VMware Sovereign Cloud

Cloud repatriation is certainly one of the flaming trends in cloud infrastructure, it enables organizations to regain control of their data, data privacy and security laws, performance, and cloud spending. As we have are working with multiple cloud providers and customers, they are more concerned about their data security and residency. This is where the importance of Sovereign Cloud comes into picture.

‍

A Sovereign Cloud is a cloud computing architecture that’s designed and built to provide data access and security in compliance with local laws and regulations and these standards may vary depending on the where the server, services and the data are located. 

‍

Sovereign clouds are not a new concept, this is a hot topic due to geopolitical landscape and new regulations that affect control of data. The concept of a sovereign cloud is based on two main pillars one is data residency ensures that data stays in a specified geographical location, data sovereignty makes sure that data adheres to the regulations of the country where the public sector customer is, and their data is located.

‍

WHY SOVEREIGN CLOUD

We are living in a world of new technologies where data is more valuable than ever, and it is very important to protect that at any cost. Countries impose data regulations based on national security interests to protect citizens’ or company’s personal data. A sovereign cloud ensures all data including metadata stays on sovereign soil and prevents foreign access to data under all circumstances. It provides a trusted environment for storing and processing data that can never be transferred across borders and must remain under one jurisdiction. Below are some of the main pillars of a Sovereign Cloud. 

‍

Sovereignty – Power of a state to do necessary actions to ensure the authority of data.

Data residency – Storing data in specific geographical area for any business reason.

Data sovereignty – Idea that data are subject to the laws and governance structures of the nation where they are.

Jurisdiction – Data must be subject to jurisdictional control of the governmental bodies in the sovereign territory.

‍

KEY FEATURES

• Increase Security
• Implement industry recognized security controls in the cloud more quickly and effectively.
• Secure data and workloads against rapidly changing attack vectors
• Reduced Attack Surface
• Role-based/Attribute-based Controlled access and least privileges 
• Run time protection and patching.
• Maintain Compliance
• Achieve compliance significantly faster and more efficiently.
• Demonstrate compliance on an ongoing basis with monitoring and reporting, rather than every few months.
• Two data center locations
• Improve Control
• Ensure visibility and auditing of all cloud administration and activities.
• Prevent unauthorized or authorized access to data by foreign entities.
• Zero Trust Network
• Micro-Segmentation & Zero-trust security
• Third-Party Audit
• Data-at-Rest and Data-in-transit encryption
• Unlock Data
• Share and extend data with trusted nation states, companies, or clouds.
• Data Innovation and Analytics
• Leverage advanced services to enable data insights and ensure data integrity.
• Mobility
• Workload migration for cloud onboarding
• Workload failover/failback for disaster recovery
• Fuel Economic Innovation
• Develop a national and sovereign digital capability.
• Pool national data to unlock economic innovation and growth.
• Future Proof
• Avoid vendor lock-in
• Against changing regulations, security threats and geopolitics
• Modern application architecture 
• Enriched Cloud services.

VMWARE SOVEREIGN CLOUD

Nowadays most of the leading cloud providers like Azure, AWS, Google, Oracle, IBM, and VMware etc. offer sovereign cloud, that meets specific compliance and regulatory requirements of the customer workloads hosted in their respective cloud geography. In this article we will discuss more into VMware Sovereign Cloud architecture and compliance requirements.

‍

VMware introduce, VMware Sovereign Cloud framework that defines key characteristics to which a cloud can be assessed as sovereign and technical guidance, best practices, and principles for design and operational considerations that can meet security, compliance, and data sovereignty requirements for a specific jurisdiction. To protect customers’ information, VMware cloud providers must design and build their clouds with 4 VMware Sovereign Cloud framework principles. 

‍

To design and implement a VMware Sovereign Cloud Provider platform, Cloud Providers, Architects, and consultants must go through certain pre-requisites, guidelines, and compliances. Below are some of those and for more details it is recommended to refer the VMware Sovereign Cloud Technical Information and Resources.

‍

Data Centers – A VMware Sovereign Cloud requires at least two data centers located in the jurisdiction where the data is collected also these must be at least a Tier III or higher classification for 99.982% uptime.

‍

VMware Security Domains - All VMware Sovereign Clouds must include two security domains, Sovereign domain, and Resident domain. These domains encompass both management and workload domains in vSphere as well as all supporting infrastructure and management elements.

‍

Interoperability Stack – VMware provides a set of software components for Cloud Providers to implement a VMware Sovereign Cloud and Cloud Providers are free to choose and pick versions or different combinations of software bill of materials (BOM). 

‍

Authentication & Authorization – Role-based Access Control needs to be enabled for the authentication and authorization of the cloud provider stack. Authentication entities can be usernames and passwords with multi-factor authentication like 2-factor (2FA) most commonly. 

‍

Network Connectivity – Securing the network is very important within the datacenter where the sovereign and resident management and workload components are hosted and outside for any end-end application access. This includes security of Physical components like racks, servers, network devices and cabling etc. Firewalling components like Perimeter, Web Access Firewall, Edge, Distributed Firewalls and other zero-trust micro segmentation objects of provider and tenants. Network Isolation in resident domain which isolated from external world, and this can only communicate with cloud and on-prem sovereign domains. Encrypted Network Tunnels like IPSEC VPN from NSX-T or any third-party firewall and SSL-VPN from third-party vendors which support secure traffic between the environments. 

‍

Storage options – It is very important to have flexible and secure storage options. In the case of a VMware Sovereign Cloud, it is a requirement to be able to provide file, block, and object storage for both structured and unstructured data.

‍

Backup – Having proper backup strategy with solution hosted in local geographical jurisdiction is very crucial in such an environment also these solutions should be able to support virtual machine backup, application aware backup, immutable storage, and remote replication capabilities.

‍

Zero Trust Security – Zero-trust enforcement is a pre-requisite of Sovereign Cloud and in VMware Sovereign Cloud NSX-T will satisfy the requirement as it protects the data in transit, and it also provides for micro/macro segmentation also this ensure no workload and communicate each other without being explicitly allowed by a firewall rule. VMware Secure Access Service Edge and Carbon Black Endpoint Detection and Response can be explored for additional zero-trust security.

‍

Encryption – Cloud Providers should ensure the data-at-rest and data-in-transit encryption to secure data. Data-at-Rest encryption should be enabled wherever the data is stored like vSAN or any external storage and backup storages etc. 

‍

Catalog of Hardened and Trusted images – All images used to provision workload in Sovereign Cloud must be verified and approved. These images should be hardened and patched as per the compliance requirements and moreover continuous audit and monitoring should be enabled to verify if there is any drift in these configurations.

‍

Disaster Recovery – To recover the critical application quickly and reliably in the event of a disaster is an essential capability of a cloud hosting platform. Cloud Providers who offer Sovereign Cloud platform should be able to support cross-site protection, replication, failover, and failback services within the jurisdiction to achieve the business continuity goals. 

‍

Data Replication – Data replication is considerable in some cases like database, application, and containers persistent volume replication within the sites or across the sites in a sovereign cloud provider environment. Some of these can be achieved by replicating the storage volumes and some native replication solutions can be used which are supported by the application.

‍

Data Security & Compliance – Securing the environment and making sure those security controls follow Sovereign Cloud requirements is very important. Post deployments, the best practice would be to transfer security over to a dedicated team to augment and monitor the security posture because it requires constant focus, adjustment, and tuning to stay up to date on the ever-changing threat landscape. It is the responsibility of each security, compliance, and audit team in your organization to verify that configurations meet their compliance requirements. It is important to note that the VMware Sovereign Cloud security guidance is not enough on its own and each organization needs to assess their own risk posture and identify applicable controls using a series of supporting security architecture, technology, processes, and people to evaluate the environment.

‍

Data and Environment Auditing – The ability to provide continuous monitoring, auditing, and compliance reporting is very important in VMware Sovereign Cloud Platform.  This will ensure the effectiveness of the security measures implemented on the platform to customers.

Governance, Risk, and Compliance – This guidance describes the security configurations that can support Governance, Risk, and Compliance (GRC) considerations. Due to the variety of compliance standards and different organizational business needs, due care should be taken to identify and map VMware Sovereign Cloud configurations against a targeted regulation.

‍

Operationalization – After a VMware Sovereign Cloud has been designed, implemented, and configured. It is now time to operationalize it in such a way that your customers can make use of it in a way that is beneficial to them. In operation also there are multiple things to consider like provider and tenant engineers should have separate accounts for privileged and non-privileged operations with least privileges for the specific actions.

‍

HOW HUCO HELPS OUR CUSTOMERS TO ENABLE VMWARE SOVEREIGN CLOUD

As huco is involved and completed multiple cloud design and deployments projects, we can help customers to understand the requirements and design and deploy the cloud provider stack which can fulfill their VMware sovereign cloud compliance and regulatory requirements. 

‍

Identify the Cloud Provider Requirements → huco can help customers to identify the cloud provider business and technical requirements. 

Design and Deploy VMware Sovereign Cloud → Design and Deploy or Upgrade a VMware sovereign cloud environment which can support their tenants use cases.

Knowledge Transfer and Documentation → Document the design and deployment details in High-Level and Low-Level Design and provide knowledge transfer to customer’s technical team.

Support and Managed Services → With huco's iDOC (Remote Intelligent Digital Operation Center) offering, provide Day 2 operation and adoption support.

‍

Huco is a leading cloud native partner in METNA region and 1st partner EMEA to achieve all the 8 Master Services Competency (MSC) of VMware. Being a leading MSC partner of VMware, Huco has gained vast experience in implementing VMware products and acquired knowledge/skills/experience. Huco works closely with the VMware product team to help customers to achieve the requirements.

For more information on how Huco helped customers in enabling the VMware Sovereign Cloud Provider Stack, please reach out to us and post your inquiry/interest. Our VMware Experts are eager to help you in your journey towards accelerating your application by virtualizing GPUs.

‍