Microsoft Cloud for Sovereignty: The most flexible and comprehensive solution for digital sovereignty

Governments and public sector customers around the world are looking to accelerate their digital transformation, creating opportunities for social and economic growth and enhancing citizen services. Today, I am excited to announce Microsoft Cloud for Sovereignty, a new solution that will enable public sector customers to build and digitally transform workloads in the Microsoft Cloud while meeting their compliance, security and policy requirements. Today, public sector customers can harness the full power of Microsoft Cloud, including broad platform capabilities, resiliency, agility and security. With the addition of Microsoft Cloud for Sovereignty, they will have greater control over their data and increased transparency to the operational and governance processes of the cloud.

Governments are obligated to meet specific requirements for varying data classifications including data governance, security controls, privacy of citizens, data residency, sovereign protections and compliant operations following legal regulations like the GDPR (General Data Protection Regulation). The Microsoft Cloud for Sovereignty — offering governance, security, transparency and sovereign technology — combined with strategic partners can support the digital transformation of government customers unlike any other cloud provider in the world.

Helping customers leverage the cloud while meeting their unique needs

Microsoft Cloud for Sovereignty is being built on the Microsoft public cloud to accelerate digital transformation while creating a customized experience adhering to government requirements. Government customers will have the power of the public cloud, addressing low cost, agility and scale expectations, with the full breadth of capabilities like modern developer services, agile infrastructure, secure DevOps, open-source platforms, modern collaboration and low-code development. Additionally, Microsoft Cloud for Sovereignty customers will continue benefiting from Microsoft’s global security signals, analyzing over 24 trillion signals every day to identify and help protect against local attacks.

Microsoft Cloud for Sovereignty chart

Data residency

The foundation of Microsoft Cloud for Sovereignty will start with our Azure regional datacenters. Today, with 60-plus cloud regions, the Microsoft Cloud delivers the broadest capabilities and innovation with data residency and proximity in more locations than any other cloud provider, enabling residency options for the entire Microsoft Cloud including Microsoft 365, Dynamics 365 and Azure. Enabled by our industry-leading policy controls, customers today can meet many regulatory requirements and implement policies to contain their data and applications within their preferred geographic boundary. Customers can specify the country or region for most service deployments with the ability to satisfy industry, national, or global security, privacy and compliance requirements.

Microsoft has the most comprehensive compliance coverage of any cloud service provider with 100-plus offerings including more than 50 which are specific to global regions and countries. Microsoft engages with governments, regulators, standards bodies and nongovernmental organizations to understand emerging requirements and ensure a fast and effective enablement of critical compliance needs. Specifically in Europe, expanding on our data residency commitment, the forthcoming EU Data Boundary will ensure Microsoft not only stores but also processes customer data in the EU and European Free Trade Association.

Sovereign controls

With Microsoft Cloud for Sovereignty, we will deliver capabilities that will provide customers with additional layers to protect and encrypt sensitive data. These capabilities span the entire Microsoft Cloud from cloud infrastructure, platform services and Software as a Service (SaaS) offerings like Microsoft 365, Dynamics 365 and Power Platform. Customers can leverage Azure Confidential Computing, an innovative technology offering sovereign protection with Confidential Virtual Machines and Confidential Containers. Our unique offering utilizes specialized hardware to create isolated and encrypted memory called Trusted Execution Environments (or TEEs). Customer-owned encryption keys are confidentially and securely released directly from a Managed HSM (Hardware Security Module) into the TEEs executing on customer encrypted data. This secures customer keys, even while in-use, and ensures data is encrypted while at rest, in transit, and in use, helping protect data and keys against numerous security risks and operator access. Customers can benefit from this capability without having to change their application, creating an easy opportunity to leverage the power and scale of the public cloud while still ensuring their data is encrypted at all times. Confidential Compute capabilities extend into purpose-built platform services such as Azure SQL Always Encrypted with secure enclaves and Azure Confidential Ledger.

SaaS solutions like Double Key Encryption allow users in Microsoft 365 to classify emails and documents as “sensitive,” encrypting the customer data using customer-provided keys to protect data from both security risks and operator access. Furthermore, the Customer Lockbox for Microsoft 365, Customer Lockbox for Microsoft Azure, Customer Lockbox for Power Platform, and the forthcoming Customer Lockbox for Dynamics 365, all ensure that Microsoft will only access customer data to execute service operations when given explicit customer approval.

For customer workloads that require additional proximity, physical/operator control and separation, Azure Arc extends our Azure cloud services, management and governance capabilities into an existing or new on-premises environment. With this, customers can already secure and govern infrastructure and apps anywhere, build cloud-native apps faster with familiar tools and services to run them and modernize their data estate for consistent cloud operations.

To simplify the complexity of the spectrum of data classification requirements, Microsoft Cloud for Sovereignty will include a Sovereign Landing Zone, a solution to simplify the architecture, deployment workflow and provide intelligent tools to orchestrate operations of our various security services and policy controls in a streamlined manner. The Sovereign Landing Zone is being built upon the enterprise scale Azure Landing Zone to recommend and enforce regulatory compliance using Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) capabilities built into Azure, which make deployments automatable, customizable, repeatable and consistent. This landing zone will also extend into Azure Information Protection (AIP), enabling policy and labeling for access control and protection on email and document data. This landing zone will be flexible enough to allow customers to define custom policies to meet specific industry and regulatory requirements. The landing zone will span the Microsoft public cloud, with tools to maintain data residency, deploy sovereign controls, protect data classification and extend into hybrid deployments, creating a single solution for all application needs.

Example of Sovereign workload spectrum

Governance and transparency

Microsoft Cloud for Sovereignty will increase cloud transparency by expanding the Microsoft Government Security Program (GSP) to critical elements of our cloud offering, starting with key Azure infrastructure components. The GSP provides participants with the confidential security information and resources they need to trust Microsoft’s products and services. GSP participants currently include over 45 countries and international organizations represented by more than 90 agencies. Eligible participants receive controlled access to source code, engage on technical content about Microsoft’s products and services, and have access to five globally distributed Transparency Centers. Microsoft Cloud for Sovereignty will also enable audit rights to examine Azure’s compliance processes and evidence under non-disclosure agreements and available audit terms.

Expertise

From the outset, Microsoft Cloud for Sovereignty is being designed as a partner-led and partner-first solution. In-country partners will play a pivotal role in enabling customer success and delivering on government requirements. Back in May, we shared a set of new European Cloud Principles to guide our business in Europe, which includes a focus on providing cloud offerings that meet European government sovereign needs in partnership with local trusted technology providers. This includes working closely with partners like Arvato, Capgemini, Minsait, Orange, SAP, Telefonica and many more, to deliver upon the unique sovereign requirements of each government. This approach of working with local partners to deliver on the needs of public sector organizations is a cornerstone of our approach with the Microsoft Cloud for Sovereignty.

Public sector customers worldwide are increasingly looking for customized cloud solutions that offer additional choice, flexibility and control. With the Microsoft Cloud for Sovereignty, customers will work with in-country partners that have industry and technical experience to help them plan, onboard, govern and operate their cloud environments with capabilities including data residency, confidential computing, document classification and hybrid deployments. Partners will also add value by working with customers to customize the Sovereign Landing Zone, assisting with the audit programs mentioned above, and providing extra readiness, support and transparency. We recognize that our public sector customers have valued relationships with local technology providers and that every country has unique needs. Microsoft Cloud for Sovereignty will offer the tools, the innovation, the processes and the transparency to put the power into the hands of knowledgeable and trusted partners that will support local governments on their digital transformation journey.

For example, in Italy we are working with Leonardo to build a solution that meets the national government’s data classification standards and supports the country’s digital transformation goals with public cloud-based solutions, controls, policy governance and hybrid management.

“Institutions and critical national infrastructures need the modeling, building and management of resilient-by-design Secure National Clouds able to guarantee data integrity, availability and protection in line with country-systems guidelines. Thanks to our extended research and innovation capabilities we can leverage the best from Microsoft Cloud with our capabilities in the cyberspace and in protecting national assets. Our long-term collaboration comes together in a solution that helps ensure the sovereignty of data while at the same time benefiting from the innovation of the public cloud.”

— Gennaro Faella, Senior Vice President Innovation, Leonardo

Another example is the work we are doing with Proximus in Belgium, where we are collaborating to help meet the privacy and sovereignty challenges of companies and organizations in public and regulated sectors.

“Together, Microsoft’s Azure hyperscale capabilities and Proximus’s hybrid capabilities have the ability to meet many of today’s sovereignty needs. Customers are able to use the most powerful public cloud capabilities while benefiting from the ultimate sovereign and privacy controls relying on our own Proximus infrastructure or the upcoming Microsoft datacenter region in Belgium.

This is building on technical innovations from Microsoft like Azure Confidential Computing, combined with the local anchoring and expertise of Proximus as a trusted cloud service provider. Proximus and Microsoft have a long existing partnership in place, and with today’s announcement will be able to further deliver safe, connected and secure solutions to our shared customers in Belgium, Luxembourg, and The Netherlands.”

— Guillaume Boutin, CEO Proximus Group

We are beginning the initial private preview of Microsoft Cloud for Sovereignty in select locations, and we will share further details over time. As we continue to roll out and expand our solution footprint across our datacenter regions, we look forward to working closely with partners throughout the world to help government customers digitally transform, leveraging today’s powerful capabilities of the Microsoft Cloud.
