Data sovereignty refers to the laws and governmental policies applicable to data stored in the country where it originated and is geographically located. Over 100 countries have some sort of data sovereignty laws in action that restrict data storage and transfers. Perhaps the best-known example is the EU General Data Protection Regulation (GDPR), which mandates how the personal data of people in the EU must be treated, regardless of where the organization collecting the data is located.
These laws can be far-reaching and vary by country or legal jurisdiction (e.g. at a state or provincial level), increasing complexity. Often, data privacy laws extend not just to data but to metadata, accounting, support, and backup data. They may limit where and how data can be stored or used and who can access it. For example, non-citizens might be prohibited from accessing government data.
VMware helps customers comply with rapidly growing and changing data privacy laws, ensures that data sovereignty, data residency, data access, and jurisdictional control are securely managing customer’s most sensitive data. This allows organizations to unlock the power of data while preventing access by foreign authorities by using local VMware Cloud Verified Providers that store all data, including metadata and backups, within the local jurisdiction with no external dependencies. Data in a sovereign cloud is isolated from the provider’s core network and the internet so it stays under the control of the data owner. Data center operations are carried out by vetted sovereign citizens to comply with sovereignty regulations. With VMware, organizations maintain control of their data while also complying with data privacy and sovereignty laws.
The first step to complying with data sovereignty and privacy regulations is to understand your data, where it’s located, and the data residency, privacy, and sovereignty policies for each respective location. This requires classifying your data.
Sovereign Cloud is a type of cloud computing that prioritizes data residency and sovereignty for organizations. This means that the data is stored and processed in a geographic location subject to the privacy laws of the nation where it is collected, ensuring compliance with privacy laws and data protection regulations. These national or regional regulations and laws govern everything from where data resides geographically to cross-border data flow.
A Sovereign Cloud must have five characteristics to provide the assurances customers need:
- Data sovereignty and jurisdiction control
- Data access and integrity
- Data security and compliance
- Data independence and mobility
- Data innovation and analytics
Sovereign clouds are secure in a completely locally-built, attested platform that is customized, maintained, and compliant with local laws and regulations. VMware Sovereign Cloud helps organizations comply with data privacy laws by partnering with local cloud providers to build sovereign clouds based on VMware’s framework that are based entirely within a local jurisdiction. These VMware Cloud Verified and approved Sovereign Cloud initiative approved partners have local staff with security clearances (if required) and expertise with local laws to ensure the compliance of the sovereign cloud environment. VMware partners must include security controls as part of the 20-point self-attestation process. These partner/providers offer continuous compliance monitoring, reporting, and remediation so data follows local and industry regulations.
To maintain control over your data, look to our locally hosted sovereign cloud to keep sensitive data secure and compliant. A sovereign cloud prevents compelled access by foreign authorities that could violate data privacy laws and reduces the risk of exposure of sensitive data or metadata.
It is managed by sovereign citizens to comply with strict data sovereignty rules. In a sovereign cloud, the resident domain is isolated from the provider’s core network and the internet. Management and control planes are hosted entirely within the sovereign cloud, with no external dependencies that could result in data leaving the sovereign boundary. No data is stored outside the country, including backups, metadata, accounting, or support information.
With a sovereign cloud, you can ensure the utmost security, including bringing your own encryption keys so the cloud provider cannot access your data. A sovereign cloud protects your data’s privacy and sovereignty through controls and services unavailable in commercial clouds.
VMware’s Sovereign Cloud initiative is a global collection of cloud provider partners who are committed to helping customers comply with rapidly growing and changing data privacy laws. Sovereign cloud providers ensure that data sovereignty, data residency, data access, jurisdiction, control, and much more are met with the assurance that customer’s most sensitive data is managed securely. This allows organizations to unlock the power of their data while remaining compliant with data privacy regulations.
VMware Sovereign Cloud partners deliver Cloud Verified services with architecture built on VMware Validated Designs (VVD) for Cloud Providers, meaning they can design, architect, and secure compliant clouds fast, efficiently, and cost effectively for a lower TCO. VMware Sovereign Cloud providers must self-attest to a framework of guiding principles, best practices, and technical architecture requirements to deliver cloud services that adhere to the data sovereignty requirements of the specific jurisdiction in which that cloud operates (as mandated by the relevant government or commercial body). VMware Cloud Providers that meet this framework can be invited to join the initiative.
An enterprise that successfully implements a Sovereign Cloud can achieve the following benefits:
- Prevents access by foreign authorities
- Ensures all data is kept within the local jurisdiction
- Ensures data privacy and sovereignty
- Isolates data from the provider’s core network and the internet
- Maintains data control and access by the owner
- EnsureEnsures compliance with sovereignty rules
- Utilizes data classification tools to determine which regulations apply