Achieving cross-border data protection with Microsoft Cloud for Sovereignty

Achieving cross-border data protection with Microsoft Cloud for Sovereignty

Microsoft’s Kathleen Mitford and Satish Thomas explain how organisations are using the platform to accelerate digital transformation while prioritising regulatory compliance and data security

Alice Chambers |

Organisations are paying for their data protection mistakes. Failure to comply with the European Union (EU)’s General Data Protection Regulation (GDPR), for example, can result in fines of up to €20.3 million ($22.1 million) per company or four per cent of the business’ total global annual turnover. Meanwhile, financial penalties for neglecting the directive on security of network and information systems, which manages the risks posed to essential enterprise services and digital service providers in the EU, can reach up to £17 million ($21.3 million). These are just two examples of the many regulations governing how governments capture, store and share data to ensure they can adequately protect it against cyberthreats and safeguard the privacy of individuals. 

To avoid substantial financial penalties, as well as reputational damage and legal action from aggrieved data subjects, businesses are developing data sovereignty strategies to ensure they meet the laws of the country that their data resides in. In particular, data sovereignty has become a more pressing issue with a variety of governments and organisations migrating to the cloud. While Microsoft Azure is already compliant with GDPR to protect the privacy of data, governments and businesses want to go beyond this to ensure they can meet national security requirements too. Accenture’s Sovereign Cloud Comes of Age in Europe report found that an increasing number of enterprises are prioritising cloud sovereignty by 2024, especially in sectors such as travel and hospitality, where 98 per cent of firms have already started developing their sovereignty strategies or are planning to by the end of 2023. In addition, 90 per cent of organisations in consumer goods and services and 85 per cent of those in public services are also doing the same.  

“Many organisations want to take advantage of the benefits of the cloud while also managing their data in accordance with local policies and regulatory requirements,” says Kathleen Mitford, corporate vice president of global industry marketing at Microsoft. “At Microsoft, we believe in transparency and in empowering governments to be in control of their data, so we view data sovereignty as a critical aspect of our cloud infrastructure strategy. This provides a secure avenue for modernising technology infrastructure and workflows to transform services and create better opportunities for social and economic growth.” 

Corporate and public sector organisations are keen to leverage the latest technological innovations like artificial intelligence, digital identities and online services, but first they need to determine where their data should reside and how best to protect it. Microsoft is helping customers to do this.   

“Microsoft has a strong track record in data sovereignty and compliance,” says Satish Thomas, corporate vice president of Microsoft Industry Clouds. “We help our customers meet over 100 national, regional and industry-specific requirements, providing a foundation for compliance. In July 2022, Microsoft announced Microsoft Cloud for Sovereignty, a new solution that enables governments to deploy workloads in Microsoft Cloud while helping to meet their specific sovereignty, compliance, security and policy requirements. The solution creates software boundaries by using hardware-based confidentiality and encryption controls in the cloud to establish the extra protection governments require.” 

Microsoft Cloud for Sovereignty became generally available in December 2023.There is a growing number of countries that are introducing data protection and sovereignty laws. The Accenture report found that 137 countries have enacted some form of data protection and sovereignty laws. Europe, in particular, has been driving the digital sovereignty agenda with 84 per cent of surveyed organisations saying that EU regulations have had a moderate-to-large impact on the way they handle data. Microsoft’s solution will help businesses to comply with these regulations.  

“The capabilities of the Microsoft Cloud already deliver on the requirements, regulations and standards of most government organisations, but the additional capabilities we’re providing with Microsoft Cloud for Sovereignty are designed specifically for countries with jurisdictional requirements around sensitive data,” explains Thomas.  

Microsoft Cloud for Sovereignty also offers governmental organisations the opportunity to gain a competitive advantage by moving to hyperscale cloud platforms so they can take advantage of new technologies, all while remaining compliant with data protection and sovereignty regulations. 

“We’ve seen governments around the world begin to make this shift from local private data centres to realising the vast array of capabilities and benefits only a hyperscale cloud provider can provide, with new innovations like generative AI and large language models (LLM) acting as an even greater catalyst for this movement,” says Thomas. “LLMs are helping public sector organisations to provide enhanced customer service experiences that make government services more accessible and less time-consuming. Our intention with Microsoft Cloud for Sovereignty is to unlock cloud innovation, such as Azure OpenAI Service, for governments through tailored sovereign controls. Our technical approach is grounded in repeatable best practices designed to help customers achieve their regional and national requirements.” 

Mitford adds: “Since the inception of the cloud, government customers have faced limitations with cloud adoption, in part because they need controls to meet specific national and regional requirements. Over recent years, innovators within governments around the world have asked for alternatives to the heavy capital expense and operational costs associated with a legacy approach of private data centres, both to reduce the overhead of owning and operating data centres and to facilitate modernisation.”  

Organisations have struggled to meet the needs of citizens while their data has been held in on-premises data centres, with limited server space restricting data storage options and the need to physically connect to servers limiting work flexibility. However, the cloud offers governments the ability to operate with agility. 

“With Microsoft Cloud for Sovereignty, governments don’t have to choose between digital innovation and control over their data,” says Mitford. “They can implement secure, consistent and compliant environments, and adhere to evolving local regulations while taking full advantage of the cloud. Governments that adopt the cloud benefit from the latest innovations including AI, digital identities and online services, but those that maintain or expand their private cloud investments may not benefit from the same growth and innovation.” 

Microsoft’s ecosystem of partners is also adding value to data sovereignty initiatives, especially for public sector organisations. For example, Atea is the first partner in Sweden to offer Microsoft Cloud for Sovereignty to its public sector customers. The firm has worked with the solution for over a year and is helping its customers to ensure their data meets evolving protection policies, such as the EU-US Adequacy Decision in July 2023 under the EU GDPR that now allows data transfers to the USA to be made without extra protection measures.  

Meanwhile, Leonardo – a technological partner for governments, defence agencies, institutions and enterprises in Italy – is working with Microsoft to build a solution that meets the Italian government’s data classification standards and supports the country’s goal to migrate 75 per cent of its public administration to the cloud by 2025.  

Plus, Inspark – a Microsoft Cloud Incubator for governments and enterprises – is working to provide a compliant approach to meet the demands of Dutch public sector customers, such as the Municipality of Amsterdam, with Microsoft Cloud for Sovereignty. The solution allows Inspark to leverage cloud capabilities for processes that use or create sensitive information, which in turn enables the Municipality of Amsterdam to offer modern services and experiences for citizens by migrating to the cloud in compliance with the Dutch BIO regulations for information security.  

“Partners are critical in this space,” says Thomas. “Governments need partners who understand the technical controls in the cloud and can help tailor those controls to individual countries and regulations. Our collaboration with partners who deeply understand national requirements enables us to provide a global solution for local requirements. These requirements are often complex due to a layered landscape of evolving policy, trends and regulations. Partners are helping to build policy packs that localise the sovereign landing zone to different geographies, assisting in determining which sovereign controls are appropriate for which data.” 

Microsoft is also investing in strategies to enable independent software vendors to produce a single global standard that will meet most of the requirements in a given country. “We hope this can bring some great solutions to our government customers and open up new opportunities for our vendors,” concludes Thomas. 

Partner perspectives 

We asked a selection of Microsoft partners how they are helping customers to capitalise on the value of their data and adopt AI to empower their workforces, increase customer engagement and gain a competitive advantage. 

“Entrust’s solutions help our customers implement the ‘never trust, always verify’ principle we see in zero trust, as it’s a cybersecurity best practice worth following to ensure data can only be accessed by the right entity, in the right way, at the right time,” said Samantha Mabey, director of digital solutions marketing at Entrust. 

“Blue Yonder is accelerating business transformation for agility and resilience at a speed and scale appropriate for each organisation,” said Shri Hariharan, head of manufacturing industry solutions at Blue Yonder. “It provides a calibrated evolution on a cloud-native cognitive platform, which is powered by composable software-as-a-service microservices to help organisations simplify time to launch and realise predictable and faster return on investment.” 

“Copilot helps technicians transform into a proactive force by liberating them from mundane tasks, while unleashing a new scale of operational efficiencies and revolutionising service experience delivery,” said Santhosh Nori, go to market and marketing lead at Infosys. “Infosys is leveraging Field Service Copilot to empower technicians with real-time data and insights along with predictive work order management and generative AI to not only achieve high first-time fix rates, but also to improve the quality-of-service requests.” 

“Data from isolved’s Voice of the Workforce (2023-2024) report, which surveyed more than 1,100 full-time employees, found that 90 per cent of them say their experience as an employee directly impacts the experience they provide to customers,” said Lina Tonk, chief experience officer at isolved. “This underscores the importance of investing in the development and wellbeing of employees to create a motivated and engaged workforce.” 

“Synergy Technical was among the first to advocate for, and assist clients with, migrations to cloud-native identity and infrastructure, which helped many of our clients weather the pandemic with few, if any, configuration changes,” said Adrian Amos, sales engineer and solutions architect at Synergy Technical. “We are spearheading the adoption and readiness for Copilot to find those complex data integrations and deliver insights to clients to help them prepare for whatever challenges come next.” 

Read more from these partners and others in the Winter 2023 issue of Technology Record

Subscribe to the Technology Record newsletter

  • ©2024 Tudor Rose. All Rights Reserved. Technology Record is published by Tudor Rose with the support and guidance of Microsoft.