Continuing with current cloud adoption plans is a risky strategy because the challenges of managing and securing sensitive data are growing. Businesses cannot afford to maintain this status quo amid rising sovereignty concerns.

Some 90% of organisations in Europe and 88% in the Middle East, Turkey, and Africa (META) now use cloud technology, which is a keystone for digital transformation – according to an IDC InfoBrief, sponsored by VMware. As it becomes a dominant IT operating model, critical data is finding its way into the cloud. Almost 50% of European companies are putting classified data in the public cloud.

While private on-prem cloud remains an organisation’s primary cloud environment for storing high-sensitivity data, 23% of those surveyed chose public cloud for this data class. Some 32% of companies use global public cloud providers to store confidential data.

Rising volumes of sensitive data in public cloud make sovereignty an imperative

Organisations are starting to value strategic autonomy to ensure resilience amid growing geopolitical and economic uncertainties. Digital sovereignty starts with data sovereignty, which forms the legal basis for organisations to ensure regulatory compliance. Data sovereignty is about making sure that data is subject to the laws and governance structures of the country it belongs to. With a large amount of sensitive data now hosted in cloud, sovereignty should influence an organisation’s future cloud strategy. This is becoming a priority as sensitive data volumes are growing exponentially.

The importance of sovereignty for EMEA organisations

The only option for customers to get sovereign cloud security is to engage with cloud providers which are well positioned in local markets.

Drivers for considering sovereignty:

Relevance of data sovereignty cited as “very important” or “extremely important” by 88% of very large organisations (5,000 FTEs) and 63% of all EMEA organisations.

In Europe, organisations are driven by the need for continuous compliance, regulations, and legal obligations.

In META, organisations are driven by the introduction of internal/corporate policies.

Business drivers for data sovereignty:

Customer expectations about privacy and confidentiality

Need to protect future investments in data

Continued macroeconomic volatility, ambiguity, and uncertainties are heightening interest in sovereign solutions

Protection against future EU ruling that could impact your business

How VMware can help

Sovereign Cloud is all about choice and control. VMware’s offering addresses the strategic imperatives for data sovereignty on data security, protection, residency, interoperability, and portability: 

Leveraging the VMware Multicloud Foundation 

Innovating on sovereign capabilities (Tanzu, Aria, open ecosystem solutions) 

Leveraging a broad ecosystem of sovereign cloud providers 

VMware is well recognised on trust and on several capabilities for data sovereignty needs: flexibility and choice, data security and privacy, control of data access, multicloud, and data residency. It is already deployed with more than 20 Sovereign Cloud Providers.

Laurent Allard, Head of Sovereign Cloud, VMware, says: “To ensure success in their sovereign journey, organisations must work with partners they trust and that are capable of hosting authentic and autonomous sovereign cloud platforms. VMware Cloud Providers recognised within the VMware Sovereign Cloud initiative commit to designing and operating cloud solutions based on modern, software defined architectures that embody key principles and best practices for data sovereignty. More than 36 global and 14 EU VMware Sovereign Cloud Partners can deliver to customers cloud services in alignment with security and local regulations, while enabling sovereign innovation.”


Cloud Management, Cloud Security, Data Management, Data Privacy

More countries are adopting laws designed to protect the privacy of citizens and local entities by defining how data can be securely collected, stored, and used. Many organisations are re-evaluating how to comply with the changing geo-political landscape and privacy/security regulations, which requires defining some relevant concepts:

Digital sovereignty – the ability to have full control over your own digital destiny – the data, hardware, and software that you rely on and create… in other words, individuals owning their own data and controlling its use.

Data residency – the physical and geographic location where data and meta-data is stored and processed.

Data sovereignty – data is subject to the privacy laws and governance structures within the nation or jurisdiction where data is collected, stored, processed, and used.

Jurisdiction – a legal authority over data centers and clouds aligned to national standards and supported by national government.

Data sovereignty laws are designed to protect the personal data of citizens or residents by controlling who can potentially have access. This keeps any sensitive data out of the hands of other countries and jurisdictions.

For example, the New York Times reports an executive order is in progress that is meant to prevent countries like China from gaining access to US data. Two other countries require that data on their citizens remain only within national borders.

To ensure data sovereignty, rules may require that all related data, such as metadata, also resides locally. But location of data alone isn’t enough to ensure that data is only subject to the local legal jurisdiction. Enterprises, especially those operating outside of the US in the EU and other regions, are extremely concerned about the authority of the US Cloud Act. The 2018 US Cloud Act allows US federal law enforcement to compel US-based technology companies to provide requested data stored on company servers, regardless of whether the data is stored in the US or on foreign soil.

That means complying with data sovereignty laws while using a US-based public cloud provider for sensitive data might not be possible or suitable to comply with local jurisdictional requirements. The Centre for European Policy Studies (CEPS) estimated that 92% of the Western world’s data is currently stored in the US and over 100 countries now have data sovereignty laws.

The European Union’s General Data Protection Regulation (GDPR) has inspired similar regulations in other jurisdictions. GDPR requires all businesses who operate in or have customers in the EU to change how they collect, handle, and store personal data.

With the ever-changing landscape of data protection laws, the increased risk of data breaches, and evolving attack vectors, there is growing concern about sensitive national, corporate, and personal data being subject to the control of foreign authorities and companies.

Organisations that run afoul of these laws risk fines or lawsuits. As of May 2022, over 900 fines have been issued for GDPR violations, the largest of which topped $877m (€746m). The penalty for noncompliance can be steep, with fines of up to €20m (or 4% of worldwide turnover from the prior financial year).

Alongside protecting the way in which personal data is secured and used, many data sovereignty laws also restrict where data can go. For example, lawmakers in India are debating what types of citizen data are allowed to leave the country’s borders. This has caused issues for some multi-national companies who are unable to transmit data outside of a local jurisdiction. It can also impact international trade if data-sharing treaties between countries aren’t negotiated.

The effort to protect data as a new strategic asset is creating a clear need for sovereign clouds to secure and use data sensibly.

Customers want all the benefits of cloud but also need to meet the rapidly growing and changing data privacy laws while organisations need to protect data in the cloud against evolving cyberattacks.

As these laws impact business operations, organisations are seeking better ways to comply with data sovereignty laws and mitigate compliance risks. They need a way to store and process data locally and securely using a platform that is free from outside interference.

As a result of all this, the need for carefully architected sovereign clouds has gone mainstream and VMware is powerfully positioned to expand its multi-cloud strategy with VMware Sovereign Cloud.

The benefits of VMware Sovereign Cloud

A common benefit of sovereign clouds for cloud providers and customers is compliance. Cloud providers can obtain compliance with local regulations and their appropriate jurisdiction through the construction of sovereign clouds. Customers gain the assurance their privacy is maintained, and their data is stored, secured, and protected in their specific jurisdiction, by a partner with oversight and expertise in local laws and regulations.

Sovereign cloud providers can also accelerate local business growth by securely expanding into government data and developing a national capability for digital infrastructure and resilience. As the data economy becomes a vital national interest, sovereign states need a digital capability that prevents them from becoming dependent on foreign powers and operators for processing their own data.

VMware Sovereign Cloud providers can help customers fully unlock the true value of protecting their national, corporate, and personal data by ensuring:

ALL data (customer data and meta data) remains on sovereign soil

Compliance with established and constantly changing privacy laws

Autonomy with digital suppliers to guarantee continuity of digital services

All customer information is being managed appropriately with prevention from foreign access

VMware Sovereign Cloud providers offer a cloud service that is designed specifically to meet data sovereignty requirements. It provides flexibility and scale for data storage and processing while complying with residency and sovereignty requirements.

Find out more with the Sovereign Cloud Solution Brief or locate a VMware Sovereign Cloud provider today.


The IT industry has recently seen some interesting activity from global hyperscale cloud providers surrounding their cloud sovereignty ambitions, and their scrutiny by the regulators covering some basic compliance requirements, like the European Union’s (EU) General Data Protection Regulation (GDPR).

Firstly, AWS made a public pledge called the “AWS Digital Sovereignty Pledge”, consisting of a commitment to provide “the most advanced set of sovereignty controls and features available in the cloud”. After Google’s cooperation with T-Systems and the “Delos” offer from Microsoft, SAP, and Arvato, AWS now follows suit. These initiatives reinforce the growing potential of sovereign cloud services in a world increasingly dominated by questions of cloud choice and control, and complex compliance requirements.

So, what does a pledge mean? The dictionary defines this as a “solemn promise” – which would reasonably beg the question: isn’t this an admission there is little sovereignty in the offering today? Otherwise, why would it be a pledge? A pledge is forward-looking, something that has not been performed or delivered yet. Also, shouldn’t an announcement like this ideally be backed up with a roadmap? Where is the guarantee that items in this pledge will be fulfilled? Instead, AWS mentions what the pledge will generally cover: control over the location of your data, verifiable control over data access, the ability to encrypt everything everywhere, and the resilience of their cloud. The pledge sounds excellent, but does it meet the minimum standards of most data sovereignty requirements worldwide? It appears, from the general language, that none of it addresses the critical concerns around hyperscale usage, jurisdictional control, legal rights to access the data, and complying with sovereign data requirements that require protection from the US Cloud Act or Section 702 of the US Foreign Intelligence Surveillance Act (FISA).

Secondly, Microsoft has run aground in Germany with Office 365 reportedly not complying with GDPR. GDPR is 4+ years old and is a huge issue that most companies have joined in the rush not to be penalised by the EU. With Germany’s federal and state data protection authorities (DSK) raising concerns about the compatibility of 365 with data protection laws in Germany and the wider EU, it makes you wonder how other companies may also be falling short in their obligations to protect EU customers’ data.

Also, how many other regulatory requirements (such as data sovereignty requirements) that global public cloud providers believe they comply with are prone to be scrutinised by the regulators? This news, of course, is food for thought. Microsoft has denied that this is correct and issued a statement asking for more clarification regarding the view that DSK has. IT executives should therefore take this news as a noteworthy case study to fuel the decisions of their cloud choice, as regulatory requirements concerning data sovereignty are much more complex and niche to comply with than GDPR.

All these issues and many more are putting US and global hyperscale cloud providers in a precarious position when operating a sovereign cloud or other regulated cloud solution, in jurisdictions such as the EU, where they must adhere to the EU’s GDPR and US legislation. Indeed, it puts the EU in a precarious position as well, given that 72% of the European cloud market spend was aligned with AWS, Microsoft, and Google in Q2 2022.

The EU wants a fair market and a protected European cloud without compromising cloud functionality. However, continued investment by customers in US hyperscale and continual investment in the region of $4bn in US hyperscale organisations into expansion means that no European cloud company will ever seriously challenge this market today. The EU certainly has a quandary: on the one hand, enforcing sovereignty would mean no foreign clouds could be used, which would severely damage the EU cloud market; and on the other hand, how to legislate enough to maintain a level of sovereignty that doesn’t exclude foreign providers with some level of external jurisdictional control? It seems that for the foreseeable future, there will be little answer to this quandary. The most prudent approach to compliance appears to be a national, purpose-built sovereign cloud, using external clouds when your data classification meets the needs of unregulated or non-sovereign environments – this seems to be cloud smart!

European cloud providers tend to be more specialised in their services, with nearly all providing managed services, something not found directly in the major US hyperscale cloud provider offerings. I believe this is a good thing. VMware has consistently stated that the future of a well-run cloud-smart IT strategy is multi-cloud and hybrid cloud and that being cloud-smart means we cannot ignore hyperscale offerings. We need them, especially as there are significant innovations and market-leading scalability in these clouds.

This is where VMware’s strategy is unique: VMware encourages multi-cloud and helps organisations maintain a cloud strategy that avoids lock-in and maintains quality and security while monitoring performance. The VMware Sovereign Cloud initiative provides national and local cloud provider partners the capability to build purpose-built sovereign clouds, including ones that deliver locally specific requirements in areas such as data sovereignty, including data residency and jurisdictional control, data access and integrity, data security and compliance, data independence and mobility, and data innovation and analytics.

The common misunderstanding when considering using a global hyperscale cloud provider as an option for workloads requiring data sovereignty is that there is compliance because the portfolio, data and applications will be limited to only what can be run in a region. This still doesn’t make it sovereign – it is simply a farce. To be clear, physical location (or data residency), while necessary for data sovereignty, does not constitute data sovereignty entirely for almost if not all data sovereignty requirements around the globe.

Data sovereignty requirements are unique to each jurisdiction, but all have many more needs than simple data residency. For example, they all also require jurisdictional control – which cannot be assumed to be met with a data resident cloud, particularly for US or global cloud providers subject to the Cloud Act and FISA ruling. It’s therefore essential to recognise that VMware sovereign cloud providers are independent third-party partners across the globe who also manage extensive portfolios of cloud capabilities based on VMware solutions and ecosystem vendors, with the tools and competitive advantage (under the current regulatory climate) to be able to provide the highest levels of compliance comfort with data sovereignty requirements and/or other regulations such as GDPR.


So, what is the answer here? VMware’s position has not changed; the usage of “trusted” hyperscale clouds denotes a level of trust whereby data that should be placed in a hyperscale cloud is not top secret or restricted, can be protected (using encryption, bring your own key, confidential computing, or privacy-enhancing compute (PEC)) and should be public – i.e., only low-risk data should be placed in any hyperscale cloud, whether trusted or native. Whilst the hyperscale clouds continue to battle to achieve sovereign status in Europe, customers across the globe should not wait any longer for a magical one-size-fits-all solution or ever trust that their due diligence of regulatory requirements can be delegated to any vendor. Instead, consider a strategy that utilises the best of all multi-cloud solutions and establishes cloud choices based on data classification, data operations, and risk.


As the diagram shows, there is increased risk associated with non-sovereign cloud solutions, as jurisdictional control is negated in a trusted or hyperscale public cloud. The volume of data applicable to non-sovereign services that should be considered may be lower when you have conducted a thorough data classification exercise. Remember that a sovereign cloud provider delivers services suited to your vertical, whether government, public sector, financial, or many other verticals, and managed services to help you with your cloud adoption strategy. Some also innovate solutions for secure data exchange to enable monetising your data, a critical component in the growing data market. In addition, VMware Sovereign Cloud Providers may be best suited to support you in managing locally tailored privacy, classifications, and risk analysis, ensuring compliance with the most stringent of standards. As data pertains to personal and non-personal data (think industrial and IoT), a classification exercise will help you understand your risks and how to protect them in alignment with regulatory requirements and mitigate future threats from new data classification standards that are indeed to come.
 
As data markets evolve and data exchange for supply chain and monetisation become a critical component of how we do business, it is essential that the right strategy is decided at day 0 and that the limitations of a cloud choice do not compromise the principles of sovereignty you encompass. Additionally, ensure that the cloud provider you select has the right technology capabilities, security infrastructure, and data governance processes to protect your data, meet compliance standards, and provide a secure platform for your business.

Find your closest VMware Sovereign Cloud provider today


As recently spotlighted at VMware Explore US, Sovereign Cloud continues to gain momentum. The total addressable market (TAM) for the Sovereign Cloud business is estimated to be $60bn by 2025, in no small part due to the rapid increase of data privacy laws (currently 145 countries have data privacy laws) and the complexity of compliance in highly regulated industries.

As the need to monetise data grows and nations seek to realise the true value of data, VMware is delivering on our sovereign cloud position: sovereign security, sovereign compliance, sovereign control, sovereign autonomy, and sovereign innovation.

Previously, we looked at what data sovereignty is and how it impacts business operations when it comes to personal, sensitive or classified data. Now let’s look at how an organisation can better comply with data sovereignty laws by choosing the right cloud architecture.

Most businesses have moved to cloud computing for at least some of their data. Cloud provides greater flexibility, scale, and computational power than traditional on-premises data centres. While public clouds are popular for their high capacity and low costs, some organisations have started moving data out of them to comply with regulations. Some 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds.

Some have moved data back on-premises, whereas others are using a mix of public and private clouds. Ultimately, protecting and realising national data has never been a more important factor in building a cloud. This stems from the combination of increasing country regulations, such as compliance with the US Cloud Act, the EU’s GDPR, and China’s Personal Information Protection Law. With data privacy laws in 132 countries and an annual increase of ~10%, choosing the right data sovereignty solution has become a hot topic.

To better understand why a business may choose one cloud model over another, let’s look at the common types of cloud architectures:

Public – on-demand computing services and infrastructure managed by a third-party provider and shared with multiple organisations using the public internet. Public clouds are usually multi-tenant, meaning multiple customers share the same server, although it’s partitioned to prevent unauthorised access. Public clouds offer large scale at low cost.

Private – infrastructure is dedicated to a single user organisation. A private cloud can be hosted either in an organisation’s own data centre, at a third-party facility, or via a private cloud provider. Private clouds are generally more secure than public due to limited access and can meet regulatory requirements such as data privacy and sovereignty. However, they require more resources to set up and maintain.

Community – shared cloud that is integrated to connect multiple organisations or employees for collaboration. This can be multiple private clouds connected together to facilitate the exchange of data. These are frequently used by regulated industries where public clouds are not compliant, but they are complicated to set up due to having multiple groups involved.

Government – a type of private or community cloud designed specifically for government bodies to maintain sovereignty and control.

Multi-cloud – using multiple public clouds to take advantage of different features. An organisation may host some services in one cloud and others with a different provider. This model has the highest level of security risk due to the volume of data and access.

Hybrid – a mix of public and private clouds. The term is sometimes also used to refer to a mix of public cloud and on-premises private data centres.

While public clouds are suitable for public information that isn’t subject to data sovereignty laws, a hybrid or other more private solution is needed for overall compliance. Private clouds can meet data sovereignty requirements, but they need dedicated data centres, operated either by the organisation itself or via a provider using dedicated hardware. This can be expensive and time-consuming. The quickest or off-the-shelf solution may not include the level of security or compliance necessary to be sovereign. Key factors to consider include jurisdictional control, local oversight, data portability, and customisability, to name a few.

Sovereign cloud is an option designed specifically to meet data sovereignty requirements. Think of this as a semi-private cloud, combining some of the best features of public and private. They are operated by experienced cloud providers that are smaller, local, multi-tenant operations. A sovereign cloud provides the data sovereignty benefits of a private cloud without the IT headaches.

Sovereign cloud can be used in conjunction with public cloud as part of a hybrid cloud architecture. Data and services subject to data sovereignty laws would live in the sovereign cloud while non-sensitive data and services might live in the public cloud. The exchange of data between these clouds must be carefully controlled to ensure compliance.

When it comes to finding a sovereign cloud provider, customisability, flexibility and frictionless implementation are critical. You need to be able to audit operations and access to make sure compliance is maintained. Local, self-attested sovereign cloud providers can implement and build to residency requirements correctly so that data residency and sovereignty requirements are met. Cross-border restrictions and jurisdictional control must also be understood, addressing privacy concerns with no remote processing of data. At the end of the day, true sovereignty ensures that other jurisdictions are unable to assert authority over data stored beyond national borders, fostering national data interest and growth.

True sovereign clouds require a higher level of protection and risk management for data and metadata than a typical public cloud. Metadata, or information about the data such as IP addresses or host names, must be protected along with the data itself. VMware Sovereign Cloud providers offer transparency around security measures, both cybersecurity protections and physical security in the data centre.

VMware Sovereign Cloud providers are…

trusted approved partners in providing best in class IaaS Security and compliance

experts in local platform builds as well as local data protection laws

able to provide solutions for data choice and control, cost efficient (TCO) solutions that are flexible and customisable

able to grow with customer needs providing a complete solution that is future proof  

Customers requiring sovereign solutions demand the expertise and transparency offered by VMware Sovereign Cloud providers – ensuring security and compliance with local data privacy and sovereignty laws. This expertise and transparency becomes invaluable, enabling data security and compliance.



In the last few weeks, the IT industry has seen some very interesting activity from global hyperscale cloud providers surrounding their cloud sovereignty ambitions, and their scrutiny by the regulators covering some basics compliance requirements, like the European Union’s (EU) General Data Protection Regulation (GDPR)

Firstly, AWS made a public pledge called the “AWS Digital Sovereignty Pledge”, consisting of a commitment to provide “the most advanced set of sovereignty controls and features available in the cloud”. After Google’s cooperation with T-Systems and the “Delos” offer from Microsoft, SAP, and Arvato, AWS now follows suit. These initiatives reinforce the growing potential of sovereign cloud services in a world increasingly dominated by questions of cloud choice and control, and complex compliance requirements.

So, what does a pledge mean? The dictionary defines this as a “solemn promise” – which would reasonably beg the question: isn’t this an admission that there is little sovereignty in the offering today? Otherwise, why would it be a pledge? A pledge is forward-looking, something that has not been performed or delivered yet. Also, shouldn’t an announcement like this ideally be backed up with a roadmap? Where is the guarantee that items in this pledge will be fulfilled? Instead, AWS mentions what the pledge will generally cover: control over the location of your data, verifiable control over data access, the ability to encrypt everything everywhere, and the resilience of their cloud. The pledge sounds excellent, but does it meet the minimum standards of most data sovereignty requirements worldwide? It appears, from the general language, that none of it addresses the critical concerns around hyperscale usage, jurisdictional control, legal rights to access the data, and complying with sovereign data requirements that require protection from the U.S. CLOUD Act or Section 702 of the US Foreign Intelligence Surveillance Act (FISA).

Secondly, Microsoft has run aground in Germany with Office 365 reportedly not complying with GDPR. GDPR is 4+ years old and is a huge issue that most companies have joined in the rush not to be penalized by the EU. With Germany’s federal and state data protection authorities (DSK) raising concerns about the compatibility of 365 with data protection laws in Germany and the wider EU, it makes you wonder how other companies may also be falling short in their obligations to protect EU customers’ data. Also, how many other regulatory requirements (such as data sovereignty requirements) that global public cloud providers believe they comply with are prone to be scrutinized by the regulators? This news, of course, is food for thought. Microsoft has denied that this is correct and issued a statement asking for more clarification regarding the view that DSK has. IT executives should therefore take this news as a noteworthy case study to fuel the decisions of their cloud choice, as regulatory requirements concerning data sovereignty are much more complex and niche to comply with than GDRP.

All these issues and many more are putting U.S. and global hyperscale cloud providers in a precarious position when operating a sovereign cloud or other regulated cloud solution, in jurisdictions such the EU, where they must adhere to the EU’s GDPR and U.S. legislation. Indeed, it puts the EU in a precarious position as well, given that 72% of the European cloud market spend was aligned with AWS, Microsoft, and Google in Q2 2022. The EU wants a fair market and a protected European cloud without compromising cloud functionality. However, continued investment by customers in U.S. hyperscale and continual investment in the region of $4b in U.S. hyperscale organizations into expansion means that no European cloud company will ever seriously challenge this market today. The EU certainly has a quandary; on the one hand, enforcing sovereignty would mean no foreign clouds could be used, which would severely damage the EU cloud market; and on the other hand, how to legislate enough to maintain a level of sovereignty that doesn’t exclude foreign providers with some level of external jurisdictional control? It seems that for the foreseeable future, there will be little answer to this quandary, and, in any event, the most prudent approach to compliance appears to be a national, purpose-built sovereign cloud, using external clouds when your data classification meets the needs of unregulated or non-sovereign environments— this seems to be cloud smart!

European cloud providers tend to be more specialized in their services, with nearly all providing managed services, something not found directly in the major U.S. hyperscale cloud provider offerings. I believe this is a good thing. VMware has consistently stated that the future of a well-run cloud-smart IT strategy is multi-cloud and hybrid cloud and that being cloud-smart means we cannot ignore hyperscale offerings. We need them, especially as there are significant innovations and market-leading scalability in these clouds. This is where VMware’s strategy is unique: VMware encourages multi-cloud and helps organizations maintain a cloud strategy that avoids lock-in and maintains quality and security while monitoring performance. The VMware Sovereign Cloud initiative provides national and local cloud provider partners the capability to build purpose-built sovereign clouds, including ones that deliver locally specific requirements in areas such as data sovereignty, including data residency and jurisdictional control, data access and integrity, data security and compliance, data independence and mobility, and data innovation and analytics.

The common misunderstanding when considering a global hyperscale cloud provider as an option for workloads requiring data sovereignty is that there is compliance because the portfolio, data and applications will be limited to only what can be run in a region. This still doesn’t make it sovereign – it is simply a farce. To be clear, physical location (or data residency), while necessary for data sovereignty, does not constitute data sovereignty entirely for almost all, if not all, data sovereignty requirements around the globe. Data sovereignty requirements are unique to each jurisdiction, but all have many more needs than simple data residency. For example, they all also require jurisdictional control, which cannot be assumed to be met with a data resident cloud, particularly for U.S. or global cloud providers subject to the CLOUD Act and FISA ruling. It’s therefore essential to recognize that VMware sovereign cloud providers are independent third-party partners across the globe who also manage extensive portfolios of cloud capabilities based on VMware solutions and ecosystem vendors, with the tools and competitive advantage (under the current regulatory climate) to provide the highest levels of compliance comfort with data sovereignty requirements and/or other regulations such as GDPR.


So, what is the answer here? VMware’s position has not changed; the usage of “trusted” hyperscale clouds denotes a level of trust whereby data that should be placed in a hyperscale cloud is not top secret or restricted, can be protected (using encryption, bring your own key, confidential computing, or privacy-enhancing compute (PEC)) and should be public, i.e., only low-risk data should be placed in any hyperscale cloud, whether trusted or native. Whilst the battles between the hyperscale clouds to achieve sovereign status in Europe continue, customers across the globe should not wait any longer for a magical one-size-fits-all solution or ever trust that their due diligence of regulatory requirements can be delegated to any vendor. Instead, consider a strategy that utilizes the best of all multi-cloud solutions and establishes cloud choices based on data classification, data operations, and risk.


As the diagram shows, there is increased risk associated with non-sovereign cloud solutions, as jurisdictional control is negated in a trusted or hyperscale public cloud. The volume of data applicable to non-sovereign services that should be considered may be lower when you have conducted a thorough data classification exercise. Remember that a sovereign cloud provider delivers services suited to your vertical, whether government, public sector, financial, or many other verticals, and managed services to help you with your cloud adoption strategy. Some also innovate solutions for secure data exchange to enable monetizing your data, a critical component in the growing data market. In addition, VMware Sovereign Cloud Providers may be best suited to support you in managing locally tailored privacy, classifications, and risk analysis, ensuring compliance with the most stringent of standards. As data pertains to personal and non-personal data (think industrial and IoT), a classification exercise will help you understand your risks and how to protect them in alignment with regulatory requirements and mitigate future threats from new data classification standards that are indeed to come.
 
As data markets evolve and data exchange for supply chain and monetization become a critical component of how we do business, it is essential that the right strategy is decided at day 0 and that the limitations of a cloud choice do not compromise the principles of sovereignty you encompass. Additionally, ensure that the cloud provider you select has the right technology capabilities, security infrastructure, and data governance processes to protect your data, meet compliance standards, and provide a secure platform for your business.


By Hock Tan, Broadcom President & CEO

The trend towards sovereign clouds has been one of the central topics that customers, particularly in Europe, have raised since we announced the Broadcom-VMware transaction. They want to know what role a combined Broadcom-VMware would play as governments increasingly recognize the power of data – economically, politically, and geo-politically – to drive local, national, and even multi-national economic development. In short, Broadcom sees cloud sovereignty as extremely important to the future of data management, and we see VMware, with its multi-cloud strategy and offerings, as being a key enabler in the adoption of sovereign clouds.

A sovereign cloud is essentially a cloud computing architecture for a suite of digital services built specifically around a common set of national or multinational standards. Adhering to these standards provides cloud providers with an open architecture to give their customers greater interoperability and, more importantly, greater control over their data.

The shift to sovereign clouds has been driven by rapidly expanding requirements from governments and businesses alike to enhance data privacy, cybersecurity, and broader economic development. More than 70% of large organizations surveyed last year, by the Capgemini Research Institute, said they planned to adopt cloud sovereignty, both to protect customer data and ensure compliance with new national data protection and localization rules. Those rules are proliferating quickly. The Information Technology and Innovation Foundation found that the number of laws, regulations and government policies requiring digital information to be stored in a specific country more than doubled globally over the most recent four-year period.

Gaia-X, for example, is a sovereign cloud architecture led by France and Germany, driven by customer data sovereignty under a framework that delivers Europe’s digital transformation. Frameworks like Gaia-X have prompted many European industry leaders, from OVHcloud to Deutsche Telekom, to incorporate sovereign clouds as part of their overall IT infrastructure. The EU Cloud Certification Scheme (EUCS) is another effort to develop a single cloud security certification set of requirements at EU-wide level.

However, sovereign clouds are but one piece of a data management puzzle that is highly complex and continues to evolve. As a trusted partner, Broadcom must anticipate this evolution for our customers and then innovate to meet the challenges we see ahead. We feel strongly that our acquisition of VMware will accelerate this innovation, particularly in multi-cloud, where VMware already has leading solutions.

I’ve said before that multi-cloud is the future of enterprise IT. A multi-cloud approach enables the flexibility to manage and protect data across different environments – private, public, or sovereign – at will. And when integrated with sovereign cloud, multi-cloud enables customers to deliver differentiated services at scale while remaining secure and in compliance with regulatory frameworks. Maintaining this choice, control, and agility is both crucial for growth and a daunting task for enterprises globally.

Following the close of Broadcom’s acquisition of VMware, we will have a complementary portfolio that provides our customers – such as governments and critical infrastructure operators, including banks and healthcare operators – the tools they need to use the various cloud environments strategically and impactfully. Just as important, we will invest in our innovation engine and long-term product improvement to drive new, customer-centric solutions for the multi-cloud era and empower more customers to exercise their own sovereign choices when storing and managing data.


Cautionary Statement Regarding Forward-Looking Statements

This communication relates to a proposed business combination transaction between Broadcom Inc. (“Broadcom”) and VMware, Inc. (“VMware”).  This communication includes forward-looking statements within the meaning of Section 21E of the U.S. Securities Exchange Act of 1934, as amended, and Section 27A of the U.S. Securities Act of 1933, as amended.  These forward-looking statements include but are not limited to statements that relate to the expected future business and financial performance, the anticipated benefits of the proposed transaction, the anticipated impact of the proposed transaction on the combined business, the expected amount and timing of the synergies from the proposed transaction, and the anticipated closing date of the proposed transaction.  These forward-looking statements are identified by words such as “will,” “expect,” “believe,” “anticipate,” “estimate,” “should,” “intend,” “plan,” “potential,” “predict,” “project,” “aim,” and similar words or phrases.  These forward-looking statements are based on current expectations and beliefs of Broadcom management and current market trends and conditions. 

These forward-looking statements involve risks and uncertainties that are outside Broadcom’s control and may cause actual results to differ materially from those contained in forward-looking statements, including but not limited to: the effect of the proposed transaction on our ability to maintain relationships with customers, suppliers and other business partners or operating results and business; the ability to implement plans, achieve forecasts and meet other expectations with respect to the business after the completion of the proposed transaction and realize expected synergies; business disruption following the proposed transaction; difficulties in retaining and hiring key personnel and employees due to the proposed transaction and business combination; the diversion of management time on transaction-related issues; the satisfaction of the conditions precedent to consummation of the proposed transaction, including the ability to secure regulatory approvals on the terms expected, at all or in a timely manner; significant indebtedness, including indebtedness incurred in connection with the proposed transaction, and the need to generate sufficient cash flows to service and repay such debt; the disruption of current plans and operations; the outcome of legal proceedings related to the transaction; the ability to consummate the proposed transaction on a timely basis or at all; the ability to successfully integrate VMware’s operations; cyber-attacks, information security and data privacy; global political and economic conditions, including cyclicality in the semiconductor industry and in Broadcom’s other target markets, rising interest rates, the impact of inflation and challenges in manufacturing and the global supply chain; the impact of public health crises, such as pandemics (including COVID-19) and epidemics and any related company or government policies and actions to protect the health and safety of individuals or government policies or actions to maintain the functioning of national or global economies and markets; and events and trends on a national, regional and global scale, including those of a political, economic, business, competitive and regulatory nature.

These risks, as well as other risks related to the proposed transaction, are included in the registration statement on Form S-4 and proxy statement/prospectus that has been filed with the Securities and Exchange Commission (“SEC”) in connection with the proposed transaction.  While the list of factors presented here is, and the list of factors presented in the registration statement on Form S-4 are, considered representative, no such list should be considered to be a complete statement of all potential risks and uncertainties.  For additional information about other factors that could cause actual results to differ materially from those described in the forward-looking statements, please refer to Broadcom’s and VMware’s respective periodic reports and other filings with the SEC, including the risk factors identified in Broadcom’s and VMware’s most recent Quarterly Reports on Form 10-Q and Annual Reports on Form 10-K.  The forward-looking statements included in this communication are made only as of the date hereof.  Neither Broadcom nor VMware undertakes any obligation to update any forward-looking statements to reflect subsequent events or circumstances, except as required by law.

No Offer or Solicitation

This communication is not intended to and shall not constitute an offer to buy or sell or the solicitation of an offer to buy or sell any securities, or a solicitation of any vote or approval, nor shall there be any sale of securities in any jurisdiction in which such offer, solicitation or sale would be unlawful prior to registration or qualification under the securities laws of any such jurisdiction.  No offering of securities shall be made, except by means of a prospectus meeting the requirements of Section 10 of the U.S. Securities Act of 1933, as amended.  

Additional Information about the Transaction and Where to Find It

In connection with the proposed transaction, Broadcom has filed with the SEC a registration statement on Form S-4 that includes a proxy statement of VMware and that also constitutes a prospectus of Broadcom.  Each of Broadcom and VMware may also file other relevant documents with the SEC regarding the proposed transaction.  The registration statement  was declared effective by the SEC on October 3, 2022 and the definitive proxy statement/prospectus has been mailed to VMware’s stockholders. This document is not a substitute for the proxy statement/prospectus or registration statement or any other document that Broadcom or VMware may file with the SEC.   INVESTORS AND SECURITY HOLDERS ARE URGED TO READ THE REGISTRATION STATEMENT, PROXY STATEMENT/PROSPECTUS AND ANY OTHER RELEVANT DOCUMENTS THAT MAY BE FILED WITH THE SEC, AS WELL AS ANY AMENDMENTS OR SUPPLEMENTS TO THESE DOCUMENTS, CAREFULLY AND IN THEIR ENTIRETY IF AND WHEN THEY BECOME AVAILABLE BECAUSE THEY CONTAIN OR WILL CONTAIN IMPORTANT INFORMATION ABOUT THE PROPOSED TRANSACTION.  Investors and security holders may obtain free copies of the registration statement and proxy statement/prospectus and other documents containing important information about Broadcom, VMware and the proposed transaction, once such documents are filed with the SEC through the website maintained by the SEC at http://www.sec.gov.  Copies of the documents filed with the SEC by Broadcom may be obtained free of charge on Broadcom’s website at https://investors.broadcom.com.  Copies of the documents filed with the SEC by VMware may be obtained free of charge on VMware’s website at ir.vmware.com.

Participants in the Solicitation

Broadcom, VMware and certain of their respective directors and executive officers may be deemed to be participants in the solicitation of proxies in respect of the proposed transaction.  Information about the directors and executive officers of Broadcom, including a description of their direct or indirect interests, by security holdings or otherwise, is set forth in Broadcom’s proxy statement for its 2022 Annual Meeting of Stockholders, which was filed with the SEC on February 18, 2022, and Broadcom’s Annual Report on Form 10-K for the fiscal year ended October 31, 2021, which was filed with the SEC on December 17, 2021.  Information about the directors and executive officers of VMware, including a description of their direct or indirect interests, by security holdings or otherwise, is set forth in VMware’s proxy statement for its 2022 Annual Meeting of Stockholders, which was filed with the SEC on May 27, 2022, VMware’s Annual Report on Form 10-K for the fiscal year ended January 28, 2022, which was filed with the SEC on March 24, 2022, a Form 8-K filed by VMware on April 22, 2022 and a Form 8-K filed by VMware on May 2, 2022.  Other information regarding the participants in the proxy solicitations and a description of their direct and indirect interests, by security holdings or otherwise, are or will be contained in the proxy statement/prospectus and other relevant materials to be filed with the SEC regarding the proposed transaction when such materials become available.  Investors should read the proxy statement/prospectus carefully before making any voting or investment decisions.  You may obtain free copies of these documents from Broadcom or VMware using the sources indicated above.

About Hock Tan:


Hock Tan is Broadcom President, Chief Executive Officer and Director. He has held this position since March 2006. From September 2005 to January 2008, he served as chairman of the board of Integrated Device Technology. Prior to becoming chairman of IDT, Mr. Tan was the President and Chief Executive Officer of Integrated Circuit Systems from June 1999 to September 2005. Prior to ICS, Mr. Tan was Vice President of Finance with Commodore International from 1992 to 1994, and previously held senior management positions with PepsiCo and General Motors. Mr. Tan served as managing director of Pacven Investment, a venture capital fund in Singapore from 1988 to 1992, and served as managing director for Hume Industries in Malaysia from 1983 to 1988.


As recently spotlighted at VMware Explore US, Sovereign Cloud continues to gain momentum. The estimated TAM of the Sovereign Cloud business is $60B by 2025, in no small part due to the rapid increase of data privacy laws (currently 145 countries have data privacy laws) and the complexity of compliance in highly regulated industries.

As the need to monetize data grows and nations seek to realize the true value of data, VMware is delivering on our Sovereign Cloud position: Sovereign Security, Sovereign Compliance, Sovereign Control, Sovereign Autonomy, and Sovereign Innovation.

Previously, we looked at what data sovereignty is and how it impacts business operations when it comes to personal, sensitive or classified data. Now let’s look at how an organization can better comply with data sovereignty laws by choosing the right cloud architecture.

Most businesses have moved to cloud computing for at least some of their data. Cloud provides greater flexibility, scale, and computational power than traditional on-premises data centers. While public clouds are popular for their high capacity and low costs, some organizations have started moving data out of them to comply with regulations. 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds [1]. Some have moved data back on-premises, whereas others are using a mix of public and private clouds. Ultimately, protecting and realizing national data has never been a more important factor in building a cloud. With the combination of increasing country regulations (compliance with the US CLOUD Act, the EU’s GDPR, and China’s Personal Information Protection Law, alongside data privacy laws in 132 countries and an annual increase of ~10%), choosing the right data sovereignty solution has become a hot topic.

To better understand why a business may choose one cloud model over another, let’s look at the common types of cloud architectures:

Public – on-demand computing services and infrastructure managed by a third-party provider and shared with multiple organizations using the public Internet. Public clouds are usually multi-tenant, meaning multiple customers share the same server, although it’s partitioned to prevent unauthorized access. Public clouds offer large scale at low cost.

Private – infrastructure is dedicated to a single user organization. A private cloud can be hosted either in an organization’s own data center, at a third-party facility, or via a private cloud provider. Private clouds are generally more secure than public due to limited access and can meet regulatory requirements such as data privacy and sovereignty. However, they require more resources to set up and maintain.

Community – shared cloud that is integrated to connect multiple organizations or employees for collaboration. This can be multiple private clouds connected together to facilitate the exchange of data. These are frequently used by regulated industries where public clouds are not compliant, but they are complicated to set up due to having multiple groups involved.

Government – a type of private or community cloud designed specifically for government bodies to maintain sovereignty and control.

Multi-cloud – using multiple public clouds to take advantage of different features. An organization may host some services in one cloud and others with a different provider. This model has the highest level of security risk due to the volume of data and access.

Hybrid – a mix of public and private clouds. The term is sometimes also used to refer to a mix of public cloud and on-premises private data centers.

While public clouds are suitable for public information that isn’t subject to data sovereignty laws, a hybrid or other more private solution is needed for overall compliance. Private clouds can meet data sovereignty requirements, but they need dedicated data centers, operated either by the organization itself or via a provider using dedicated hardware. This can be expensive and time-consuming. The quickest or off-the-shelf solution may not include the level of security or compliance necessary to be sovereign. Key factors to consider are jurisdictional control, local oversight, data portability and customizability, to name a few.

Sovereign cloud is an option designed specifically to meet data sovereignty requirements. Think of this as a semi-private cloud, combining some of the best features of public and private. They are operated by experienced cloud providers that are smaller, local, multi-tenant operations. A sovereign cloud provides the data sovereignty benefits of a private cloud without the IT headaches.

Sovereign cloud can be used in conjunction with public cloud as part of a hybrid cloud architecture. Data and services subject to data sovereignty laws would live in the sovereign cloud while non-sensitive data and services might live in the public cloud. The exchange of data between these clouds must be carefully controlled to ensure compliance.

When it comes to finding a sovereign cloud provider, customizability, flexibility and frictionless implementation are critical. You need to be able to audit operations and access to make sure compliance is maintained. Local, self-attested sovereign cloud providers can follow, implement and build residency requirements correctly so that data residency and sovereignty requirements are met. Cross-border restrictions and jurisdictional control must also be understood, addressing privacy concerns with no remote processing of data. At the end of the day, true sovereignty ensures that other jurisdictions are unable to assert authority over data stored beyond national borders, fostering national data interest and growth.

True Sovereign Clouds require a higher level of protection and risk management for data and metadata than a typical public cloud. Metadata, or information about the data such as IP addresses or host names, must be protected along with the data itself. VMware Sovereign Cloud providers offer transparency around security measures, both cybersecurity protections and physical security in the data center.

VMware Sovereign Cloud providers are…

trusted, approved partners in providing best-in-class IaaS security and compliance

experts in local platform builds as well as local data protection laws

able to provide solutions for data choice and control, and cost-efficient (TCO) solutions that are flexible and customizable

able to grow with customer needs, providing a complete solution that is future-proof

Customers requiring sovereign solutions demand the expertise and transparency offered by VMware Sovereign Cloud providers, ensuring security and compliance with local data privacy and sovereignty laws. This expertise and transparency become invaluable, enabling data security and compliance.


Source: IDC, commissioned by VMware, Deploying the Right Data to the Right Cloud in Regulated Industries, June 2021
