DevOps Blog

Is data sovereignty compatible with the cloud in the EU?

Written by Laurine Lefort | 09-Jun-2022 12:00:00

What is digital sovereignty?

Digital sovereignty is a term that emerged with the rise of the Internet. Previously, we spoke more of state sovereignty, i.e. the ability of a state to exercise its authority over a geographical area and its inhabitants. Today, this sovereignty has also extended into the digital sphere, which blurs borders and escapes the control of states. For a few years now, certain countries and regions have been creating their own sovereign clouds.

Data sovereignty

Among the issues related to sovereignty, data sovereignty is a hot topic. For organizations, it consists in protecting the management of their data by submitting it to the laws of the country in which it is hosted.

If the data is stored with a French Cloud provider, for example, it is subject to French and European legislation. But if it is stored with an American Cloud provider, it is subject to American legislation. This is where the notion of digital sovereignty becomes more difficult to grasp.

To be sovereign over one's data is to be confident that it will not be freely accessible to other organizations, or even to foreign powers. So there is an idea of controlling one's data geographically but, as said before, everything depends on the chosen Cloud provider. This has become difficult to implement today, first because of the dominance of the American Cloud providers, which prevail over the others.

But it is also because of the real absence of borders in the Cloud and the fact that some states play on them. So how can you be sovereign of a kingdom without limits?

An overview of what exists

European and American legislation


Today, in terms of data sovereignty, there are several things in place. In Europe, for example, the GDPR (or General Data Protection Regulation) has been in effect since 2016. This regulation protects data stored on European territory as well as access to it. In the United States, there is the CLOUD Act (or Clarifying Lawful Overseas Use of Data Act), enacted in March 2018, which does the same thing, but also allows the government to access the data of U.S. companies, even outside the U.S. territory.

So these two pieces of legislation are fundamentally incompatible.

By the way, what does the CLOUD Act define as a "U.S. business"? This definition includes, for example, any French company, based in France, that has part of its infrastructure hosted with a US Cloud provider. Such a company is then obliged to hand over its customers' data to the American government if the latter requests it. Sovereignty is no longer European in this case. This conflicts with European legislation that protects the data of all European companies. And if a company violates the GDPR, it is then subject to a fine of 4% of its turnover.

But let's imagine that the CLOUD Act were invoked against a company in France, for example, and that it transmitted its data to the USA. If it were not then pursued under the GDPR, this would set a precedent: from then on, other European companies would no longer be subject to the GDPR.

European sovereignty is therefore undermined by the CLOUD Act, which pushes European states to develop their own sovereign clouds (e.g. Scaleway in France, Hetzner in Germany).

The creation of a French "trusted cloud"

In 2009, France had the idea of a sovereign cloud. Developed by Orange, Thales and DS, joined by SFR, two solutions were created. But 6 years later, the project was officially buried: both were a pure and simple failure. However, in 2020, the GAIA-X project was born: a cloud computing solution developed for the EU in collaboration with Germany, intended to be efficient, secure and competitive.

To compensate for this project, the French government announced a year later the creation of a "Trusted Cloud" label, which aims to combine French and European sovereignty with the ability to take advantage of American technologies from giants such as AWS or GCP.

Although not a cloud solution, this label provides a certain security and serenity to companies.

As a result, the government seems to have realized that trying to compete with these giants may not be such a good idea and has therefore opted for a more measured solution: partnering with Microsoft in this project. In order to escape the CLOUD Act, Microsoft would be a mere technical solution provider and not a shareholder in the driver's seat of this new sovereign cloud like Orange and Capgemini are.

When you are a company, this label can indeed be reassuring.

What solutions exist to combine data sovereignty and the Cloud?

We often hear people express their concerns about the security of their data in the Cloud. Who has access to it? Is it really protected? How can you be sure that it is not accessible by a third party, or by another state? Yet, the Cloud can be just as secure as an on-premise solution.

⚠ Natively, the Cloud is not secure at all. Cloud providers practice a shared responsibility model for security.

Sovereignty is not something that is easy to implement, as we have seen. However, this does not mean that it is totally incompatible with storing data on a Cloud provider. On the contrary. If you look at this issue from the point of view of the company, you realize that it is possible - and even easy - to remain in control of your data in the Cloud.

Several solutions exist, either by playing on the Cloud providers chosen to store the data or on a more technical part such as data encryption.

The Hybrid Cloud

The principle of the hybrid cloud is to mix two or more cloud providers, mixing private and public clouds. Thus, you can decide to store the most sensitive data on your private cloud (on-prem) while having the flexibility of the public cloud for other types of data. In terms of sovereignty, this solution allows total control over the data identified as sensitive.

The Multi-Cloud

Choosing multi-cloud means choosing what is best for your company in each cloud provider. Unlike the hybrid cloud, multi-clouds only mix public clouds.

This solution allows great flexibility by combining different tools that end up forming a whole totally adapted to your needs. In addition, having several providers increases the level of data security, since the data is not all stored with the same Cloud provider. Just as hybrid clouds allow you to store your most sensitive data on a private cloud, multi-cloud gives you the possibility to store your sensitive data on a cloud provider in France rather than in the United States: this way you are not subject to the CLOUD Act.

Data encryption

Data encryption is a solution that can be considered before anything else, to guarantee the security of one's data, and is rather complementary to the other two.

Encryption of data in transit by SSL

You can for example choose the encryption of data in transit, using protocols like SSL. Data in transit is, as the name implies, data that is moving from one place to another on a network. The SSL protocol will encrypt the data until it reaches the server, which will then decrypt it and send it back to the recipient.

There are three advantages to this type of encryption via SSL:

  • The encryption of the data
  • Authentication, which allows data to transit through and to the right server
  • Data integrity, which guarantees no loss or modification of the data
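The authentication property from the list above, as an added Go example (not from the original article): a loopback HTTPS server from Go's `httptest` package presents a test certificate; a client using the default trust store refuses it, while a client that trusts that certificate connects. Current stacks negotiate TLS, the successor to the SSL protocol named above; `Fetch` and `Demo` are names chosen for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Fetch performs one HTTPS GET and returns the negotiated TLS version.
func Fetch(client *http.Client, url string) (uint16, error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, err // handshake or certificate verification failed
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

// Demo starts a local HTTPS server with a test certificate and connects twice.
func Demo() (untrusted error, version uint16, trusted error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	// Default trust store: no trusted CA signed the test certificate, so the
	// client cannot authenticate the server and aborts before sending data.
	strict := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
	_, untrusted = Fetch(strict, srv.URL)
	// srv.Client() trusts exactly the server's certificate, so this succeeds.
	version, trusted = Fetch(srv.Client(), srv.URL)
	return
}

func main() {
	fmt.Println(Demo())
}
```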

Symmetric encryption of stored data


There is also the encryption of stored data, or data at rest. This differs from data in transit in that it is not intended to be transferred. Such data is essential but remains on a single server, which makes it potentially less secure. Generally, a symmetric cipher such as AES (Advanced Encryption Standard) is used. With this method, a single key is used to encrypt and decrypt data. This standard has been the most widely used and most secure since its creation.

There are two main advantages to this method:

  • The ease of use
  • Speed of use

These two encryption methods are complementary, and in all cases special attention must be paid to the storage of the encryption/decryption key. Indeed, it is the transfer of this key that is most likely to expose a security flaw.

Conclusion

Guaranteeing the security of one's data therefore requires two things: the encryption of one's data as we have just seen, but also the choice of sovereignty in the Cloud.

Data sovereignty, as well as its application in the Cloud, is a difficult subject to cover in a single article. The "war" between the different legislations also reinforces the mistrust that one can feel when talking about digital sovereignty.

However, it is possible to remain in control of your data if you adapt the implementation to your company's needs. And if you have any questions about the security of your infrastructure, you can also contact our experts who will be happy to help you!