IT Essentials: Making plans for sovereignty

Too many eggs in too few cloud baskets?

IT Essentials: Making plans for sovereignty

Image:
IT Essentials: Making plans for sovereignty

'No-one ever got fired for buying IBM,' the saying went. Choose the default and all will be fine.

In a similar vein, as a chemistry graduate in the 80s I was assured it was pretty much impossible to go wrong if you got in on the bottom rung at ICI.

And little earlier, in XTC's classic Making Plans for Nigel, poor Nigel, whose parents "only want what's best for him," was being frogmarched into a life of implied drudgery at British Steel.

Even if, against the odds, he had been "happy in his work" in heavy industry, Nigel wouldn't be there now. Because British Steel doesn't exist.

Likewise, had I heeded my careers advisor's words, I wouldn't be at ICI either, because that company, once a byword for corporate enormity, has also vanished.

IBM is still with us of course, but in a very different form. And you no longer get fired for not buying its services.

OK, so where's this going?

Well, when cloud first came on the scene, pretty much everyone was quick to see its promise for integration, standardisation and being able to access their data and applications anywhere in the world.

But there was a clear dividing line between what should go in the cloud, and what shouldn't - namely sensitive personal information, medical data, financial details and intellectual property. Over the years, though, as the security, reliability and coverage of cloud services have improved along with their convenience, that line became increasingly blurred.

Of course, new regulations like GDPR were a bit of a fly in the ointment, but cloud companies got around that through opening dedicated regions so that data would remain in the required jurisdictions. This process has deepened along with new regulations with the recent arrival of dedicated "sovereign clouds" for governments and related industries by AWS, Microsoft and Google.

Which is fine. In the main, cloud services (if pricey) are secure, efficient and available and more control over where data can go is to be welcomed. But we're still talking about Terabytes of highly sensitive data being uploaded from government departments, health services and businesses, mostly to two gigantic private companies (Microsoft and Amazon) based in one country.

Ofcom recently recommended a competition enquiry into the dominance of these two firms, but a broader issue is that the third, fourth and fifth-largest clouds are from the same country too. A nation whose politics in recent years have looked dangerously unstable, and whose laws permit it access to data hosted by those companies anywhere in the world without a by-your-leave from the counties concerned.

With this in mind, it has long seemed to me that too many eggs are being put into one rather unstable basket. The rule is now, effectively: No one ever got fired for using Azure, and that seems foolhardy. It might seem like AWS and Microsoft are an immovable mass, but you could have said the same about ICI and British Steel in the 80s too. Nothing lasts forever and change can come fast.

So, it was interesting this week to hear Roberto Cingolani, CEO of Italian aerospace giant Leonardo making plans for sovereignty, calling for state-controlled cloud services in Europe, saying: "A safe country needs a government cloud, at least for financial, health and defence data."

Related reading

Hybrid cloud is booming, but where are European providers?

OVHcloud boss: European cloud providers need to stand up to the US hyperscalers

We need alternatives to the US cloud now

Why CIOs need to think about data sovereignty as part of their digital strategy