How to define cloud sovereignty and the quest for balance

Madhvi Mavadiya

Head of Content, Finextra

With the ever-changing geopolitical landscape and new regulations coming to the fore, where data is kept, where it is shared and who can access it are all considerations for financial institutions in a world where more data equals more power. As a growing amount of data is stored in cloud-based data centres, governments and courts in the EU, US and China have set rules on cross-border data flows, among them GDPR, the Data Act and the Data Governance Act in the EU, the US CLOUD Act, and the CJEU’s Schrems II ruling, which invalidated the EU-US Privacy Shield over US government access to transferred data. The common aim is to control the flow of data across borders and minimise risk by keeping data on sovereign soil.

Cloud providers and data classification

Cloud providers hold a substantial amount of a bank’s data, so banks must ensure that the right applications and the right data are hosted on the right cloud, with data classified, owned, trusted, controlled and compliant. While a sovereign cloud can ensure data remains on sovereign soil, the familiar benefits of cloud still apply, so cloud sovereignty must be considered as part of the holistic cloud strategy that financial institutions are already pursuing.

If 10 people were asked to define cloud sovereignty, you might get more than 10 replies. Most, however, agree on the principle: an isolated cloud in which all data stays on sovereign soil. As with data sovereignty, financial services regulators will put growing pressure on institutions to use a sovereign cloud, and banks should use that opportunity to evaluate how this type of cloud fits into their overall cloud strategy. Is the sovereign cloud merely another cloud held out independently, or is it part of a hybrid model built on a consistent infrastructure?

What is cloud sovereignty?

What is cloud sovereignty, beyond being a pillar of digital sovereignty? Finextra asked Monica Sasso, global financial services digital transformation lead at Red Hat UK. In Sasso’s view, “there are many different definitions of digital sovereignty, and even more interpretations. Additionally, regional differences affect digital sovereignty policy, i.e. what is at the top of the pyramid for a jurisdiction? Is it ensuring data privacy, is it digital resilience, is it financial stability or is it preserving the resilience of the overall economy?”

IBM articulates digital sovereignty, cloud sovereignty and the data ownership landscape succinctly. “Digital sovereignty is the right of the nations, organizations and citizens to have control over their digital autonomy and their data. Since it is all about data, that is where sovereign cloud or data sovereignty comes in — where does the data reside, where is the data flowing and who has control over it?” But why is cloud sovereignty important?

Sasso believes “having autonomy over the technology that runs a nation’s and its residents’ data” is crucial. She continues: “We have moved from a paper way of life, where it was easy to see the bit of paper, to follow it around the jurisdiction, country, the world, to everything being a bit or byte that we cannot see, and that we cannot easily secure (i.e. with a bit of paper, one could lock it in a secure storage location). Now we cannot ‘see, touch, feel’ our own data, so knowing there are laws in place that essentially give consumers that security over their most personal information is key.

“Wishing to not stray into geopolitics, having control over data is also key for nations and people to guard what is true, to make sure that the data is accurate, and people are not abused as a result of this. Imagine if data were not so important, my national identification number could be used to falsify all sorts of documents, could be stolen, or could be used to commit crimes. There are so many reasons why it is important ranging from protecting truth to protecting people’s security, livelihoods, and lives even,” Sasso added.

Data storage service monitoring

Protection is crucial. When it comes to trust, banks operate from a position of strength. In addition to keeping consumer funds secure, customer data must be protected. However, as Sasso points out, while technology evolves quickly, regulation tends to lag. Banks are cautious when adopting new technology, but they must strike a balance between innovation and security. She adds: “Digital technologies have changed the risk and threat landscape for firms, and everyone needs to be an expert in these topics.

“As technology has connected us as people, so too has it connected firms; requiring the three lines of defence to collaborate more and for all leaders to have a crash course in cloud native technology, modern data practices and cyber security. We can no longer have IT or data people who are the only people in the know, and this is where a firm’s own ecosystem and the open-source community can be a huge help in training, upskilling and facilitating some of that cross-collaboration.”

Cross-collaboration is easier said than done when the legal regimes themselves conflict. The US CLOUD Act allows US authorities to compel US-based providers to produce data in their custody regardless of where it is stored, and China’s data laws are widely described as placing similar obligations on providers there; both sit uneasily with EU rules, which Schrems II reinforced by invalidating the EU-US Privacy Shield over US government access to transferred data. Cloud sovereignty can resolve this, despite it being a longstanding issue. To do so, a financial institution will need to understand its cross-border posture and have a holistic view of where its business, its data and its providers are located. Only then can banks truly analyse their risk, and in turn, their risk appetite.

Sasso explains that “firms could assess how best to secure their data, understand their software supply chain and architect a hybrid cloud technology stack within that framework. Using open-source tools, state of the art security measures and architectures to control access and data flows and ultimately defining its own sovereign cloud within the constraints of its regulators is a key activity for firms to do.”

Operational resilience

Doubling down on the importance of a holistic understanding of risk, Sasso adds that with a sovereign public cloud, financial institutions can properly “map out their operational resilience, cyber resilience, software supply chains and data protection landscapes. This will then support them in defining their next generation of technology strategies and allow them to articulate their compliance postures back to their regulators and to their shareholders, within their respective risk appetites.”

As the European Commission has put it, “data is immensely valuable to all organisations, a significant resource for the digital economy and the ‘cornerstone of our EU industrial competitiveness’.” One regulation not mentioned so far is the Digital Operational Resilience Act (DORA), which sits alongside the Cybersecurity Act and the Data Act. DORA requires financial entities to manage ICT risk, report major ICT incidents, test their resilience and manage ICT third-party risk, and it creates an EU oversight framework for critical ICT third-party providers. That brings the large cloud platforms directly into the regulators’ view and addresses concentration risk head on, creating a sense of regional protection.

The problem lies in managing unstructured data, which 95% of businesses cite as being an issue. Further, 42% of business leaders are very or extremely concerned about data being managed by US cloud providers. Statista found that 66% of the European cloud market is controlled by US-based providers, who, of course, are subject to the US CLOUD Act. This is driving the need for data sovereignty and for cloud services that give data the same legal protection it would have in its home jurisdiction. But is this possible?

Sasso believes that as technology has connected us all, “so has it connected the financial markets and regulators who want to make sure that concentration risk in one (or a couple of) hardware, software, service, etc providers is minimised and does not adversely affect the markets or economy - or cause their consumers or citizens (us) any undue harm. It comes down to them not wanting for the entire financial system or even economy to be solely dependent on just a single commercial entity. So essentially, they want to minimise all aspects of concentration risk in the financial system - from financial instruments all the way to utility providers, software and hardware to the public cloud.”

On data sovereignty, she adds that “one of the most important elements of data sovereignty is understanding your software supply chain. Essentially: what data do you have, where is it, who can access it (where are those people based), what system is doing what - from where? And this should be not just your big systems like core banking, but also the smaller systems that you might not even realise you are consuming - that maybe are provided to you by 4th or even 5th parties within your supply chain. Then you will have the information to define your own data landscape in the cloud within the constraints of your regulator(s) and within your firm’s risk appetite.”

On cloud sovereignty, Sasso explains that “if we think about things today, firms have data and applications that are either in a public cloud or on premise in a private cloud. With the introduction of a sovereign cloud layer, there is a three-layered hybrid, multi-cloud environment where business critical data and applications can reside in a sovereign cloud while less critical data and applications can reside in the public cloud layer. This seems to be the future structure that regulators are leaning into to address (lack of) regulatory oversight, interoperability, data sovereignty and concentration risk. Add this to concepts like confidential compute and firms will have an even greater ability to address concerns around vendor lock-in, data sovereignty and increase cloud service provider competition.”
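As an added illustration of the inventory Sasso describes (what data a firm holds, where it rests, who can reach it, and which 4th and 5th parties sit beneath the direct provider) together with the tiered placement model above, the following Python is example code written for this article, not code from Red Hat, IBM or any cloud vendor. The regulating jurisdiction, the classification-to-tier policy, the provider names and the inventory are all assumptions constructed for the example; the point is that the check walks the provider chain rather than stopping at the contract the bank signed.

```python
from collections import Counter
from dataclasses import dataclass

# Assumption for this example: the institution is regulated in the EU, so
# "sovereign soil" means the EU.
SOVEREIGN = "EU"

# Assumed placement policy: which hosting tier each data classification requires.
TIER_FOR = {
    "critical": "sovereign",
    "confidential": "sovereign",
    "internal": "public",
    "public": "public",
}


@dataclass(frozen=True)
class Provider:
    name: str
    jurisdiction: str           # where the provider's legal entity is incorporated
    subprocessors: tuple = ()   # providers this provider itself depends on


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str
    region: str                        # where the data physically rests
    provider: Provider                 # the direct (3rd-party) provider
    operator_jurisdictions: frozenset  # where staff with privileged access sit


def supply_chain(provider, nth=3):
    """Walk the provider and everything beneath it, numbering each level the way
    the article does: the direct provider is the 3rd party, its subprocessors
    are 4th parties, theirs are 5th parties, and so on."""
    yield nth, provider
    for sub in provider.subprocessors:
        yield from supply_chain(sub, nth + 1)


def assess(ds):
    """Return the policy findings for one dataset; an empty list means compliant."""
    findings = []
    if TIER_FOR[ds.classification] != "sovereign":
        return findings                       # public-tier data is out of scope
    if ds.region != SOVEREIGN:
        findings.append(f"{ds.name}: rests in {ds.region}, outside {SOVEREIGN}")
    for nth, p in supply_chain(ds.provider):
        if p.jurisdiction != SOVEREIGN:
            suffix = "rd" if nth == 3 else "th"
            findings.append(
                f"{ds.name}: {nth}{suffix} party {p.name} is incorporated in "
                f"{p.jurisdiction}, whose disclosure laws may reach the data"
            )
    foreign_ops = sorted(ds.operator_jurisdictions - {SOVEREIGN})
    if foreign_ops:
        findings.append(f"{ds.name}: privileged access from {', '.join(foreign_ops)}")
    return findings


def concentration(datasets):
    """Share of sovereign-tier datasets on each direct provider. One provider
    close to 1.0 is the concentration risk regulators want minimised."""
    scoped = [d for d in datasets if TIER_FOR[d.classification] == "sovereign"]
    if not scoped:
        return {}
    counts = Counter(d.provider.name for d in scoped)
    return {name: n / len(scoped) for name, n in counts.items()}


def report(datasets):
    """All findings across the inventory, in inventory order."""
    return [f for d in datasets for f in assess(d)]


# Constructed inventory for the example: hypothetical providers and datasets.
HYPERSCALER_US = Provider("hyperscaler-a", "US")
SOVEREIGN_EU = Provider("sovereign-cloud-eu", "EU")
KYC_SAAS = Provider("kyc-saas-eu", "EU", subprocessors=(HYPERSCALER_US,))

INVENTORY = [
    Dataset("core-banking-ledger", "critical", "EU", SOVEREIGN_EU, frozenset({"EU"})),
    Dataset("kyc-documents", "critical", "EU", KYC_SAAS, frozenset({"EU", "IN"})),
    Dataset("marketing-site", "public", "US", HYPERSCALER_US, frozenset({"US"})),
]

if __name__ == "__main__":
    for finding in report(INVENTORY):
        print(finding)
    print(concentration(INVENTORY))
```

In the constructed inventory the KYC service is an EU company and the data rests in the EU, yet it still fails: its own hosting sits with a US-incorporated 4th party, and operators in a third country hold privileged access. Those are exactly the facts a contract-level review misses and a supply-chain walk surfaces. In practice the inventory would be generated from the CMDB and vendor register rather than typed in, and the jurisdiction rule would be replaced by the firm’s actual regulatory constraints.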

Sovereign cloud - another cloud held out independently, or part of a hybrid model based on a consistent infrastructure?

Financial institutions must plan for cyber resilience, data protection, understanding the software supply chain and operating model. Sasso concludes by saying that with a hybrid, multi-cloud architecture, underpinned by automation, banks are already on their way to having an operationally resilient technology base that can provide for cloud sovereignty. “There are commercial advantages as well, such as avoiding vendor lock-in and giving their technologists and lines of business flexibility with a stable, consistent foundation. Add in open-source technologies that bring visibility and transparency to a firm's software supply chain and firms will be able to react to the next piece of legislation or commercial imperative.”
