Forrester Technology & Innovation Summit preview: Digital sovereignty in the public cloud

Given that corporate IT relies heavily on cloud-based infrastructure and services delivered via the public cloud, access to the data held in the cloud is paramount.

Should all mission-critical data be held on-premise? What roles should digital sovereignty and digital residency play in a corporate IT strategy? These are among the questions being discussed at Forrester’s forthcoming Technology & Innovation Summit in London.

Imagine going to the gym or doing a run and being unable to access Spotify or Amazon Prime Music. “We have so many dependencies on foreign [IT providers], which entails a dependency on foreign jurisdictions,” warned Forrester senior analyst, Dario Maisto.

Computer Weekly spoke to Maisto ahead of his session, “Digital sovereignty drives cloud choices in times of geopolitical volatility”.

In July, Reuters reported that Indian refinery Nayara Energy, which buys oil mainly from Russia, began legal proceedings against Microsoft, following European Union sanctions on the company.

According to Reuters, Microsoft Outlook and Teams services had been suspended.

Maisto said the risk that a foreign government could impose restrictions on the use of such services is leading IT leaders to assess how and when to use local service providers rather than foreign ones. “Despite what some call the globalisation of IT, the balkanisation of IT means the future of certainty is global,” he said. “Certain vital applications that we use in Europe, like ERP [enterprise resource planning] and CRM [customer relationship management] do not even work outside of a hyperscaler’s cloud.”

Re-engineering

As Maisto notes, migrating an application from one cloud provider to another’s IT infrastructure can take years. “It is a re-engineering exercise,” he said. “Just moving an application like Workday from one hyperscaler to another can take up to two years. Can you imagine how long it would take to re-engineer the application to work on any cloud?”

Software as a service (SaaS) providers have developed their applications this way. “There is nothing that you as a client organisation can do,” said Maisto.

He said one of Forrester’s clients wanted to return to 100% on-premise IT to preserve its digital sovereignty posture, but ended up being 99.9% on-premise as it used ServiceNow. “You cannot deploy ServiceNow outside of a hyperscaling cloud, which means you have to open your IT infrastructure beyond on-premise and go to the cloud,” said Maisto.

On-premise and regulatory compliance

Many of the organisations Maisto has spoken to regard General Data Protection Regulation (GDPR) compliance as a reason for on-premise IT. However, he said: “We have solved that problem. You give the power of attorney to the hyperscaler then you’re fine with GDPR.”

The problem, according to Maisto, is not about remaining compliant with data protection regulations. Instead, he sees continued access to corporate data that resides in the public cloud as a bigger risk organisations face. “Can any foreign jurisdiction, any foreign government, any foreign provider outside of my jurisdiction, prevent access not only to their SaaS application and their infrastructure, but also to the data I store in that infrastructure?”

One of the concerns among IT leaders is whether data hosted in US hyperscaler clouds can be accessed by the US government under the Cloud Act. “People get concerned about the Cloud Act, but what they should be really concerned about is FISA article 702,” said Maisto.

The US government describes the Foreign Intelligence Surveillance Act (FISA) as “a critical intelligence collection authority that enables the Intelligence Community (IC) to collect, analyse and appropriately share foreign intelligence information about national security threats”. Section 702 authorises targeted intelligence collection of specific types of foreign intelligence information.

“Under the Cloud Act, you will get informed,” said Maisto. “But if the US National Security Agency has asked for your data under FISA 702, the hyperscaler cannot disclose this to you. They can only disclose the number of requests they received from the investigation agencies.”
