Trust in cloud security and sovereignty

What happens if the new US Government tears up the Cloud Act?   Experience shows that without any warning they aren’t shy about ripping up international agreements (trade or otherwise). There’s growing concern that we could wake up one morning to find that the Cloud Act and associated digital sovereignty frameworks are gone with one stroke of a pen.   This isn’t abstract fear-mongering. It’s a very real risk. Personally, I’d hate to be sitting in front of a Select Committee, or my CEO, explaining why we didn’t have a Plan B.   If these legal protections disappear, UK and EU organisations could become non-compliant overnight, just by continuing to store or process personal data in US-owned public cloud infrastructure. That includes M365, AWS, Azure, Google Workspace, Oracle, Salesforce, Dropbox, the list goes on.   All your data would be exposed to extraterritorial US surveillance or seizure, with no meaningful legal route to challenge it under UK or EU law. The EU–US Data Privacy Framework is already on shaky ground. If the US withdraws (again), UK firms relying solely on public cloud could be left stranded, with data protection regulators forced to respond.   So, what’s the low-risk path forward?   It’s hybrid cloud (on premise or hosted). But done properly and not a panicked knee jerk reaction, where the non-public cloud components are delivered and governed locally by you, or a UK-based provider under domestic law. Right workload, right place, right time... (and supporting UK businesses to grow and become future unicorns), growing our tax base and helping communities. This doesn’t just mindlessly tick compliance boxes. It also brings greater control, clearer governance, and a meaningful reduction in business risk.   In this climate, that’s not a nice-to-have… it’s beyond essential. Even if you disagree, its gotta be worth documenting why internally. Don't leave yourself exposed, it could be very career limiting.   Can I sell it to you? Nope, not my bag. But there are plenty of awesome local providers who deserve your attention that I can point you at.

🌍 The Shift in Europe: Moving Away from US Hyperscalers 🌩️ As geopolitical concerns, data sovereignty, and pricing instability grow, European companies are making bold moves in their cloud strategies—and the implications are massive. Over the past 15 years, reliance on public cloud giants like AWS, Microsoft, and Google has skyrocketed. But now, we’re seeing a strategic pivot unfolding across Europe, as organizations mitigate risks and embrace alternative solutions to protect their future. 🎯 Why the shift? ✅ Data Sovereignty: Stricter data protection laws like GDPR and fears over compliance with laws like the US CLOUD Act are driving demand for European-managed cloud solutions and sovereign cloud providers. Organizations are prioritizing control over their sensitive data and leaning into platforms that support their unique privacy needs. ✅ Security and Trust: Concerns over potential government interference, espionage, and vendor lock-in are making European businesses rethink their current reliance on US-based hyperscalers. The rising interest in diverse, multi-cloud strategies and locally governed services reflects the growing importance of trust in cloud decisions. ✅ Economic Predictability: Increasing costs from hyperscalers have raised concerns about long-term pricing stability. Enterprises are recognizing that forward-looking cloud strategies need to include providers that prioritize pricing transparency and tailored solutions. 🎯 What’s the result? A diverse and dynamic cloud ecosystem is emerging in Europe, leaning on open-source technologies, sovereign cloud providers, and tailored private cloud solutions. Platforms like OpenStack and others are paving the way for digital transformation without compromising on compliance or strategy. As businesses explore these new approaches, multi-cloud strategies, hybrid environments, and innovative pricing models are becoming essential for mitigating risks and staying competitive within an ever-evolving cloud landscape. 📢 This shift isn’t just about technology—it’s about geopolitics, trust, and long-term business resilience. Let’s embrace a future where diversity in cloud ecosystems fosters innovation, enhances security, and ensures sovereignty. What are your thoughts on this shift towards sovereign and multi-cloud solutions? 💭 Let’s discuss! #CloudComputing #DataSovereignty #SovereignCloud #MultiCloud #Geopolitics #Innovation

𝗧𝗵𝗲 𝗦𝗼𝘃𝗲𝗿𝗲𝗶𝗴𝗻𝘁𝘆 𝗗𝗶𝗰𝗵𝗼𝘁𝗼𝗺𝘆: 𝗪𝗵𝘆 𝗘𝘂𝗿𝗼𝗽𝗲 𝗙𝗲𝗮𝗿𝘀 𝘁𝗵𝗲 𝗨.𝗦. 𝗖𝗹𝗼𝘂𝗱 𝗔𝗰𝘁 -- 𝗪𝗵𝗶𝗹𝗲 𝗔𝗺𝗲𝗿𝗶𝗰𝗮 𝗜𝗴𝗻𝗼𝗿𝗲𝘀 𝗚𝗔𝗢’𝘀 𝗖𝗵𝗶𝗻𝗮 𝗪𝗮𝗿𝗻𝗶𝗻𝗴𝘀. In recent testimony before the French Senate, Microsoft’s legal director confirmed that EU citizen data stored in Europe cannot be guaranteed against access by U.S. authorities. ➤ That reality stems from the U.S. CLOUD Act, which compels American companies to comply with U.S. legal demands regardless of where data resides. The U.S. and the EU are close allies — and it’s no secret that both collect data on each other. While Europe’s concerns about sovereignty are recognized, there is a deeper vulnerability that often gets overlooked: foreign-based U.S. defense contractors with “ties to China” or “Chinese partners” still embedded in domestic defense systems, may pose a direct risk of data exposure to all Allies (GAO Bid Protest Decision No. B‑423175 (and related filings B‑423175.3/B‑423175.4). ⚠️ “𝗖𝗵𝗮𝘀𝗶𝗻𝗴 𝗿𝗮𝗯𝗯𝗶𝘁𝘀 𝘄𝗵𝗶𝗹𝗲 𝗺𝗶𝘀𝘀𝗶𝗻𝗴 𝘁𝗵𝗲 𝘄𝗼𝗹𝗳.” This is not speculative. The Government Accountability Office (GAO)—one of Washington’s most non-partisan oversight bodies—documented these risks in its report GAO‑24‑106932, titled “Federal Contracting: Timely Actions Needed to Address Risks Posed by Consultants Working for China.” The GAO found that acquisition policies aren’t effectively directed to assess or mitigate risks from contractors tied to China—and these reports seldom reach a wider audience ➤That creates dual strategic vulnerabilities: ➤ Horizontal breaches → vendors spread across multiple defense programs. ➤Vertical breaches → these same vendors burrow deep into supply chains, lifecycle systems, and operational logistics. Meanwhile, unlike the Cloud Act—which operates under legal scrutiny—China’s reach is uncompromising. Under the National Intelligence Law (2017), all Chinese companies and citizens must comply with state intelligence requests. There are no allowances, no appeals, no sovereignty. As the 𝗟𝗶𝘁𝘁𝗹𝗲 𝗥𝗲𝗱 𝗕𝗼𝗼𝗸“ tradition emphasizes, loyalty flows only to the Party and the state. ⚠️ Here’s the stark dichotomy: ➤ Europe demands data sovereignty from U.S. companies—but the U.S. can’t legally guarantee it. ➤ The U.S. ignores GAO’s warnings about China-linked contractors within defense infrastructure. ➤ And every nation, regardless of geography, wants reassurance that its data and supply lines are secure. This isn’t merely about policy or compliance. It’s about strategic resilience. True sovereignty isn’t determined by where your servers are, but who ultimately controls the lines of access and influence. ✒ Linda Restrepo Editor-in-Chief | Inner Sanctum Vector N360™ Where global leaders get heard. Archived in the U.S. Library of Congress. #DataSovereignty #CyberSecurity #DefenseLogistics #CloudAct #NationalSecurity #SupplyChainRisk #HybridWarfare #GAO #ChinaPolicy #StrategicResilience #N360

🏛️ What experts knew, Microsoft finally admitted Microsoft France's legal director recently testified before the 🇫🇷 French Senate about data protection. When asked whether he could guarantee that French citizens' data would never be transferred to US authorities without explicit authorization, he replied: "No, I cannot guarantee that." Microsoft admitted what many of us have been saying for years: American companies follow American laws 🇺🇸 , no matter where they put their servers. - All those European data centers? - The local staff monitoring access? - The "sovereign" cloud services with EU-only promises? ❌ None of it matters when the Cloud Act comes into play. The technical director tried to soften the blow: "European customer data won't leave the EU." But the data doesn't need to leave - US authorities can access it remotely under US law. Amazon, Google, Oracle - every American cloud provider is bound by the same rules. They're all extensions of the US government when it matters. European governments have been paying billions for the illusion of sovereignty. Detailed compliance reports that mean nothing when geopolitics gets serious. The Cloud Act makes this crystal clear: US companies serve US interests first, no matter where they put their servers. #DigitalSovereignty #CloudAct #DataProtection #EuropeanCloud #TrustInTech #PrivacyByDesign

Digital Sovereignty Is Not a Destination. It’s a Design. Hyperscalers are reshaping the sovereign cloud conversation. With regional personnel controls, customer-managed keys, and compliance features branded as sovereign-ready, they’re gaining traction. But the underlying tension remains: the infrastructure may be local, yet the legal authority often isn’t. Foreign laws like the CLOUD Act still cast a long shadow over who ultimately controls access to the data. This creates a structural trust gap. At the same time, many nations are not yet ready economically, operationally, or technically to build and scale full sovereign clouds today. That’s a reality, not a failure. But sovereignty isn’t binary. It’s layered. It’s about retaining control even when you don’t yet control the hardware. SelectiveTRUST™️ from KnectIQ provides that dynamic, secure and flexible trust ecosystem. It gives sovereign nations the ability to assert jurisdictional control over cryptographic policy, access, and collaboration, even while data is temporarily housed in hyperscaler environments. With SelectiveTRUST, the trust boundary shifts to the edge, outside the cloud provider’s reach. This allows nations to: • Meet domestic data protection requirements, even when using foreign infrastructure • Establish sovereign trust boundaries at the cryptographic layer • Lay the groundwork for national clouds to be deployed on their terms, in their time, on their soil It’s not about choosing hyperscaler vs. national cloud. It’s about maintaining sovereign policy control while creating a clean glidepath to future national digitally sovereign infrastructure. Smart nations don’t let complexity stall progress. They take control now and scale sovereignty over time. That’s what SelectiveTRUST enables. ⸻ Michael McLaughlin Jarmo Sareva Gry Rabe Henriksen Stefan Lee Brendan Dowling Rachel Howard Paul Maley Christopher Pyne Chris Crozier (GAICD) Stephane Massonet Chris Nott Terry Halvorsen Dwight Shepherd, Rear Admiral (Ret) Stephen Davies Mihoko Matsubara Raymond van Veen Ursula von der Leyen @Luke O'Brien #DigitalSovereignty #ZeroTrust #SelectiveTRUST #SovereignCloud #CyberSecurity #StrategicAutonomy #CLOUDAct #HyperscalerAlignment #NationalSecurity #EdgeTrust

BREAKING: Microsoft just announced their grand plan to protect European data from "foreign interference." Sovereign datacenters in Germany and France. European personnel controlling access. Customer-controlled encryption. Sounds familiar? They tried this exact playbook in China. Microsoft partnered with local Chinese companies to run "sovereign" datacenters. Same promises. Same marketing. Same "your data stays local" narrative. Here's what actually happened: When the US government wanted access to one specific Chinese customer's data, Microsoft simply shut down the entire datacenter. The Chinese customer? Locked out of their own data. The "sovereign" protection? Worthless. Now they're selling Europeans the same story. "Data Guardian" will ensure only European personnel control access. "External Key Management" gives customers control. "National Partner Clouds" operated independently. All meaningless when push comes to shove. The fundamental problem remains: These datacenters are still connected to Microsoft's global infrastructure. There are no "internet walls" in the middle of the ocean blocking data access. If the US government decides they want access to European data, and Microsoft has to comply, all these "sovereign" protections become theater. Why this matters for your organization: This isn't about bashing Microsoft's technology. Their cloud services are excellent. But don't let marketing promises about "sovereignty" drive your infrastructure decisions. Make choices based on: Your actual compliance requirements Real data residency needs Operational control you can verify Contract terms that matter The lesson from China is clear: When geopolitics meets technology, sovereignty promises crumble fast.

Microsoft confirms: U.S. law overrides Canadian data sovereignty. Now what? The recent admission by Microsoft France that U.S. legal requests take precedence over EU (and by extension Canadian) law should be a wake-up call for Canada. Data residency is not data sovereignty. Hosting Canadian government, military, and citizen data on U.S.-based platforms means it remains subject to the CLOUD Act—no matter where the servers are located. This is not just a privacy issue; it’s a sovereignty issue. As the Government of Canada defines it: “Canada’s right to control access to and disclosure of its digital information subject only to Canadian laws.” When U.S. companies can hand over Canadian data without Canadian oversight, that right is compromised. The takeaway is clear: - Procurement is policy. Every contract signed with a foreign-owned cloud provider effectively cedes sovereignty. - Canada needs a sovereign AI and cloud stack. Without domestic alternatives, Canada will always be forced into dependency. - Urgency matters. With critical systems in defence, health, and infrastructure already tied to U.S. providers, the risk is not theoretical. At Canada’s AI Sovereignty & Innovation Cluster (CAISIC), our mission is to ensure Canada has the capacity to build, govern, and trust its own AI and digital infrastructure. Microsoft’s testimony only confirms the urgency of this work. The question is no longer if Canada needs sovereign cloud and AI infrastructure, but how fast we can get it built. #AISovereignty #DigitalSovereignty #Canada Source: https://lnkd.in/gjXg4TbD

Europe is at a tipping point in cloud sovereignty. 72% of businesses now list data control as a top priority—but over 70% still rely on US hyperscalers, raising compliance and security flags under laws like the CLOUD Act. European providers are stepping up, not just with local storage but with full operational autonomy. Sovereignty isn’t just about keeping data in-region—it’s about choosing who governs it. Navigating this evolving landscape demands vendor-neutral insight, deep hybrid cloud strategy, and a commitment to operational independence.

Your data might be physically in another country, but it isn't in that country. If it's with an American company, it's in America. Microsoft's recent confirmation that U.S. law takes precedence over Canadian data sovereignty isn't just a tech issue, it's a privacy nightmare. We've been told our data is "safe" in the cloud, but the reality is more complicated. The CLOUD Act means a valid U.S. legal request can pull your information, no matter where it's stored. Relying solely on foreign cloud providers puts a company's data autonomy at risk. The real play here isn't just about security; it's about control. And right now, many of us have less than we think. Microsoft's precedent here sets us on a slippery slope. #DataSovereignty #CloudComputing #TechPolicy #Privacy #CLOUDAct

Would you live in a home where someone else holds the keys?   That’s the essence of data sovereignty: ensuring that your most valuable information: such as customer records, IP, and financials, remains under your legal, operational, and strategic control.   It’s like making sure the keys to your digital home stay in your hands.   AI thrives on data. It feeds algorithms, shapes outcomes, and influences real-world actions. But when that data is stored in environments governed by external jurisdictions, you risk losing visibility, agility, and trust.   The goal isn’t to avoid the cloud, but to use it with sovereignty in mind.   In our daily work, we support CIOs and organizations in building infrastructure and data strategies that are local, trusted, and aligned with company’s values and regulations.   🔐 Data sovereignty means knowing who's at the door and who holds the key.   That’s how CIOs can secure the foundation and give leadership the clarity and control needed to make data - and AI-driven decisions, securely.   #DataSovereignty #AI #Leadership #iwork4dell