In 2019, the Confidential Computing Consortium was formed by 10 major tech companies including Microsoft, Intel and Google. The consortium brings hardware vendors, cloud providers and software developers together to accelerate the adoption of Trusted Execution Environment technologies and standards. Part of this includes the creation of a sovereign cloud. Philip Van de Vyver works as a Cloud Solutions Architect at Arxus, and explains in this blog why cloud sovereignty may become the standard for businesses in the future.
Cloud sovereignty currently targets primarily public companies or organisations that want to be more committed to regulation and security. They are looking for a cloud environment that puts security first, and where compliance with security and policy requirements is key. Something the public cloud currently cannot provide. By establishing a sovereign cloud, Microsoft can set its own parameters that the cloud must meet, ensuring the most optimal level in terms of security.
A first parameter for cloud sovereignty is data residency. Through various policies in Microsoft Azure, you can determine where your data ends up. For public companies in the European Union, it is often agreed that their data cannot leave the EU. But you can go even further as a company. Since 2021, Microsoft has been building 3 data centres in Belgium as part of their Digital AmBEtion plan. So in the future, organisations will also be able to store their data in their own country.
Many public companies or organisations that have confidential data currently still operate on premise to ensure that no one can access their data. In the sovereign cloud, all data is encrypted, enabling a transition to the cloud. This also makes the system ideal for organisations that have central processing of data without being able to see personally identifiable information (PII) themselves. Consider, for example, of banks or medical institutions that often use this kind of confidential data.
On top of the existing set of security and policy requirements you can put in place to achieve a sovereign cloud, you have additional services you can implement to make your applications confidential. Microsoft has launched its own Azure Confidential Services for this purpose. These include an Azure Key Vault Managed HSM, Azure Confidential Ledger and Microsoft Azure Attestation.
In addition to Azure Confidential Services, you also have Azure Confidential Compute options. These are the classic Virtual Machines (VMs) with memory encryption, integrity and CPU confidentiality, integrity and attestation. For this, a special partnership has been set up with AMD and Intel in Azure. AMD VMs use AMD SEV-SNP where you can deliver a fully encrypted machine through hardware encryption. Intel SGX machines can be used to provide "Secure enclaves" for application development, where a piece of memory can be secured with hardware encryption.
Furthermore, you also have application development with Trusted Execution Environments (TEEs), where an attestation service says whether an execution environment is trusted or not. This service uses Intel SGX technology and is made available via an "SGX enclave" where 'data in use' is also encrypted. The applications required for this must be written by a third party. For this, we at Arxus can rely on CloudFuel. They focus on app modernisation and development within Microsoft environments.
To set up a sovereign cloud for your organisation, you first define the framework within which your organisation can implement a cloud migration efficiently and in a controlled manner. You do that by defining and mandating, along with a set of confidential components, a set of security and policy requirements.
So to set up a sovereign cloud for your organisation, an analysis is first made with the requirements that need to be met. Based on that analysis, the landing zone can be worked out. Since every organisation has its own set of requirements, this is a tailor-made project and follows your company's internal governance. Organisations that wish to do so can further have their cloud environment set up by us, or use our managed services afterwards.
Currently, cloud sovereignty is still in its infancy, specifically targeting public companies or organisations that often manage sensitive data. In time, however, the technology is expected to become the standard in business. So smaller companies may also start working this way in the future.
Still have questions about cloud sovereignty, or want to get started with it yourself?