If data is stored in the cloud, it is often unclear exactly where it is located – storage space, processor power and application software are often distributed somewhere over several servers, possibly even at different locations around the world. And since the revelations of Edward Snowden, it has become clear that American intelligence agencies monitor the Internet with great effort.
In the face of data protection concerns, more and more American providers are changing their business – and want to set clear limits on data storage. After Microsoft and Google, Oracle announced a “sovereign” cloud offer on Monday. This includes a separate infrastructure within the European Union (EU), which should be operated exclusively by EU citizens.
For customers, digital sovereignty has become a central prerequisite for cloud use in recent years, Oracle manager Regis Louis told Handelsblatt. In the EU, regulation imposes high requirements – the group has therefore developed a special offer for the region. The launch is scheduled for 2023.
“Cloud providers recognize that customers and regulators in some industries are imposing stricter requirements for handling data,” Paul McKay, an analyst at Forrester, told Handelsblatt. This applies to the public sector, the healthcare sector and the financial services industry, but also to many German mechanical engineering companies.
Oracle, which is far behind AWS and Microsoft in IT infrastructure from the cloud with a market share of around two percent, has to react to this. In some segments, digital sovereignty is an important factor, Louis said, for example in the public sector or highly regulated industries – the new offer has “a direct impact on business”.
What can the intelligence services see?
The use of cloud services has increased significantly in recent years, but concerns about data security and data protection still exist today. In the Cloud Monitor from Bitkom and KPMG, for example, 70 percent of the companies surveyed say that a data center within the legal jurisdiction of the EU is indispensable.
Even if Microsoft, Google or AWS store the data in European data centers, experts say it is not necessarily secure. With the Cloud Act, which has been in force since 2018, US authorities can demand the release of information that IT providers store abroad. In view of the findings of the Snowden revelations, the European Court of Justice invalidated important legal bases for the transfer of data from Europe to the USA with the Schrems judgments.
The EU Commission is currently negotiating an agreement with the US government to put the exchange of data between the two economic areas on a new legal basis. However, many companies do not want to wait for this – uncertainty is bad for business.
AWS and Microsoft, for example, have introduced terms and conditions that are intended to limit the transfer of data to the USA as much as possible – the Windows group even promises a “data limit”. New technologies should also increase the level of protection, for example through encryption.
In addition, the companies are developing fiduciary concepts. Customers have been able to have Google’s cloud solutions operated by T-Systems since the spring, and AWS is also planning a cooperation with the Telekom subsidiary. SAP and Arvato, in turn, have founded the Delos joint venture to offer Microsoft’s cloud solutions to the public administration.
What exactly does sovereign mean?
Oracle wants to set up its own company for operation and maintenance, in which only EU citizens should work. This structure ensures compliance with EU rules, Louis explained. However, the unit is to be part of the Group and thus dependent on the management in Austin, Texas.
This raises questions – for example, how Oracle wants to prevent access by US authorities via the Cloud Act. Louis pointed to additional guidelines that are intended to create a framework to ensure customers have control over the data and operations. The company will release details later.
As a result, it is unclear whether Oracle meets the requirements of the Federal Office for Information Security (BSI), which checks cloud services before they are used in federal authorities and ministries. These stipulate that clients can operate the systems “independently, irrevocably and thus sovereignly” of the provider.
The construction of a separate infrastructure is associated with significant costs. Oracle manager Louis did not quantify the investments, but stressed that it was necessary to set up new data centers and hire additional staff. The economies of scale promised by the computing factories of the cloud do not materialize.
Oracle still wants to avoid higher prices; the services should cost the same as in the existing cloud data centers. The product range should also be the same size. The goal is to achieve “significant differentiation,” Louis said. In other words, the company wants to stand out from the competition.
This is also necessary. IT infrastructure from the cloud is a growth business: the market researcher Synergy Research recorded an increase of 37 percent to almost $53 billion in the first quarter. However, the market is focused on the big three, AWS, Microsoft and Google, if you leave China out, analyst John Dinsdale explained. Competitors must therefore differentiate themselves.
However, in view of the many announcements, companies can easily lose track. Forrester analyst McKay advises reviewing the concepts carefully. “Frankly, some of the promises are not worth the paper they are written on.”
Companies should therefore gain clarity about which applications require a special level of protection at all – and what price they are willing to pay for it.