Planning for Data Sovereignty in a Multicloud World

With its roots in privacy law emerging from the UK and Europe, data sovereignty has become a global concern. Increasingly, international trade requires compliance with local data laws—covering nations, states, or other jurisdictions such as the EU. Governments, rather than corporations or hyperscalers, are setting the rules: Not only can they require data to be stored in-country, but some go further, stipulating that local providers deploy and operate systems storing or processing data.

As data sovereignty drivers largely concern cloud-based infrastructure, we see sovereign cloud solutions emerge to address these requirements. However, we also recognize that most, if not all, enterprises will have deployed infrastructure from multiple cloud providers as well as running hosted and on-premises systems. Which is to say, they will be operating a multicloud architecture.

While cloud providers can say they offer sovereign cloud, they currently only do so for their own offerings. Organizations that leverage sovereign cloud features and management tooling from each provider face the inefficiencies of configuring and operating each environment as independent “sovereign silos.” The model can also be costly because a hyperscaler’s solutions must be defined, priced, and deployed for each jurisdiction (for example, using AWS Outposts where a local zone is unavailable).

Organizations therefore need to look to multicloud options for implementing sovereign cloud across all the data storage and processing capabilities they use. A viable option to consider are platform-agnostic and multicloud-aware tooling, platforms, and services, which can operate across a combination of cloud providers and hosting types.

In our CxO Decision Brief for sovereign cloud in a multicloud architecture, we consider the needs and benefits of data sovereignty and the multicloud solutions that enable it. In particular, we explore Broadcom and VMware’s offerings in this area. We recognize that:

  • Broadcom brings a platform-agnostic enterprise software portfolio, covering operations, security, and governance across all platforms and providers. It is therefore suited to enterprise hybrid IT environments, including multicloud architectures.
  • VMware brings significant platform-agnostic infrastructure capability as well as tools enabling local development and deployment of infrastructure to meet sovereignty goals. The company works with local integrators to deliver services, keeping them in-country.

Solutions from Broadcom and VMware enable customers to manage data and applications across cloud and on-premises infrastructure, enabling interoperability and portability and reducing the risks and operational overheads of sovereignty. Broadcom’s broader enterprise partnership and research-led approach enables the company to work with its customer organizations to deliver on their evolving sovereignty goals. In further support, the companies offer capabilities for data protection, compliance, and security.

One way or another, organizations must get on top of data sovereignty challenges—it’s the law and can be an increasing cost to business. Nonetheless, we recognize that many current applications and services were not created with sovereignty in mind. Sovereignty represents a new, yet compulsory, non-functional requirement to be applied across the multicloud and on-premises IT estate, including retrofit onto existing applications.

Our CxO Decision Brief advocates starting on the right foot with sovereign cloud, defining an overall strategy for data sovereignty that works across multiple cloud providers and the existing application portfolio. This lets an organization consider its overall needs based on the countries in which it operates and on the applications that must be prioritized.

On this basis, technical leaders can determine which applications and repositories can be left in situ and/or refactored, migrated, modernized, or even decommissioned. If this sounds like an application rationalization initiative, it shares several facets—the main difference is the legislative driver. Similarly, it should be considered a change program in terms of gaining stakeholder buy-in at all levels, assuring measurable outcomes, deploying in a controlled manner, and so on.

On the positive side, data sovereignty managed within a multicloud environment enables better management of cloud-based services, reinforces data protection across the architecture, allows for better portability between cloud providers, and creates cost reduction opportunities compared to running individual clouds as sovereign silos. It also offers a firmer basis for innovation (for example, enabling services to be delivered in a broader set of jurisdictions, responding to local service needs, or allowing a broader view of environmental, sustainability, and governance (ESG) reporting and cloud cost management goals).

Multicloud tools in a sovereign cloud environment can also catalyze a move toward more distributed architectures, such as shared microservices and infrastructure-as-code approaches–defining in advance what can run where according to policy. For example, specific elements of an application can be deployed and run in-country, keeping data sovereign while enabling management from another jurisdiction. This facilitates a move away from the blunt instrument, “journey to the cloud” use of a limited set of global cloud providers and toward an increased level of discernment of what should be run where.

Overall, enterprises with international operations can not treat data sovereignty lightly. Whether seen as strategic or not, it will impact technical departments in terms of application architecture, operations, delivery, supplier management, and other areas. Nor can it be seen as something to happen down the line—organizations already need to comply if they wish to trade or deliver services, so it’s better to solve the challenge now rather than wait for the consequences of non-compliance.

With appropriate, multicloud-oriented data management and application tools, data sovereignty can nonetheless be seen as a catalyst for organizations to architect better for the future. In our CxO Decision Brief, we suggest steps to consider across planning, testing, deployment, and operation. Over the next one to three years, organizations will enjoy a window of flexibility before they face getting squeezed out of certain markets by other organizations that already have their houses in order. This time should be spent planning strategically and building partnerships and skills that position data sovereignty as an inherent element of the architecture.