Given that corporate IT relies heavily on cloud-based infrastructure and services delivered via the public cloud, access to the data held in the cloud is paramount.
Should all mission-critical data be held on-premise? What roles should digital sovereignty and digital residency play in a corporate IT strategy? These are among the questions being discussed at Forrester’s forthcoming Technology & Innovation Summit in London.
Imagine going to the gym or doing a run and being unable to access Spotify or Amazon Prime Music. “We have so many dependencies on foreign [IT providers], which entails a dependency on foreign jurisdictions,” warned Forrester senior analyst, Dario Maisto.
In July, Reuters reported that Indian refinery Nayara Energy, which buys oil mainly from Russia, began legal proceedings against Microsoft, following European Union sanctions on the company.
According to Reuters, Microsoft Outlook and Teams services had been suspended.
Maisto said the fact there is a risk that a foreign government could impose restrictions on the use of such services is leading to IT leaders assessing how and when to use local service providers rather than foreign IT service providers. “Despite what some call the globalisation of IT, the balkanisation of IT means the future of certainty is global,” he said. “Certain vital applications that we use in Europe, like ERP [enterprise resource planning] and CRM [customer relationship management] do not even work outside of a hyperscaler’s cloud.”
Re-engineering
As Maisto notes, migrating an application from one cloud provider to another’s IT infrastructure can take years. “It is a re-engineering exercise,” he said. “Just moving an application like Workday from one hyperscaler to another can take up to two years. Can you imagine how long it would take to re-engineer the application to work on any cloud?”
Software as a service (SaaS) providers have developed their applications this way. “There is nothing that you as a client organisation can do,” said Maisto.
He said one of Forrester’s clients wanted to return to 100% on-premise IT to preserve its digital sovereignty posture, but ended up being 99.9% on-premise as it used ServiceNow. “You cannot deploy ServiceNow outside of a hyperscaling cloud, which means you have to open your IT infrastructure beyond on-premise and go to the cloud,” said Maisto.
On-premise and regulatory compliance
Many of the organisations Maisto has spoken to regard General Data Protection Regulation (GDPR) compliance as a reason for on-premise IT. However, he said: “We have solved that problem. You give the power of attorney to the hyperscaler then you’re fine with GDPR.”
The problem, according to Maisto, is not about remaining compliant with data protection regulations. Instead, he sees continued access to corporate data that resides in the public cloud as a bigger risk organisations face. “Can any foreign jurisdiction, any foreign government, any foreign provider outside of my jurisdiction, prevent access not only to their SaaS application and their infrastructure, but also to the data I store in that infrastructure?”
One of the concerns among IT leaders is whether data hosted in US hyperscaler clouds can be accessed by the US government’s Cloud Act. “People get concerned about the Cloud Act, but what they should be really concerned about is FISA article 702,” said Maisto.
The US government describes the Foreign Intelligence Surveillance Act (FISA) as “a critical intelligence collection authority that enables the Intelligence Community (IC) to collect, analyse and appropriately share foreign intelligence information about national security threats”. Section 702 authorises targeted intelligence collection of specific types of foreign intelligence information.
“Under the Cloud Act, you will get informed,” said Maisto. “But if the US National Security Agency has asked for your data under FISA 702, the hyperscaler cannot disclose this to you. They can only disclose the number of requests they received from the investigation agencies.”
While the likes of Amazon Web Services, Google and Microsoft are able to fight in court to prevent disclosure of customer data under the Cloud Act, Maisto warned that FISA article 702 gives the US administration access to the data, without a court order.
Another query Forrester often fields concerns data residency. “Data residency is something that hyperscalers cannot guarantee,” he said. “They cannot guarantee that the data does not move because their cloud environments are not engineered to grant that level of isolation and separation between customer environments.”
Maisto argues that IT leaders should be less concerned about data residency. Instead, IT leaders need to consider how they can secure continued access to data. “In 2022, when Russia invaded Ukraine, the private Bank of Ukraine moved from on-premise to the public cloud,” he said. “Microsoft helped the Ukrainian government to move from on-premise to a distributed cloud.”
According to Maisto, this is data sovereignty turned on its head. “You would associate sovereignty with local sovereignty, where data remains in the nation with local providers,” he said. “But actually, if you are in a conflict scenario, your best option for sovereignty is a globally distributed, highly replicated, highly, highly robust public cloud infrastructure.”
Maisto noted that truly sovereign cloud IT infrastructure is several years away. IT leaders asking for data sovereignty capabilities can expect to pay 15% to 30% more than normal public cloud contracts. Often, he said, data sovereignty is not required. “Most of the time, there is no actual requirement for data sovereignty,” said Maisto. “There is no GDPR for data sovereignty,” he said.
The Forrester Technology & Innovation Summit EMEA is taking place on 8–10 October in London.