One of the core selling points of the cloud — in theory — is that it offers a uniform approach to IT infrastructure. When using the cloud, CIOs don’t have to worry about where their servers are located, which software they’re running, or who is maintaining them. One cloud server is as good as another.
At least, that was once the case. Today, issues such as geopolitical turmoil, diverse regulations, and data localization pressures mean that cloud environments and regions are not always interchangeable.
This also means CIOs must increasingly find ways to manage fragmented or fractured clouds. Gone are the days when IT leaders could treat “the cloud” as a singular entity and deploy a simple set of governance and operational policies across it. Today’s CIOs must be more strategic, embracing practices like federated cloud architectures and sovereign cloud environments, if they want to achieve the efficiency and efficacy they once enjoyed.
The Fracturing of Cloud Environments
To fully understand the challenge, step back in time to the first decade of this century, when cloud computing was new and businesses were just starting to pivot from on-premises infrastructures to the cloud.
At the time, cloud environments were largely interchangeable from a governance, compliance, and security perspective. It didn’t really matter exactly which cloud data center hosted an organization’s workloads, or which jurisdiction the data center was located in. IT leaders had the luxury of choosing cloud platforms and regions based primarily on factors such as pricing and latency, without having to consider geopolitics or the global regulatory environment.
Fast forward to the present, however, and planning a cloud architecture — let alone evolving an existing cloud strategy in response to changing needs — has become much more complex. Several key factors must be weighed, including the following:
1. Geopolitical considerations
From a technical perspective, a cloud server based in one country is usually just as capable of meeting enterprise IT needs as one based in a different country. But geopolitically, one cloud server might better suit an organization than another.
Consider, for instance, a business that wants to host workloads in the Asia-Pacific region. The organization could choose a cloud data center based in mainland China or one in Taiwan, since major public clouds offer regions in both countries. From the perspective of latency and performance, there is unlikely to be a significant difference.
Politically, however, there are important distinctions to think about. If the business wants to maintain access to the Chinese market for its products, choosing a Taiwan-based data center may not be a good look. Moreover, traffic that originates in Taiwan may have difficulty penetrating China’s “Great Firewall.” On the other hand, selecting China-based cloud data centers presents its own complications, such as the fact that those owned by U.S. companies are operated by Chinese partners that may not be able to make the same security and data privacy guarantees as U.S. cloud providers.
2. Diverse regulations
A decade or two ago, the compliance landscape for cloud computing was relatively simple. Certain jurisdiction-specific laws, such as HIPAA, existed, but for the most part, the regulatory mandates a business needed to meet were typically the same, regardless of which cloud platform or region it chose.
That’s no longer true. During the past decade or so, a host of regulations have emerged that apply to specific jurisdictions, including the GDPR and California Public Records Act (CPRA). Regulations dealing with AI, which are just now coming online, are likely to add even more diversity as different states or countries introduce varying laws.
From a compliance perspective, this trend means businesses must carefully assess the implications of their cloud architectures. Technically, there is no big difference between a cloud data center located in northern California and one in Oregon, for example. But from a regulatory perspective, there is: California maintains data privacy regulations (namely, those defined in the CPRA) that don’t apply in Oregon.
3. Data localization considerations
A related issue is the increasing pressure organizations face surrounding data localization, which refers to the practice of keeping data within a certain country or jurisdiction. Regulations require this in some cases. Even if they don’t, businesses may voluntarily choose to ensure data localization for the purposes of improving workload performance (by reducing the distance data needs to travel, which in turn reduces latency), or to assure customers that their data never leaves their home region.
Here again, the cloud architecture a business chooses has major implications for its ability to promise and achieve data localization.
Sovereign and Federated Clouds
One possible response to the challenges described above would be for global businesses to maintain totally isolated cloud environments in different regions. A company could operate one set of cloud workloads in the European Union, for example, while running a completely distinct cloud environment in the United States. That approach would help ensure that the organization could meet distinct political, regulatory and data sovereignty needs in each region.
The downside, of course, is that maintaining totally separate cloud environments adds enormous operational complexity and overhead for IT organizations. It’s also unlikely to be cost-efficient, since it will almost certainly involve more than a little redundancy and deprive the organization of the ability to benefit fully from economies of scale.
A more efficient approach is to integrate two key concepts into the organization’s cloud strategy: sovereign clouds and federated clouds. Each of these has a unique role to play in helping to operate clouds efficiently, while simultaneously addressing the geographical complexities of the modern cloud:
- Sovereign clouds are cloud environments designed to meet the regulatory requirements of a specific country or region. They keep data and processing local when necessary, while still offering the ability to integrate with external infrastructure.
- Federated clouds connect disparate cloud environments together, enabling uniform security and compliance controls while still allowing a business to maintain distinct cloud presences.
Used in combination, sovereign clouds and federated clouds help to ensure that organizations can conform to region-specific requirements and considerations, while also keeping operations and governance streamlined. In other words, they provide the benefits of region-specific controls without the complexity of having to maintain multiple regional clouds in isolation from one another.
This is precisely the balance CIOs must strive for as they seek to reconcile cloud strategies with increasingly complex geopolitical and regulatory realities.
