Arxus Blog
Cloud sovereignty puts security and policy requirements at its core

In 2019, the Confidential Computing Consortium was formed by 10 major tech companies including Microsoft, Intel and Google. The consortium brings hardware vendors, cloud providers and software developers together to accelerate the adoption of Trusted Execution Environment technologies and standards. Part of this includes the creation of a sovereign cloud. Philip Van de Vyver works as a Cloud Solutions Architect at Arxus, and explains in this blog why cloud sovereignty may become the standard for businesses in the future. 

Cloud sovereignty currently targets primarily public companies or organisations that want to be more committed to regulation and security. They are looking for a cloud environment that puts security first, and where compliance with security and policy requirements is key, something the public cloud currently cannot provide. By establishing a sovereign cloud, Microsoft can set its own parameters that the cloud must meet, ensuring the optimal level of security.

A first parameter for cloud sovereignty is data residency. Through various policies in Microsoft Azure, you can determine where your data ends up. For public companies in the European Union, it is often agreed that their data cannot leave the EU. But you can go even further as a company. Since 2021, Microsoft has been building 3 data centres in Belgium as part of their Digital AmBEtion plan. So in the future, organisations will also be able to store their data in their own country.  

Many public companies or organisations that have confidential data currently still operate on-premises to ensure that no one can access their data. In the sovereign cloud, all data is encrypted, enabling a transition to the cloud. This also makes the system ideal for organisations that process data centrally without being able to see personally identifiable information (PII) themselves. Consider, for example, banks or medical institutions that often use this kind of confidential data.

Confidential services

On top of the existing set of security and policy requirements you can put in place to achieve a sovereign cloud, you have additional services you can implement to make your applications confidential. Microsoft has launched its own Azure Confidential Services for this purpose. These include an Azure Key Vault Managed HSM, Azure Confidential Ledger and Microsoft Azure Attestation.  

In addition to Azure Confidential Services, you also have Azure Confidential Compute options. These are the classic Virtual Machines (VMs) with memory encryption, integrity and CPU confidentiality, integrity and attestation. For this, a special partnership has been set up with AMD and Intel in Azure. AMD VMs use AMD SEV-SNP, with which you can deliver a fully encrypted machine through hardware encryption. Intel SGX machines can be used to provide "secure enclaves" for application development, where a piece of memory can be secured with hardware encryption.

Furthermore, you also have application development with Trusted Execution Environments (TEEs), where an attestation service says whether an execution environment is trusted or not. This service uses Intel SGX technology and is made available via an "SGX enclave" where 'data in use' is also encrypted. The applications required for this must be written by a third party. For this, we at Arxus can rely on CloudFuel. They focus on app modernisation and development within Microsoft environments. 

Setting up your sovereign cloud

To set up a sovereign cloud for your organisation, you first define the framework within which your organisation can implement a cloud migration efficiently and in a controlled manner. You do that by defining and mandating a set of security and policy requirements, along with a set of confidential components.

So to set up a sovereign cloud for your organisation, an analysis is first made of the requirements that need to be met. Based on that analysis, the landing zone can be worked out. Since every organisation has its own set of requirements, this is a tailor-made project and follows your company's internal governance. Organisations that wish to do so can also have their cloud environment set up by us, or use our managed services afterwards.

Currently, cloud sovereignty is still in its infancy, specifically targeting public companies or organisations that often manage sensitive data. In time, however, the technology is expected to become the standard in business. So smaller companies may also start working this way in the future.  
