In the previous blog post in this series on edge computing, we talked about distributed cloud and its promise of managing remote locations from a single control plane. We also saw how distributed computing empowers edge computing by bringing the power to process large amounts of data at the data source. That inherently satisfies the data residency requirement that many industries and countries seem to require these days, but the question about data sovereignty is debatable. Data sovereignty is defined as data being subject to the laws and governance structures from within the jurisdiction where it is generated or collected.
In this blog post, we discuss data sovereignty and how it is addressed by distributed computing at the edge. But first, we must understand digital sovereignty. Digital sovereignty is the right of the nations, organizations and citizens to have control over their digital autonomy and their data. Since it is all about data, that is where sovereign cloud or data sovereignty comes in — where does the data reside, where is the data flowing and who has control over it?
Enter the sovereign cloud! Figure 1 is taken from an IBM blog post written by Hillery Hunter and Dan Waugh: “Addressing Regulations and Driving Innovation with Sovereign Cloud.” While illustrating the sovereign cloud hierarchy of needs, it provides IBM’s view of the nature of sovereign cloud. Edge computing, as we know it, addresses the data locality aspect. There are other aspects to consider when discussing sovereign cloud:
Figure 1: Sovereign cloud hierarchy of needs.
Nations are putting regulations in place that are designed to help protect and control locally generated data and assert countries’ rights to technological autonomy. The primary objective is to protect data and the privacy of citizens, businesses and government organizations against misuse, exploitation and cyberthreats.
In the U.S., there is the Clarifying Lawful Overseas Use of Data Act or the CLOUD Act (link resides outside ibm.com)(2018), which compels U.S.-based vendors to “disclose the contents of an electronic communication or non-content records or information pertaining to a customer or subscriber, regardless of whether the communication or record is located within or outside the United States.”
Sovereign cloud can help deliver the levels of security and data access required to meet specific local jurisdiction laws on data privacy, access and control. With this market expected to reach 71.2 billion USD by 2027, it is no surprise that hyperscalers are coming out with sovereign cloud offerings. Microsoft recently launched Sovereign Cloud for Governments, which seems to be geared for European countries. It says the Azure sovereign clouds will be isolated in-country platforms with independent authentication, storage and compliance requirements.
Distributed cloud and edge computing might seem counter to the notion of data sovereignty and sovereign cloud, but they aren’t. The key requirement seems to be the location of the management control plane. Customers are asking for the cloud control plane to be within certain boundaries. As long as the edge locations are still within the nation’s borders, they can be part of the distributed cloud paradigm and also satisfy the sovereignty requirement. Let’s sketch this out with some examples:
Figure 2 shows the IBM Cloud Satellite topology where the Satellite locations in a country are servicing far edge instances also located in within the country borders. The management control plane is in IBM Cloud. As pointed out in a previous blog, each location has its own control plane. All client data is kept local and none of it is moved to the cloud. Even the site reliability engineers (SREs) managing the environment do not have any visibility to that data:
Figure 2: IBM Cloud Satellite topology.
Data residency is defined as the geographic location where customer data is located. Given that definition, the above topology satisfies the data residency requirement because all client data is stored and processed in that Satellite location.
Figure 3 is slightly different. It shows a distributed topology where the remote locations in a country are servicing far edge instances located within the country, and the management control plane is also within the country borders. As before, all client data is kept local and none of it is moved to the cloud. Even the management of all the remote locations is “local”:
Figure 3: Sovereign cloud topology.
The above scenario harkens to data sovereignty, which refers to the fact that information is subject to the privacy laws and governance structure of the nation from which the data is collected. It allows for data protection and compliance with privacy laws governing data storage and handling within a certain jurisdiction.
Data residency refers to the geographical location of the data, whereas data sovereignty relates to the laws and governance that data is subject to while it is processed at a geographical location. We should point out that data sovereignty does not equate to cloud sovereignty; it is but one facet of sovereign cloud.
Digital sovereignty refers to the idea that data is subject to the laws and governance of the nation it is collected in. Thus, sovereign clouds are often used within geographical boundaries where there’s a strict data residency requirement.
Depending on the location of the IBM Cloud Multizone Region (MZR) being used, IBM Cloud Satellite can function as a sovereign cloud in many cases. Otherwise, the next best option is to offer all facets of sovereign cloud except where there are strict governance laws pertaining to the management control plane.
What is the impact of all these sovereignty discussions on application development? How do sovereign clouds impact SaaS applications? Should the application be deployed within the scope of a sovereign boundary?
Let us know what you think.
Special thanks to Dan Waugh for providing his thoughts and reviewing the article. Also, thanks to Joe Pearson for reviewing the article.
Please make sure to check out all the installments in this series of blog posts on edge computing: