We are seeing today’s enterprises face a daunting challenge as they navigate how to best manage the rapidly growing stores of data associated with deploying AI, while also staying ahead of their evolving regulatory environments across the globe. Although this data can be crucial to enabling generative AI – which offers the potential to help businesses stay on top of market trends, meet shifting customer demands, deploy game-changing innovations and more – we believe enterprises must first consider where the data resides, where it is transferred to, and who has control over it.
As enterprises consider existing and emerging data requirements, we have seen the need for data sovereignty grow to become a significant priority across all industries, particularly for those in highly regulated sectors that handle sensitive data such as financial services, healthcare, telco and government. As organizations are tasked with keeping data secured and within certain countries or jurisdictions, adopting a sovereign cloud approach – a cloud operating model designed to help organizations meet their legal, regulatory, and operational requirements in a given jurisdiction – can help. To comply with their data sovereignty requirements, enterprises can look to a computing environment that enables them to keep data secured and to store data in the location of their choice.
Driven by the requirement to comply with such laws, it can be expected that global sovereign cloud spending will rise significantly in the coming years. Whether businesses are looking to meet existing or emerging legislation governing the use of cloud-based data services, we believe the message is clear: governing bodies are looking for enterprises to ensure security and trust are at the center of IT decision-making where data, workloads, and applications reside – and sovereign cloud can help.
General Manager for IBM Cloud Product and Industry Platforms.
Addressing shifting regulations and new demands for reducing risk
Mitigating various types of risk can be considered a key component in building a strong approach to sovereign cloud. Within the past few years, we have seen regulators take a closer look at cloud usage in particular – especially around cloud concentration risk. Because cloud computing regulation and governance varies globally across regions and jurisdictions, it can be challenging for enterprises to track their changing compliance requirements. However, regulations can be viewed as essential for driving secured innovation, as many laws are designed to help assure consumers and enterprises that data is protected at all times.
For example, the U.S. Department of Treasury issued a report last year highlighting considerations financial services organizations can evaluate when working with a cloud provider. It can be viewed that the report points to the importance of adopting a hybrid multicloud approach to enable operational resilience and emphasizes how working with a trusted cloud provider can help enterprises operate in a safe, secure and compliant manner. Building on this, just in the last few weeks, the U.S. Department of Treasury issued another report which is focused on managing artificial intelligence-specific cybersecurity risks in the financial sector. The report mentions that rapid advancements in generative AI have exposed the importance of carefully monitoring data supply chains to ensure that models are using accurate and reliable data, and that privacy and safety are considered. In the report, the U.S. Department of Treasury examines best practices for data supply chain mapping and nutrition labels that have the potential to help identify what data is used to train models, where the data originates from, and how any data submitted to the model is being used.
Coupled with existing laws including the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act, the European Union’s General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA) in the EU and proposed laws such as the European Union Cybersecurity Scheme for Cloud Services (EUCS), we believe these regulations and guidance reinforce the idea of a sovereign cloud approach.
The role of cloud in helping enterprises enable data sovereignty
A sovereign cloud approach can offer businesses the ability to exercise control, make decisions and enforce legal and regulatory obligations related to data, regardless of its physical location. When adopting a sovereign cloud model, businesses can look to cloud providers that offer the flexibility of choosing the country or regions where they want to build and host their workloads to help them address their unique requirements.
In addition to having control over where workloads are located, we believe it is critical for enterprises to also consider how data privacy capabilities can help them keep data secured across environments. Capabilities such as confidential computing, encryption, and key management controls can be crucial parts of a strong sovereign cloud strategy that aims to enable enterprises to meet their data privacy requirements. Confidential computing technology, for example, is designed to isolate sensitive data – which might include personal identifiable information, intellectual property, or healthcare records – helping to make it accessible only to authorized programming codes. Similarly, encryption and key management capabilities can enable enterprises to not only have exclusive control of encryption keys, but also to manage them from once central location, helping them address even the strictest of their security compliance requirements.
As organizations look to cloud providers to deliver capabilities such as confidential computing, we believe it is key to select a provider whose focus is on trust – ensuring not even the cloud provider can access data.
Shared responsibility between cloud providers, regulators, and enterprises
We expect that sovereign cloud will continue to be a focus in the coming years, and that cloud providers will play a key role in helping enterprises meet their data sovereignty requirements, keep data secured and address unique country requirements. However, we firmly believe it’s critical for enterprises to first understand the various pieces that can fall under sovereignty requirements, and then to work closely with a cloud service provider that can help them as they address their regulatory obligations.
This can be viewed as a pivotal moment in technology – one in which all of us including regulators, cloud providers and enterprises – can collaborate and work together to help ensure data remains secured and protected.
We've featured the best collaboration tool.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
