Building trust in cloud is at the heart of a new movement in Europe to generate value from data and technology innovations.
Europe’s vast troves of industrial data have grown even larger because of the accelerated digitization during the global lockdown.
In an era of fast-growing information technology innovations, it is crucial to put these innovations into action to address the challenges of society, organizations and enterprises. The true value resides in solutions and services that solve these challenges. It requires a multidisciplinary, ecosystem approach. All European sovereignty initiatives should encourage and reinforce any form of collaboration leveraging existing technology innovation to create meaningful use cases for industries and society in a climate of trust.
Let’s explore the stakes of digital sovereignty and some of the initiatives led by governments and cloud service providers (CSPs) and show how organizations can benefit from them.
Digital sovereignty of the winning kind
Digital sovereignty is one approach spearheaded by the EU. Digital sovereignty can take many forms; here we lay out five essential pillars of success:
- Strategic autonomy: Enable European organizations to build new businesses and services for clients and citizens that leverage existing technology in secure and trusted ways and take advantage of the huge amount of European data. It requires 1) digital trust (e.g., data protection, cyber-resilience, shared values); 2) capacity to embrace technology (including all the innovations, rather than reinventing the wheel); and 3) an ecosystem approach of all stakeholders: those who understand the challenges of a given sector (e.g., finance, health, industry), those who provide the technology and those who can put it into action and implement it.
- Thriving innovation through an ecosystem approach: The ecosystem approach is not only necessary to unite the strength of different types of stakeholders (e.g., industries, technology providers, system integrators) but also to bring together the representatives of the same industry (sector) into trusted spaces to access and share data and to collaborate to enable the invention of new services (e.g., for anti-fraud).
- Increased protection of personal and industrial data and IP: Digital transformation and ensuring a safe and secure data economy are not mutually exclusive. The challenge is to make it easier for organizations to achieve high levels of data protection. This high level of data protection can be achieved through contractual engagement, certifications and advanced security technology, security measures and real-time compliance controls and reporting. These high security and protection standards should apply to the data (especially sensitive data). Organizations must keep full control and ownership of their data and of the insights derived from these data to drive innovation.
- Improved cybersecurity: Last year, we again saw a record number of security incidents that impacted data and enterprises’ operations — paralyzing businesses and organizations. While cloud brings a set of security measures combined with a number of certifications to ensure a high level of security standards, the split of responsibilities between cloud providers and users might introduce some confusion or ambiguity. Clarity and the right level of awareness for users are key to ensuring cyber-resilience. The clarity must be based on two pillars:
  - Cloud service provider (CSP) cyber-resilience (often called “security below the line”), which is composed of a set of security measures, processes and controls as well as specific security services to which users can subscribe. The level of the CSP’s cyber-resilience is demonstrated by a set of obtained certifications (e.g., ISO security-related certifications, SOC2 certification and any specific certifications by industry) and any other industry-specific control tools (e.g., IBM Security and Compliance Center for Financial Services).
  - “Above the line” cyber-resilience relates to specific measures that the clients should put in place to complement the cloud provider’s cyber-resilience. Cloud users are responsible for subscribing to specific services tailored to the security requirements of their environment (e.g., IBM Cloud Hyper Protect Crypto Services with level 4 cryptographic module) and for putting in place overall security monitoring and control.
- A new generation of talent: Educate, re-skill and up-skill students and professionals to develop and deploy the infrastructure and services needed to drive the data economy.
Digital sovereignty initiatives
There are a number of initiatives to achieve the goals of digital sovereignty:
- The EU Cloud Code of Conduct — assurance of the highest privacy and security standards in the Cloud: IBM has been a leading force in developing the EU Data Protection Code of Conduct for Cloud Service Providers and was the first to adhere services to the Code in 2017. The Code is independently monitored and contains rigorous assurances — including the GDPR compliance measures — for the protection of data in cloud services. The EU Cloud Code of Conduct has received official approval by the Lead Data Protection Authority. This approval ensures and proves that signed-up services not only comply with the GDPR but go even further in terms of trust, accountability and transparency. With the Code of Conduct, cloud users using a cloud service that adheres to the Code can be confident that they are complying with the GDPR and that their data is secure.
- GAIA-X — a European cloud infrastructure: GAIA-X will lead to Europe’s next generation of data infrastructure — cooperation between European countries and cloud companies on a federated cloud system that lets organizations harness the benefits of cloud computing and collaborate with partners without being locked into vendors. IBM is a member of GAIA-X. We share its objectives regarding responsibility, security and data protection as well as interoperability, portability and the promotion of open standards and environments.
Providing technical safeguards
To be a part of the trustworthy data economy, organizations need to have the choice of the best privacy and security solutions. IBM prioritizes providing first-of-a-kind privacy-preserving technologies to support data sharing within and between organizations. Some of our latest innovations will help organizations be a part of a European trust-based data economy:
- Confidential computing: A real breakthrough is our “confidential computing” capability. For years, cloud providers could only offer encryption services that protected data “at rest” and “in transit,” leaving data “in use” vulnerable. IBM’s confidential computing continuously encrypts and protects data throughout the entire computing lifecycle, including when it is being processed in memory. This holistic approach to data protection opens up exciting new possibilities to leverage cloud innovation and successfully addresses some of the security and privacy concerns.
- Keep Your Own Key: "Keep Your Own Key" is an industry-leading encryption technology that allows businesses to maintain control over their own encryption keys, meaning they are the only ones who can control access to their data. IBM's leadership in this area is supported by the highest level of security certification available in the market.
- Hybrid cloud: Hybrid cloud allows users to benefit from technology innovations (usually born in the cloud) in any deployment model (e.g., public cloud, on-premises, at the edge). Hybrid cloud today is no longer about connecting local data center IT to public cloud, but rather about truly bringing cloud services wherever the organization decides, with all possible operational models: as a license (managed by clients) or managed by the cloud provider. IBM’s hybrid cloud approach, which largely leverages open source, offers portability and full freedom of choice in terms of deployment and operational models.
- EU-only services: EU-only services enable clients to store and process data in the European Union. IBM’s EU-only option ensures that clients’ data are stored and processed in the EU and that EU-based personnel make updates and perform operations of cloud services. Should a need arise for non-EU personnel to access the infrastructure or a service (e.g., a level 3 incident that cannot be solved by EU personnel), the access permission is subject to an approval process and strict controls. IBM has extensive and unmatched data storage and processing capabilities in the EU. We have been providing EU-only support for our cloud services since 2017 (prior to the GDPR). Our cloud infrastructure in Frankfurt is C5-certified by the German cybersecurity agency BSI.
Trust and transparency are fundamental to realizing the full potential of the data economy. Europe’s focus on trusted cloud creates new opportunities for businesses.
IBM supports the EU’s efforts to build greater trust in the digital economy and to become a leader in a values-based digital revolution. For years, IBM has been participating in EU initiatives (among others: EU Cloud Code of Conduct and GAIA-X) to contribute to building digital trust. IBM adheres to European values and complies with EU regulations and the highest security standards.
As reiterated by IBM EMEA Chairman Martin Jetter today, our commitment is and has been crystal clear. IBM European entities are subject to their national jurisdiction and will reject any demand from authorities that have no jurisdiction over them to access the data entrusted to them by an enterprise or organization.
IBM is there to help support the EU in its work, to keep our clients abreast of developments and to help them generate value from their data.