Governments apply legislative mandates to limit the ability of nondomestic vendor services to be used. These are impacting buying and investment decisions, with delays to modernization plans occurring as government agencies await the response from the hyperscale partnerships with the anticipation that, at some near point, they can have access to the desired capabilities.
Overall, government CIOs who want to be involved in sovereign domestic cloud initiatives will first need to evaluate their business functionality and compliance needs of sovereignty and compare them to government community cloud services, hyperscalers’ offerings, and their local cloud service providers’ offerings. The CIOs also need to monitor how hyperscalers are addressing evolving government requirements as well as determine if they have access to sufficient levels of talent to adequately resource open-source-driven initiatives. Gartner analysts will further discuss this topic during Gartner IT Symposium/Xpo, the world’s most important conference for CIOs and other IT executives.