Skip to content
Cyber Security Inside Podcast

What That Means with Camille: Cloud Sovereignty (179)

In this episode of What That Means, Camille gets into cloud sovereignty with guest Mauro Capo, Managing Director and Cloud First/Sovereign Cloud Lead at Accenture, and co-host Paul O’Neill, Director of Strategic Business Development in Intel’s Confidential Computing Group. The conversation covers the current state of data sovereignty, particularly in Europe, and the technology solutions making sovereign cloud a reality.

To find the transcription of this podcast, scroll to the bottom of the page.

To find more episodes of InTechnology, visit our homepage. To read more about cybersecurity, sustainability, and technology topics, visit our blog.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our hosts Tom Garrison @tommgarrison and Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

The Current State of Data Sovereignty

Paul and Mauro give a closer look at the current state of data sovereignty and the cloud, primarily in Europe where both of them are located. While the concept of the sovereign cloud is not new, it has recently gained more attention with the increasing dependency on U.S.-operated hyperscale cloud providers. This growing dependency has led to a growing need to fuel economic growth in the EU to drive digital innovation by delivering social value back into the local communities and economies from where the data originates.

Mauro describes Europe as like an open lab right now when it comes to cloud sovereignty. Even the definition of the sovereign cloud can be interpreted in slightly different ways. However, Mauro does define three classes of data sovereignty: how data is stored, managed, and protected. There’s also compute and operational sovereignty to consider. Overall, the sovereign cloud ends up being a combination of technology solutions and processes that balance compliance, trust, regulation, and innovation.

Technology Solutions to Bring About the Sovereign Cloud

When it comes to implementing data sovereignty in the cloud, Paul outlines three options: building on-premise sovereign solutions, turning to regional cloud providers for help, and introducing sovereign controls from U.S. cloud providers. These sovereign control options include Microsoft Cloud for Sovereignty, Google Cloud Hosting (GCH) solutions, the AWS Digital Sovereignty Pledge, and even solutions from Intel. Mauro says these solutions are helping to close the gap very fast between compliance with regulations and innovation with technology.

Paul and Mauro also identify confidential computing as another great innovation as part of cloud sovereignty to keep data encrypted while at rest, in motion, and in processing. The next step is to bring confidential computing to on-prem clouds, national clouds, and hyper-scalers, along with adding stations where data privacy and compliance officers can better understand how trust is put into the cloud.

Mauro Capo, Managing Director and Cloud First Lead ICEG at Accenture & Sovereign Cloud Europe

Mauro Capo cloud sovereignty sovereign cloud data sovereignty

Mauro Capo is Managing Director at Accenture, where currently serves as Cloud First Lead ICEG, Sovereign Cloud Lead Europe, and Cloud First HPS Lead ICEG. He has been with Accenture since 2012, working in a variety of different roles in the company. Before Accenture, Mauro was at IBM for nearly a decade. He has an MBA in management from the Henley Business School, as well as a Master’s degree in Electrical Engineering from Università degli Studi di Napoli Federico II.

Paul O’Neill, Director of Strategic Business Development in Intel’s Confidential Computing Group

Paul O'Neill cloud sovereignty sovereign cloud data sovereignty

Paul O’Neill has been with Intel since 2013 and currently works with the Confidential Computing Group as Director of Strategic Business Development. He specializes in security, confidential computing, data protection, and cloud services. Paul has spent over 20 years successfully delivering technology-driven solutions to clients, and he has worked across many geographies. He has a degree in Marketing from Technological University Dublin.

Share on social:

Facebook
Twitter
LinkedIn
Reddit
Email

Camille Morhardt  00:36

Really looking forward to a conversation today with the Head of Sovereign Cloud from Accenture in Europe Mauro Capo. And I’m going to co-host this episode with my colleague at Intel who works in Confidential Computing. His name is Paul O’Neill. And he’s joining us from Ireland.

Paul O’Neill  00:56

Pleasure as always, Camille.

Camille Morhardt  00:58

I’d like to ask Mauro to define sovereign cloud. But before we do that, Paul, could you give us a framework or a baseline to even start contemplating this topic?

Paul O’Neill  01:08

So the sovereign cloud really isn’t kind of a new concept. It’s been around in the cloud industry, I guess, for a few years now. But it’s gained renewed importance in the last couple of years for a couple of key reasons. And they’re kind of important reasons for the listeners, right. The first is that there’s a growing recognition that when we use hyper-scale, public clouds, like AWS, or Azure, all of your data may not necessarily sort of remain on sovereign soil, right, in the country in which it was generated. The hyper-scalers make a really important distinction between customer data versus metadata are your account information. And if you read privacy statements, etc, they reserve sort of the right to store that metadata in any location, including in the United States. So that really kind of causes a bit of a yellow flag for many of the data privacy officers. Merrill Lynch compliance is the real tailwind for a sovereign cloud.

The second piece that you see a lot of—or another change, if you will, that we’ve seen in the industry–is the idea of foreign access to that critical data. So for example, in 2018, the United States brought in legislation called the US Cloud Act. And the US Cloud Act basically says that US authorities can assert jurisdictional control over data from any cloud provider that subject to US jurisdiction. So that means that US courts, US law enforcement, or US security agencies can now potentially assert authority over data that sits in any cloud region in the world. So that’s a big concern for those who are generating data here in Europe as a critical dimension.

And the third thing, I think that we see a lot of which is very important for us Europeans here, we see Angela Merkel talk about a lot. Emmanuel Macron. Talk about the concept of the digital dependency on the US–digital dependency on US operators–and the need to really fuel economic growth within the European Union to drive sort of digital innovation. And the fourth thing, I think, is how we bring this all together, what we’re starting to see as more of a desire to deliver sort of social value back into our local communities and back into local economies. So for example, here in Ireland, you could take Irish car registrations, for instance. And on the surface, you know, this data has a lot of value around people movement, automotive spend carbon output and the like. But this information is really exploited to its potential through machine learning tools, it can form a huge amount of decision making in both the public and private sectors, if you will. And that’s kind of the point around sovereignty, right? It’s the desire to create value, from baseline data that flows back to the people for whom it will provide the most benefit. And so from the Intel perspective, they’re the real drivers that are put a spotlight on the renewed importance of sovereign cloud.

Camille Morhardt  03:59

Welcome to the podcast, Mauro.

Mauro Capo  04:02

Thank you for joining me today.

Camille Morhardt  04:09

Sovereign cloud, Mauro. Can you give us a brief explanation of what it is?

Mauro Capo  04:27

Typically, it depends on the way organization and public administration look to their challenges in protecting data, getting as much as possible control on how data is managed, how people operate data to deliver digital services. So it’s mostly in the eye of the beholder. We tend put sovereignty into big classes that refer to data sovereignty. So exactly how data are stored, how data managed, how data are protected, and then how data compute; then there is the big box of operational sovereignty. So the people that manage data and application services, I mean, which nationality they have? What are the processes that they have to follow to manage digital services, and finally, the software and application sovereignty? So who’s reading the code, which level of transparency do we have on the algorithms; so all these challenges all these dimensions goes under the big head of sovereignty.

Sovereign cloud is the set of solutions, that enables to gain some form of sovereignty in these classes. So it’s not one single solution is not one single provider is a combination of technology solution and processes to achieve those challenges, which are at the end means finding the right balance between getting the right compliance and right trust on the type of platform you’re using, and being able to get as much as possible compliant to the regulation you have to be following and getting also at the same time, access to the best innovation possible.

Paul O’Neill  05:48

You know, Mauro and the team at Accenture are working on a lot of different types of projects that are taking data within country to drive back those benefits.

Camille Morhardt  06:18

Yeah, Mauro, can you give us some examples of customers, what they’re interested in what they’re looking for?

Mauro Capo  06:23

The COVID pandemic showed us how important to deliver digital services at scale and fast. And at the same time, we’re seeing clients that are pushed by national policies, and guidelines and laws in some cases, to act. So those kinds of clients were cautious of adopting the cloud, because they felt that the platform they were able to adopt at that point of time was not considered trusted; now they have the options, and they are moving into the adoption phase. Some others are getting into the sovereignty discussion as industry champions; so they are leading an ecosystem, they consider themselves owners of an important set of data that can be shared with the rest of the ecosystem. Take, for example, the energy companies. Energy companies are basically living in an ecosystem where we have producers, distributors, and retailers of energy. And everybody knows how much energy could benefit from even integration, the energy flows through an even integration of digital services and data. But that’s exactly a good sample of what distributed data architecture could deliver in terms of benefits. Healthcare system is another classical example, on our moving insights, without moving data maybe can help deliver additional value to the constituency, because it gives you trends gives you understanding of what are now the clinic trends are evolving, and so on.

At Accenture, we also interact with another kind of clients that is emerging in in Europe, which are the clients that are presenting themselves to the market as potential provider for sovereign cloud services. So when we think to cloud providers, we tend to think to hyper-scalers basically, but the reality sovereign cloud providers will be multi cloud dive of providers, integrated services delivered from their own data centers, but also integrating and embedding solutions and services coming from hyper-scaler sensor. So we see those provider acting as frontliners to the market, integrating services coming from multiple supplies, and reinforcing this value proposition through sovereign cloud technologies, or operational countermeasures, or organizational structures, that doesn’t exist, doesn’t exist anywhere in the world. In reality, it’s now forming in Europe.

Paul O’Neill  08:34

Yeah, and I think, given that environment that these organizations have to work in now, it’s really forcing new thinking, and how data sovereignty should or could be implemented. I see kind of three ways right? Organizations are now considering building on-prem sovereign solutions–protected within the walls and the jurisdiction that it was created in. But even complex privacy laws may need to drive the need to protect that data to ensure it’s protected and being used for the purposes for which it was collected. And that’s a very important point right? Here in Europe, you really got to understand what that data was collected for. And I think the second thing then is, organizations can also turn to their regional cloud providers for help. Over here we’ve done a lot of work with Deutsche Telekom, for example, who are building cloud services in country. Mauro mentioned healthcare, can look at open sovereign cloud from Deutsche Telekom. And that can help overcome the challenges of knowing which legislation in their data at any point in time because as Mauro said, we’ve got GDPR we’ve got all the other things but it’s also nuanced in each European country. There’s a little layer of nuance there.

But the third is really important because US cloud providers have a really important role to play. They’re looking to fight back by introducing sovereign controls, using some Intel technologies in there that allow customers to assert better controls over how their data is handled in the public cloud. So, you know, Microsoft has launched its sovereign controls, and they’re taking this very seriously. And that’s very encouraging for the European customer base.

Mauro Capo  10:09

Yeah. And also, let me say that Europe is like an open lab in this moment around sovereignty, because while the market shaping by the institutional stakeholders was pushing the market from the top–like imposing rules, imposing some requirements on locations, requirements, and additional personnel, for example, and so on, and so forth, the technology provided from the bottom up, like Paul was mentioning, like Microsoft sovereignty, Google GCH solutions, AWS pledge for sovereignty, including Intel; they were preparing and putting on the market solution that already getting off-the-shelf services, more and more compliant to the regulations. So more and more, they are closing the gap very fast. So we have seen in 12-18 months, the two sides of the market are getting closer and closer in order to get to a set of solutions that the clients really can adopt, we trust. And we stretch now because they get performance and innovation.

Camille Morhardt  11:13

I want to explore that just a little bit more, because I think that’s an interesting push and pull that you’re saying with policy regulation, law, etc. at one end and technology at the other end. And I’m hoping that you guys can just take a moment and explain–I think we all get the regulation side of it–but on the technology side, how could technology potentially alleviate the requirement for literal physical presence in one location, you know, within one physical border versus another physical border or within on-prem versus within a public cloud and still retain sovereignty? And I understand that regulations or policies may not recognize that yet. But I want to know what options there are from a technology perspective.

Mauro Capo  11:58

Take again, health care, or if you think to defensive public safety data. Today, there’s a lot of fuss around generative TBI and artificial intelligence. The example that I think is better fit for this discussion is confidential computing, because confidential computing is taking this bias of having your data in an accessible and vulnerable segment of the IT infrastructure, and is enabling to protect the data not only when they are placed in storage, not only when they move from one side to the other, so in motion, but also during the computing processing; which means that all the lifecycle of the data is covered through a strong protection and a strong encryption. Together with Intel, we have done several testing of this technology in order to confirm that it actually reduces completely the attack surface by malicious operators and also enables collaboration on data driven business model between data providers and data owners that do not have any kind of trust with each other. It’s a very good example, because he’s also helped us move the bar of the regulations that define which kind of data can be overrated in cloud services into the space of strategic and critical data. And that’s technology. It’s not politics, it’s technology.

Paul O’Neill  13:27

Yeah, I think you called it out perfectly. You know, while sort of utilizing any cloud service from on prem cloud to local clouds, or hyper-scalers, that level of trust is required in those providers. And I think confidential computing is probably the most applicable technology to drive that trust. As you said, encryption is often seen as the answer to achieving that level of trust, but we need technologies to work with encrypted data, to combine encrypted data to run confidential AI, etc, etc. And some of the work that we’ve done together was really to bring confidential computing into national clouds, as I said, around even on-prem clouds, but more importantly, in the hyper-scalers. And some of the work that’s going on at Azure, for example, around their sovereign cloud infrastructures that are rolling out in Europe is really all based on confidential computing.

But there are other important aspects to that, as well. We have the role of added stations inside of confidential computing where data privacy officers or compliance officers can understand the process by which trust is inserted into the cloud, right? So where their datasets were accessed, what cloud, and what time etc. So for me confidential computing and the sovereign cloud seem to be a good match of how we can bring technology together to solve real life problems.

We also did see things like modern frameworks for machine learning like TensorFlow, etc. being used in a confidential way with sovereign clouds. Ourselves and Accenture, for example, also worked with Proximus and Belgium where, you know, they are able to define sovereign landing zones on Azure, which fit into what they need from a sovereignty perspective. So a certain dataset, a certain sensitivity, with an automated container based framework can land in the right area at the right time. Look, we’ve only started this journey, Mauro, right?  We’ve got a lot of work to do.

Mauro Capo  15:40

And we need technologists also new roles for played like ourselves, for Intel. This is a new market at the end. This is one of the few cases that I’ve been witnessing of actual reaction from the technology world to a politic vision, and the politic guidelines. Typically, politics follow ups, not the politics, they tend to rule or the market is presenting. In this case, I think that we’re seeing a political push and vision that has been forcing a bit technology players to react.

Camille Morhardt  15:59

Yeah, I had an interview with a representative from Maori and Indigenous Australian Groups A while ago, we talk specifically about indigenous data sovereignty. And so that was kind of, from their perspective, like a subset or a group of people that were interested in preserving the insights or gaining like you were saying earlier, Mauro, gaining access to the insights that were derived from data that was collected on their own group, you know, self-defined group. And I’m just wondering if you guys can talk a little bit about how this data sovereignty affects actual individuals, is this affecting them? Should they be thinking about it should we, as individuals be thinking about it?

Mauro Capo  17:03

It’s affecting them, because it’s for the good of the constituency that this was put in motion; there is an underlying value, that is the protection of fundamental rights of everybody, you know, so being safe about your privacy and your personal data, being confident that the permission that you have granted to service provider in the digital world is correctly used, being aware that your data will be used for the general good of the community rather than for malicious intent. And if I have my government thinking on how to improve my health care system, or if my financial system is more resilient to macroeconomic crisis, well, I feel more confident that my account is working for me, sovereignty goes in this direction, because it gives back control and value to the actual owner. I produce my data, I should be benefiting from the value and the properties that this data can deliver. We live in a digitalized world and every business is a digital business, every company is a digital company, every administration now is a digital administration.

Camille Morhardt  17:57

Can you both just sort of summarize if somebody is now interested in pursuing or better understanding some of these very complex details around sovereign cloud, what is their next step?

Paul O’Neill  18:08

Data is becoming super important for the modern economy, no matter where in the world, you’re, you’re based, right. And we also see that security and privacy expectations are increasing amongst companies and regulators, consumers alike, right. So as Mauro said, we need to make sure that data is collected for a certain purpose and not used for different purposes. But I don’t think there’s a one size fits all for the sovereignty puzzle; it’s likely to be a hybrid or a multi-cloud approach where organizations can choose from all of the sovereign cloud options we’ve discussed here for particular workloads that they’re considering, right. So I think organizations should choose their strategy carefully when considering which approach suits which workload.

For me it’s clear that sovereign clouds need technologies like confidential computing or privacy ?  technologies, if you will, if they’re to achieve the goal of data sharing within a single jurisdiction or regulated organization. Encryption of data is now the norm and building privacy, confidentiality, and especially integrity-based solutions into either a hybrid or multi-cloud sovereign architecture from day one, will make the evolving complexity of data sovereignty easier to navigate for customers and operators alike down the line. I think Mauro from an Accenture perspective, how would you view next steps for potential clients for you here?

Mauro Capo  19:30

Our proposition to enterprises, to clients is join us in our Center of Excellence that we have launched in Europe. We have now five of them.  This is where we collect and consolidate consulting people, security people, cloud people, data people to give a comprehensive solution that you can adopt to address this sovereignty challenge.

Paul O’Neill  20:08

Grazie Mauro!

Mauro Capo  19:54

Happy to have been with you

Camille Morhardt  19:56

Mauro Capo, Head of Sovereign Cloud for Accenture in Europe and Paul O’Neill joining us also from Ireland, working in confidential computing for Intel. Thank you so much for your time today.

Mauro Capo  20:08

Thank you very much.

Paul O’Neill  20:09

My pleasure.

More From