
Microsoft Cloud for Sovereignty: Maintain control over strategic digital assets

Sjoukje Zaal
20 Sep 2022

Governments and organizations are focusing on digital transformation to fundamentally transform the way they operate and deliver services to their customers. Cloud adoption has increased tremendously in the last couple of years, also due to the COVID-19 pandemic. But as they move to the cloud, organizations want to maintain the same level of control over their IT resources as they have in their data centers. Concerns about cloud sovereignty, which include data, operational, and technical issues, are not new and have been increasing because of rising geopolitical tensions, changing data and privacy laws in different countries, the dominant role of cloud players concentrated in a few regions, and the lessons learned through the pandemic. As a result, governments and organizations are reevaluating their external exposure and looking for ways to maintain physical and digital control over strategic assets.

To address these concerns, Microsoft has released a new solution called Microsoft Cloud for Sovereignty. This solution aims to meet the compliance, security, and policy requirements that governments and organizations are facing. With the addition of Microsoft Cloud for Sovereignty, governments and organizations will have more control over their data, and it will increase the transparency of the cloud's operations and governance processes.
Microsoft Cloud for Sovereignty is designed to be a partner-led solution, where partners will play a vital role in delivering the solutions. One of Microsoft’s European Cloud principles is that Microsoft will provide cloud offerings that meet European government sovereign needs in partnership with local trusted technology providers. Also, Capgemini and Orange have been working closely together with Microsoft, and will start supporting clients in preparing for their migration by the end of 2022.

With Microsoft Cloud for Sovereignty, Microsoft is focusing on the following pillars:

Data residency

Data residency is the requirement that data must be stored within a specific geographic boundary, such as a national boundary. Azure offers data residency for many services in over 35 countries with over 60 different data center regions worldwide (and growing). This enables residency options for Azure, Microsoft 365, and Dynamics 365, where many clients can store and process their data locally. By implementing policies, clients can meet their regulatory requirements to keep their applications and data within the required geographical boundary. For Europe, the forthcoming EU Data Boundary will ensure that data is stored and processed in the EU and the European Free Trade Association (EFTA).
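The "policies" mentioned above are Azure Policy definitions. The following is an added example, not code from the article or from Microsoft's own policy library, of a custom definition that denies the creation of any resource outside an approved list of regions. Azure ships a built-in "Allowed locations" policy that works the same way; this custom version shows the rule so that the logic is visible. The parameter name `listOfAllowedLocations` and the default regions `westeurope` and `northeurope` are assumptions chosen for the example and would be replaced with the regions inside the client's required boundary.

```json
{
  "properties": {
    "displayName": "Deny resources outside the approved data boundary (added example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation of resources whose location is not in the approved list. Resources with the location 'global' are exempt because some services (for example DNS and traffic routing) do not have a regional location.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions inside the required geographic boundary (example values)",
          "strongType": "location"
        },
        "defaultValue": ["westeurope", "northeurope"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

In practice such a definition is assigned at management group scope so that every subscription beneath it inherits the rule, and it is first assigned with the `audit` effect to list existing non-compliant resources before switching to `deny`. A location policy governs where a resource is deployed; it does not by itself govern secondary copies a service makes, such as geo-redundant storage replication to a paired region, so replication settings need their own review against the boundary.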

Sovereign controls

In addition to the specific regions and geographic boundaries where applications and data are stored and processed, Microsoft also offers a set of sovereign controls that provide additional layers to protect and encrypt sensitive data. These controls span the entire Microsoft cloud: SaaS offerings such as Power Platform, Microsoft 365, and Dynamics 365, as well as the cloud infrastructure and the PaaS services that are available in Azure.

The following offerings can be leveraged by clients for sovereign protection:

  • Azure Confidential Computing: Azure confidential computing consists of confidential virtual machines and confidential containers. This enables data to be encrypted not only at rest but also in use. Specialized hardware is used to create isolated and encrypted memory, which is called a trusted execution environment (TEE). TEEs guarantee that the data and code being processed cannot be accessed from outside the TEE. Client-owned encryption keys are released directly from a managed HSM (hardware security module) into the TEE. The client keys remain protected while in use, so data is encrypted at rest, in transit, and in use.
  • Double Key Encryption (DKE): DKE uses two keys together to access protected content. One key is stored in Azure and the other key is held by the client. It comes with Microsoft 365 E5, and it is intended for the most sensitive data that is subject to the strictest protection requirements.
  • Customer Lockbox: Customer Lockbox ensures that Microsoft can’t access client data and content without explicit approval from the client during service operations. Customer Lockbox is offered for Microsoft 365, Microsoft Azure, Power Platform, and Dynamics 365.
  • Azure Arc: Azure Arc extends the Azure services, management, and governance features and capabilities to run across data centers, at the edge, and in multicloud environments. Clients can centrally manage a wide range of resources, including Windows and Linux servers, SQL Server, Kubernetes clusters, and other Azure services. Virtual machine lifecycle management can be performed from a central location. Governance and compliance standards can be met by implementing Azure Policy across these different resources. And services such as Azure Monitor and Microsoft Defender for Cloud can be enrolled as well.
  • Sovereign Landing Zone: Microsoft Cloud for Sovereignty will include a Sovereign Landing Zone. This landing zone is built upon the enterprise-scale Azure Landing Zone and will make deployments automatable, customizable, repeatable, and consistent. This landing zone will extend into Azure Information Protection, which also enables policy and labeling for access control and protection of email and document data. Clients can also define custom policies to meet specific industry and regulatory requirements.

Governance and transparency

The Government Security Program (GSP) provides participants from over 45 countries and international organizations, represented by more than 90 different agencies, with the confidential security information and resources they need to trust Microsoft’s products and services. These participants have access to five globally distributed Transparency Centers, receive access to source code, and can engage on technical content about Microsoft’s products and services. Microsoft Cloud for Sovereignty will expand GSP to increase cloud transparency, starting with key Azure infrastructure components.

Wrap up

In this article I wanted to focus on what Microsoft Cloud for Sovereignty has to offer for clients who want to leverage the Microsoft cloud for their digital transformation journey, but also want to maintain the same level of control over their IT resources as they have in their own data centers. Cloud adoption has accelerated enormously in the last couple of years, which also makes cloud sovereignty much more important for governments and organizations. Microsoft offers the tools, processes, and transparency to partners and clients to support the increasing sovereignty requirements that clients have on their digital transformation journey.

Due to these increasing sovereignty requirements, Capgemini has conducted research to look deeper into organizational awareness and key priorities when it comes to cloud sovereignty and the role it plays in overall cloud strategy. We have released a whitepaper with our findings, which can be downloaded here.

At Capgemini, we have a lot of experience in implementing cloud solutions across all industries. If you would like more information about how we do this for our clients, you can contact me on LinkedIn or Twitter.

You can also read my other articles here.

Sjoukje Zaal

Head of Microsoft Cloud Center of Excellence