Microsoft has announced new 'sovereign cloud' services - but just how sovereign can they be?

US hyperscalers are subject to US law, including the CLOUD Act and FISA 702


Microsoft has announced new ‘sovereign cloud’ services for Europe in response to regulations and concerns about control, security and privacy.

The company is expanding its Microsoft Sovereign Cloud offering, adding Data Guardian for European operations ("an additional level of assurance by ensuring that only Microsoft personnel residing in Europe control remote access to these systems"), external key management, which puts encryption keys fully under customer control, a management control plane for regulated environments, and locally hosted Microsoft 365 for private clouds, which runs only on Azure Local. These services are currently in preview, with plans to make them generally available later this year.

They represent the latest move by a US hyperscaler to offer "sovereign cloud" services to non-US customers looking to comply with new regulations in the EU (and elsewhere) that stipulate tighter controls and data protection.

But there’s more to it than compliance. Organisations are increasingly concerned over shifts in geopolitics. They are worried about where their data is ending up, who is processing it and under what jurisdiction, and fear the potential impact of breaches by state actors and cybercriminals; all this at a time when data volumes are rising rapidly and services are ever more reliant on the cloud. It’s a perfect storm.

A pivot away from public cloud

When cloud computing services first emerged, businesses and governments were understandably wary of placing sensitive data there. But as reliability improved, the worst-case security breaches failed to emerge and costs fell, that viewpoint changed, even in the wake of Edward Snowden's revelations about the reach of the US government and the "many eyes" coalitions, and particularly in countries that were part of those intelligence-sharing arrangements. Soon, all sorts of sensitive data found itself in the public cloud, which was deemed just as secure as, if not more secure than, on-premises or private cloud alternatives.

But the uncertainty caused by the re-election of Donald Trump, plus a huge uptick in cyberattacks and espionage cases, is causing many to re-evaluate the risk. Just this week Denmark and the German state of Schleswig-Holstein announced their intention to ditch Microsoft Office in favour of locally hosted open source alternatives.

The cloud giants are well aware of this shift in attitude, hence Microsoft's latest moves, as well as similar announcements by AWS and Google, which are also launching "sovereign cloud" services.

However, they face a problem in the shape of US legislation such as FISA 702, which authorises the security services to compel US-based cloud companies - including Google, Microsoft, Oracle and Amazon - to provide access to the data communications of non-US citizens located outside the US, and the CLOUD Act, which has similar provisions but covers data on US citizens too.

So how watertight can promises of cloud sovereignty ever be?

Not very, said Benjamin Schilz, digital sovereignty advocate and CEO of Wire, a European digital workspace platform, in an email to Computing. First, Microsoft's source code is not open, meaning that backdoors could be inserted to gather information such as metadata and encryption keys. Second, the US government has set a precedent in demonstrating its willingness to compel Microsoft to hand over data hosted on foreign soil, despite the company fighting such demands.

“Microsoft has no magical 'get out of US surveillance law' card to play, and its sovereign private cloud is writing checks it cannot cash," Schilz said. "It's not a question of intentions but the hard reality that any US software company can and will be legally compelled to surveil or even perform arbitrary denial of service."

He described Microsoft's promises of sovereignty as "a magical assertion", adding that "any company that accepts it in the face of hard legal realities is sadly indulging in magical thinking".

Mark Boost, CEO of UK cloud firm Civo, said organisations, particularly in regulated industries, are considering their options. “Geopolitical volatility has led to new perspectives on digital infrastructure. The previous reliance on US-based companies to be the sole providers of our cloud and technological needs can no longer be taken as a given."

He continued: “Commitments to boost Europe’s AI and cloud ecosystem can be seen as positive. However, while the CLOUD Act remains in force, enterprises and governments cannot depend upon US hyperscalers to keep their data fully private, regardless of the physical location of their infrastructure. Until this is addressed, hyperscalers cannot offer true sovereignty, and firms that are crying out for it will need to look elsewhere.”

So, can European providers step up to provide services that match the scale and breadth of the US CSPs, so that organisations can be confident of migrating like-for-like? So far, the answer to that question is no, but many firms will be looking again at the best place to store their crown jewels.