One of the words I have been hearing and seeing more and more is digital sovereignty or sovereign cloud. It was also buzzing (not as much as AI) around Gartner IT/Xpo in November last year. And that is not only because I have been working on this concept for a few months (there is a human bias that when you are interested in for example a new car, you start to notice that model more frequently).
There are a number of good reasons why you might have heard more about it. In this post, I’m reflecting on what I’ve learned and sharing my view on the terms and what’s going on.
What is sovereignty?
First of all, the term sovereignty is something not common in IT. Oxford’s reference defines it as:
“A supreme authority over a political body, usually the territory of a state and its resident population. Sovereignty is a legal and political concept.”
That doesn’t help much (yet): how does a territory or legal concept apply to IT? Well, the Oxford dictionary has a shorter but quite succinct explanation: “supreme power or authority”.
That helps more. So Digital Sovereignty means supreme power or authority over digital stuff, like having the supreme authority or power (control) over the data you own.
That makes sense. As anyone has some digital data, you want to have supreme control over it. In other words, you and only you decide what happens with the data (obviously within the limits of the laws where you live, which is an important cause for digital sovereignty).
What is cloud?
Cloud is another ballgame. So many things have already been written about cloud and what cloud is, that getting a clean definition might be difficult. But to be honest, the definition that NIST introduced in 2011 is one that I like:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models”
This is of course a very formal definition, but what it means is that Cloud isn’t a technology, it is a model, or actually it is a model to deliver IT technology as a service, on-demand. So every flavour of cloud or term just means that it is a service where you can get IT functionality on demand.
And that makes sense. Even today, 2025, this definition is still valid, with all the 5000+ services the big cloud providers deliver, or the many Software-as-a-Service solutions that are out there.
Definition of Sovereign cloud
So the definition of Sovereign Cloud is the service model or concept where you as a consumer of a cloud service have full authority and control of those services. Now that is nifty. And that is exactly why this term is booming. I will give a few reasons that are the drivers behind this term.
- The first reason might not seem obvious, but as the world is changing, the rules & regulations of each country or economic area are changing. An app might be available in one country but must be blocked in another. The use of metadata could be allowed in one country but prohibited (judges have made rulings) in another. In other words, companies operating worldwide (like Uber, Netflix, Booking.com, etc.) need to comply with local rules. And that means that even though their application is provided worldwide, the way the data is handled is governed by local law, and they must show the local authorities that they are compliant with those rules.
- Another reason is that concerns about privacy and how data is misused (several examples like LinkedIn, Meta, and X that used data and private messages without consent) result in a need to have more control over what happens with the data you place on, let’s say, a cloud provider.
- Security is another reason; data leaks are never good publicity. Companies want to know what happens with the data they store somewhere and want more control over the security and safety of that data. Losing intellectual property is not something a company wants.
- Last but not least, geopolitical tension over the past years has resulted in big organizations seeing risks in what is happening in the political world. They see a risk that data might be of interest to a government and that data might be handed over without the company’s consent (or with consent only afterward).
In summary, there is a need to have complete control over the data and information stored and used in the many cloud services provided worldwide.
The question is how that control can be organized and guaranteed, because sovereign means ultimate control, and not just a bit. Several models are out there that provide a first glimpse of the model to come. I will add my two cents to the discussion.
Generic Cloud Model
There are several models out there, but they all seem to have a common set of concepts. Let’s start with how a cloud service actually works. I’ve taken IaaS as an example, but in general the building blocks are similar.

When you move through the model from the bottom to the top, several components are identified.
Shared IT Components
In this model, the cloud provider owns (or controls) all the IT technology components and provides services on top of that. It is the bottom layer with all the equipment like servers, network infrastructure, storage boxes and of course firewalls. It is the foundation of the model.
Cloud Control Software
The available services are defined, orchestrated and managed via Cloud Control Software. That software provisions, removes, and runs the consumed services on the hardware, with of course appropriate isolation and analytics (it looks a lot like Intent Based Networking).
Service Layer
On top of the cloud control software there is a service abstraction layer. That is the layer where the consumer can request, configure and destroy services for their environment. The service layer is your customer portal, often with API functionality for automation.
Customer
The customer block is an area of reservation (often logical, but sometimes including physical) of resources from the Shared IT Components. It allows running environments of different customers side by side without interference. This is often called a tenant, like a tenant who rents an apartment in a building.
Customer Consumed IT Components
These are all the resources or services consumed by the customer from the provider; it consists of data (information is always stored), compute, networking, security and other infra services that the provider provides.
Workloads
Customers define workloads within their isolated environment. Workloads are comprised of a specific mix of the consumed IT components, with specifications, including options, flavors and the pricing from the provider. Workloads can be an application, a desktop, a website, or a data reporting environment, or something else.
Users/Teams
In the model there are a few types of users or teams too.
Enduser
The enduser consumes the provided workloads. This could be internal users of the customer, but also the customers of the customer, and so on.
Customer IT
The Customer IT team is responsible for running & operating the customer workloads. It could have its own development teams, but not necessarily.
Provider Ops
Provider Ops is the team within the provider that runs the IT platform; they make sure all equipment is available and that the cloud control software and service layer are running with the latest version and are secure.
Provider Build
The build team is the one building the cloud control software and service layer software for the provider. They don’t manage it, but they make the software necessary to run platforms.
Sovereign Cloud model
This generic cloud model is important to know and understand because it helps in answering the question of what a sovereign cloud model is. Because sovereignty is about control/authority, the key question is where control can be applied in the above model. The consensus is that there are three levels (or types) of sovereign cloud.

Level 1: Data-sovereignty
The first level is data-sovereignty. It means that the customer exerts complete control over the data that is stored at the cloud provider. This is often achieved by introducing encryption of the data, where the customer provides the keys to the provider which are used to encrypt. This can be done digitally (but that is dangerous), but key management hardware can also be placed physically at the cloud provider.
The result of level 1 is that all data can only be decrypted by those that have the keys, which is the customer. Nobody else has access to the decrypted data.
That seems good, but there are techniques available where it is possible to get to the decrypted data in-memory, or do a brute-force to try to decrypt the data. So the control is not complete.
But it could be enough, based on your identified risks and mitigations.
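One common way to build Level 1 is envelope encryption, shown here as an added example (not code from this post or from any provider): the provider encrypts with a per-object data key and stores that key only in wrapped form, while the wrapping key stays with the customer. The names `createCustomerKms`, `providerStore`, `providerLoad` and `readable` are hypothetical, and the in-process KMS object is an assumed stand-in for customer-held key hardware.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM helpers. Sealed layout: 12-byte nonce | 16-byte tag | ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function open(key, sealed) {
  if (sealed.length < 28) throw new Error('sealed value too short');
  const decipher = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  // final() throws if the key is wrong or the data was modified.
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Customer-controlled key service (hypothetical stand-in for a KMS or HSM).
// The key-encryption key (KEK) never leaves this closure.
function createCustomerKms() {
  let kek = randomBytes(32);
  const need = () => { if (!kek) throw new Error('key revoked by customer'); return kek; };
  return {
    wrap: (dek) => seal(need(), dek),
    unwrap: (wrapped) => open(need(), wrapped),
    revoke: () => { if (kek) kek.fill(0); kek = null; },
  };
}

// Provider side: encrypt with a fresh data key (DEK); persist only the
// ciphertext and the DEK wrapped by the customer's KMS.
function providerStore(kms, data) {
  const dek = randomBytes(32);
  const record = { wrappedDek: kms.wrap(dek), ciphertext: seal(dek, data) };
  dek.fill(0); // best effort: DEK and plaintext still passed through provider memory
  return record;
}

// Provider side: every read needs the customer's KMS to unwrap the DEK.
function providerLoad(kms, record) {
  const dek = kms.unwrap(record.wrappedDek);
  try { return open(dek, record.ciphertext); } finally { dek.fill(0); }
}

// True if the stored record can be decrypted with the help of the given KMS.
function readable(kms, record) {
  try { providerLoad(kms, record); return true; } catch { return false; }
}
```

After `revoke()`, everything the provider still holds at rest is undecryptable, while the comment in `providerStore` marks the window in which key and plaintext are present in provider memory.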
Level 2: Location / technology sovereignty
The next level in sovereignty is location. Instead of relying on the datacenters of the provider, the customer places their own equipment in a physical datacenter in the country where the customer wants to reside. It means the customer has control not only over the data, but also over which type of hardware (e.g. technology) is used. Literally a piece of the cloud provider’s platform is installed at a secure location and the customer’s workloads are running from that environment.
This is a higher level of control, as the customer is now responsible for the IT hardware. The customer will have a field team that is responsible for managing and updating the physical hardware.
Level 3: Operational sovereignty
The next level of sovereignty is Operational sovereignty. At this level, the cloud control software running on the customer’s location is no longer operated and managed by the staff of the provider; it is managed and operated by a team of the customer. In other words, the customer becomes responsible for running, maintaining and updating the software.
The control is higher because now all staff, including those that run the cloud control software, need to comply with local regulations too. And if the cloud provider stops in a country, the current version of the cloud software can still be run.
Level 4: Run your own
To be honest, this level is very theoretical. It is possible to build and manage your own stack, but that will take a lot of effort, time and a dedicated team. That costs a lot of money & resources and is not a viable setup. But at this level, the customer is becoming the cloud provider itself, and has everything under their own control. You could argue that could include hardware too, but as I said, this is a theoretical and not realistic level.
The models I’ve seen so far are all reflecting these levels in one or the other way. Several cloud providers provide one or two sovereign cloud solutions that find their way into these levels. In the coming months I will be researching what options there are. And if I can, I will try to share my insights about that too.
My take
At Gartner IT/Xpo it was mentioned (and it is in a document that I cannot share) that sovereign cloud is within the hype cycle in the innovation trigger. In other words, the concept isn’t clear yet, but you do see many companies and organizations claim that they provide sovereign cloud in one way or the other. Marketing will be taking over the concept until it moves past the “trough of disillusionment” and becomes a stable and clear concept (it’s not a technology).
And as there is no consensus, be aware of overselling, and ask good in-depth questions on how they can guarantee you having all the controls, and validate their answers when talking with these providers. And of course do a proper risk analysis to really check if the offer is clear and in line with what you need.
2 Responses
Interesting piece, Pieter.
Can I have a meeting with you about this topic?
Hello Harm,
Of course! Let’s either meet up at CiscoLive next week (I will be in the area from Monday till Wednesday), or otherwise afterwards.