CxO Decision Brief: Delivering on Sovereign Cloud

1. Solution Value

Organizations trading in multiple international markets are becoming increasingly challenged by the dilemma of data sovereignty. Even as data is stored and processed across multiple cloud providers, it remains subject to national and regional laws, some specifying that data must reside in-country. While this manifests particularly in the European Union, it does not and will not stop there, particularly as trends like Artificial Intelligence (AI) accelerate the economic value of data.

Governments worldwide have promoted data sovereignty as a response to the perceived downsides of globalization. We see a trend toward sovereign cloud, encompassing infrastructure and operational capabilities running across multiple cloud providers as well as hosted services and on-premise data architectures – that is, multicloud. For companies operating internationally, sovereign cloud can be a critical step toward more mature adoption of cloud-based technologies.

A multicloud-centric approach to data sovereignty offers a solution for secure, responsible, and compliant data storage and management wherever it resides. This enables enterprises to consider local laws, regulations, and policies as they deliver on their cloud and on-premises technology strategies. Such an approach, while creating opportunities for enterprises, requires strategies and partnerships with technology solution providers.

In light of Broadcom’s proposed acquisition of VMware, we consider VMware’s sovereign cloud platform and Broadcom’s capabilities across security, modernization, and management. While no single set of offerings can cover an organization’s multicloud sovereignty requirements 100% (as they exist across SaaS applications, data management, and so on), we review each organization’s benefits and thus consider the potential of a combined Broadcom/VMware solution.

Overall, we can see that both Broadcom’s operational and security software portfolio, together with VMware’s Cloud Platform initiative, tools, and Sovereign Cloud Service Provider Partnerships, can enable enterprises to respond to their data sovereignty needs and embrace opportunities such as AI to derive greater business value from their data assets.

2. Urgency and Risk

The urgency around data sovereignty is apparent to the organizations we speak to. It is a gateway to doing business internationally and addressing the increasing headaches and overheads of managing data according to local regulations. These overheads will increase over time and become more challenging to solve as the level of international legislation grows in breadth and complexity.

We also stress the urgency of considering sovereign cloud as a horizontal solution. While hyperscalers offer their own interpretations of sovereign cloud solutions, organizations must think about how they deliver cloud sovereignty coherently across a multicloud environment.

Specific verticals are those in more regulated industries such as healthcare, those dependent on supply chains such as manufacturing, and those dealing with an international customer base, such as finance.

Risk

Sovereign cloud enables flexibility and choice for organizations to architect for current/future legislation and multicloud capabilities. Risks largely concern how organizations deliver on these goals, including:

Completeness – organizations must manage data and policies and report coherently across multiple public clouds and internal data centers.
Refactoring – existing systems and services should sometimes be updated to address sovereignty issues. We advise a risk-management approach to re-architecting applications.
Complexity – technical teams may be swamped by an organization’s data assets. In response, they should triage data according to business priority and sovereignty risk.
Change – data sovereignty is a hot topic and still unfolding in terms of its impact. However, the basic premise of sovereign cloud is clear, enabling organizations to architect for the futur

3. Benefits

Multiple benefits emerge from adopting sovereign cloud principles and from working with solution partners such as Broadcom and VMware. First, a sovereign-first, multicloud infrastructure allows classified data (such as Secret & Restricted) to be stored on a local sovereign cloud, while storing workloads of lower classification (such as Protected or Public) in public clouds.

From a business perspective, benefits include enabling organizations to compete better in international markets, respond to compliance needs, and better serve local stakeholder groups such as customers and partners. Sovereign cloud also increases resilience against jurisdictional (over-)reach, allowing pushback against information requests from other countries.

Additional benefits come from the fact that data sovereignty needs to be treated strategically, which we cover below. Better overall management of data cuts costs and risks, including security, and reduces friction of data movement, for example, between on-premises systems and the cloud. In addition, creating a sovereign-oriented data architecture serves as a basis for innovation, enabling country-specific application features, locally measurable customer experience improvements, or localized environmental, sustainability, and governance (ESG) reporting.

Specifically, Broadcom’s portfolio offers enterprise software across modernization, operational management, development tooling, and security/data protection. The company is platform-agnostic and brings a horizontal approach to operations, security, and governance across all platforms and providers. It is therefore suited to enterprise hybrid IT environments, including multicloud architectures.

VMware brings the platform element. At a high level, it brings significant infrastructure capability, which is platform-agnostic; it also offers solutions to establish guardrails for classified data and enables the development, deployment, and migration of locally managed infrastructure to meet sovereignty goals. The company works with local integrators and other channel partners to deliver its services, keeping them in-country.

The platform independence of both Broadcom and VMware offerings plays well to the needs of data sovereignty, as data and services can be managed wherever they reside. The alternative is to manage data and services from each cloud provider and local data center individually, with resulting overheads and risks of managing multiple environments without the innovation gains of a centrally defined and managed architecture.

Solutions from Broadcom and VMware enable customers to manage data across cloud and on-premises infrastructure, reducing the risks and operational overheads of sovereignty. Broadcom’s broader enterprise partnership and research-led approach allows the company to work with its customer organizations to deliver on their sovereignty goals.

4. Best Practices

Tackling data sovereignty in a multicloud environment is an enterprise-scale task. It needs to be approached from the top down, starting with a strategic review of:

Business needs – what are the overriding goals?
Geographic reality – what countries or jurisdictions are relevant?
Data architecture – where is the applicable data stored and what is its classification?

Such a review should deliver strategic priorities and outline discrepancies and risks to drive a cloud sovereignty strategy. For example, the review may determine that data in a particular country is exposed to risk due to local legislation or, indeed, that another locality doesn’t need to be prioritized as the data footprint is low.

This starting point offers a basis for the Plan, Test, Deploy section below across both architectural assessment and operational planning.

5. Organizational Impact

Given that the basis of data sovereignty is legislative, it becomes unavoidable. One way or another, organizations must comply if they wish to trade or deliver services. From an organizational standpoint, a data sovereignty function may be needed that understands how to take legislation into account. This could include enterprise architects, compliance, security, risk management specialists, and operational expertise.

Data sovereignty will impact technology supplier and channel relationships, as legislation may stipulate working with in-country partners. Organizations should consider how they address needs in localities where a provider does not have a presence (or can support at an increased cost).

In addition, sovereign cloud deployment must be aligned with other strategic initiatives such as application modernization, environmental, sustainability, and governance (ESG) reporting, and cloud cost management.

People Impact

Sovereignty and its consequences on systems and data affect everybody in the organization, particularly those in a global role. People impact largely falls on technology teams in terms of how they architect, deploy, and operate data-related systems and services in a multicloud environment.

While no new technical skills are needed, the change comes from how and when data sovereignty is taken into account (i.e., up-front and across the application delivery cycle) and where those skills are available (e.g., in-country).

Investment Outlook

Putting a ticket price on data sovereignty is difficult, as it should be considered a horizontal part of a multicloud IT strategy. However, costs for definition and deployment of sovereign cloud can be considered in three parts:

The strategic review, with associated consulting
Data and application modernization and migration
Organizational improvement and change management

Each of the latter areas is open-ended; there will always be more to do, so we advise fixing budgets after completion of the strategic review based on actual rather than speculative needs.

6. Solution Timeline

Given its strategic nature and the complexity of what it touches, data sovereignty should be assessed on a one- to three-year timescale covering strategic review and architecture-led definition, then rolled out of modernization and migration projects. We cover this below.

Plan, Test, Deploy

Broadcom and VMware can support organizations on their journey to a sovereign multicloud across strategic review, planning, and enactment:

Plan: This is the strategic review we have discussed, together with creating a sovereign cloud strategy. While this stage is vendor-agnostic in terms of technology, an organization can work directly with Broadcom and VMware, together with their partner organizations, to assess existing needs and priorities. We envisage this process taking 2-3 months, resulting in a report to the board.

Test: At this stage, the organization can map out its existing and required sovereign cloud architecture against existing systems, services, and cloud providers. In general terms, this can incorporate VMware platform functionality and Broadcom’s operational and security management capabilities.

Deploy: This is best considered as a series of interrelated yet discrete projects which include:

Deployment of suitable infrastructure and platforms to support the planned sovereign cloud architecture.
Repartitioning data stores to separate data that needs to be kept in-country.
Extending existing applications to incorporate data sovereignty features, such as data classification and controls.
Where necessary, workload migration to more suitable locales within the architecture.
Bolstering operational platforms, automation, and compliance reporting practices to support more geographically dispersed applications, services, and data.
Revising data governance practices to take into account data growth and the need to secure, manage, and leverage data as it moves between jurisdictions.
Updating supplier management practices and organization to work with local partners.

As discussed, delivering on the strategy requires a change management approach with the usual elements of communication and engagement. Deployment specifics will help determine what, if any, extensions to the skills mix are necessary (for example, having local security professionals or technical expertise in place).

Future Considerations

Sovereign cloud solutions do not stand still across infrastructure, data architecture, and policy management. Technology leadership should regularly review existing features and roadmaps as well as functionality within hyperscaler platforms, as cloud-agnostic software stacks, or as third-party capabilities. This information can be collated and used as part of supplier review activity.

Leaders will also need to keep tabs on applicable legislation for priority geographies.

7. Analyst’s Take

Data sovereignty isn’t a challenge that can be solved overnight, nor is there any single solution to address it. Nonetheless, its response–sovereign cloud–is more than an aspiration; it is a (quickly becoming de facto) technical blueprint that can be defined, designed, and built to. The most urgent imperative, therefore, is to instigate a strategic review of data sovereignty needs and thus define the shape of sovereign cloud for the organization.

In this brief, we considered whether the combined strengths of Broadcom and VMware could offer a response to data sovereignty needs. The answer is yes, in that the companies are cloud agnostic and, in combination, provide both an infrastructure platform and operational capabilities which can be used to deliver sovereign cloud in the multicloud architecture.

Organizations must partner with strategic vendors that directly embrace sovereignty needs, and Broadcom/VMware offer corresponding portfolios. In a multicloud world, this can be one of the several partnerships enterprises choose to deliver on their sovereign cloud architecture goals.

It is not a coincidence that we close this brief by considering the importance of partnerships. Ultimately, for international companies, sovereign cloud is all about working with global organizations that can respond to local needs–this principle applies both to enterprises and the solution vendors with whom they work.

8. Report Methodology

This GigaOm CxO Decision Brief analyzes a specific technology and related solution to provide executive decision-makers with the information they need to drive successful IT strategies that align with the business. The report is focused on large impact zones that are often overlooked in technical research, yielding enhanced insight and mitigating risk. We work closely with vendors to identify the value and benefits of specific solutions, and to lay out best practices that enable organizations to drive a successful decision process.

9. About Jon Collins

Jon Collins has nearly 35 years of experience in IT. He has worked as an industry analyst for a number of years and has advised some of the world’s largest technology companies, including Cisco, EMC, IBM, and Microsoft in product and go-to-market strategy. He has acted as an agile software consultant to a variety of enterprise organizations, advised government departments on IT security and network management, led the development of a mobile healthcare app, and successfully managed a rapidly expanding enterprise IT environment. Jon is frequently called on to offer direct and practical advice to support IT and digital transformation initiatives, has served on the editorial board for the BearingPoint Institute thought leadership program, and is currently a columnist for IDG Connect.

Jon wrote the British Computer Society’s handbook for security architects and co-authored The Technology Garden, a book offering CIOs clear advice on the principles of sustainable IT delivery.

10. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.