The great guide to the “sovereign cloud”

Introduction

Companies are no longer willing to invest in their computer rooms. They let them go to put their applications and their virtual machines in the cloud, usually on AWS, Azure or Google. But this migration raises a question that, at first, was voluntarily ignored.

Once the data is hosted by an American company, along with their subsidiaries in Europe and even on French soil, it is subject to American law (including the famous Cloud Act, but not only) one of the characteristics if where being “extraterritorial”. In other words, Washington law applies to San Francisco as well as to Paris, Austin and Tokyo once a person (natural or legal) of American nationality is involved in one way or another. (support, maintenance, operational management, etc.).

An unfriendly right, because instrumentalized

However, this right to exemplary official purposes (fighting terrorism and crime) poses a problem. In fact, recent history has shown that it also has unofficial purposes and that the United States does not hesitate to take advantage of it for the purpose of economic warfare (pressure from the Department of Justice to force the sale of Alstom to GE for example), for the economy. intelligence purposes (industrial espionage) or for geopolitical purposes.

So the Minister of Economy and Finance himself, Bruno Le Maire, describes him as unfriendly and to the public and has repeatedly expressed France’s irritation at this situation.

American cloud between a rock and a hard place

American cloudists are caught between a rock and a difficult place. The anvil of the extraterritorial law of their country of origin, and the hammer of customers in Europe who are beginning to feel the risks and the real contradiction between this law (which requires cloudists to disclose data, moreover here without notifying the companies concerned) and the GDPR (which prohibits this transfer of personal data).

Until now, American IT actors have ensured that there are elements of language: freedom of the American judge (which is in fact quite relative), oversight of the procedure to keep it in the fight against crime (which is contradicted by the facts) , localization of data in Europe (which does not change anything, American law is extraterritorial), contract under French law (which allows the customer to launch a procedure that is certain to fail in a French court against the State of America), systematically resisting the requests of the publishers ’attorneys (without knowing the true validity of their objections, sincere in any case) or publishing information on the requests (often still vague and” after the truth “).

But in each case (including the record fine imposed on BNP Paribas), these “arguments” of a pure security law explode one by one. American law is a weapon of economic struggle, IT is one of its operational relays. The naivety of customers in Europe is starting to fade.

European burst (shy)

As a result, European politicians, as well as some industrialists want alternatives for their sensitive data: “sovereign” clouds. That is, infrastructures that are not subject to the intrusive law of a foreign power, even a friend.

A few years after the failures of Cloudwatt and Numergy, digital sovereignty is becoming fashionable again. On a European level, at the urging of the French and German governments, local hosts, ESNs, and publishers are trying to federate their service catalogs under the coat of arms of Gaia-X with, as a result, a promise of ecosystem interoperability. .

Because here’s what’s wrong with local alternatives to the clouds of American hyperscalers: the wealth of the offer.

Hosts of OVHcloud, Scaleway, T-Systems or 3DS Outscale are working hard to develop the same virtual machine services, online storage, with comparable prices, but they are having a hard time replicating the functional scope of their American models. . In infrastructure services, for example, all backup software vendors offer to host backup copies on the AWS S3 service. To benefit from such a function in OVHcloud, it is better to be a customer of Veeam, the leader, or Atempo, the French.

Too many sovereignty services are also not turnkey. If a simple click on an option is enough for a hyperscaler, you need to negotiate a contract with an integrator to customize the installation of a similar function. The costs can quickly no longer be the same.

Data Sovereignty Vs. Technological Sovereignty

The advantage of local players, on the other hand, is “immunity” to American law.

A “Cloud of trust” label – desired by the French government and announced during the launch of its new “Cloud at the center” doctrine – was even produced in 2021. It was awarded after obtaining SecNumCloud certification from ANSSI and securing that the cloud in question is subject only to European law.

But efforts to obtain such a label itself have a cost, which is passed on the customer’s invoice. Will European companies be willing to pay this “premium” for their sensitive data? Nothing is more certain.

As for hyperscalers, they do not intend to be expelled from the market of data, applications and critical sectors. They acted, and fast.

On the side, they have already reacted by offering to resell their services through a local player (such as Azure and Google, which have partnered with Orange and Thalès respectively up to France).

These solutions have the merit of responding both to the issue of sovereignty (data will be hosted on machines owned by service providers under French law with no liability in Washington) and to the need for ecosystem tool. All functions available in American clouds will be imported, at least at the time of their use. In any case, this is the promise: by the time we published this guide, Europeanized versions of American clouds were still far from being terrestrial.

On the face of it, hyperscalers have included Gaia-X, but former members like Scaleway have accused the project of slowing down to shift its emergence into operation and allow their own offers to adapt to the new regulatory agreement pointing on the cloud horizon.

Right or wrong ? It’s hard to say with certainty. What is certain, however, is that behind the scenes, an opposition between the two concepts of sovereignty is played out in the fight. On the one hand, those who promote legal sovereignty (“data sovereignty”) where the clouds use American technologies in a secure context. On the other hand, supporters of “technological sovereignty” calling for the development of industrial property and support for European publishers purpose independence technology.

To see clearly in sovereignty

Between the subtleties of American law, elements of language and controversies, new sovereignty offers (local and American), and offers that are only sovereign in its face, it’s not always easy to navigate.

At the crossroads of regulations, IT analysis and long-term strategy, this guide clarifies these gray areas so they can make smarter decisions.

Leave a Comment