Sovereign with a European Cloud

In this article you will read about,

• what constitutes sovereignty in IT,
• how T Cloud Public meets sovereignty requirements and
• how T Cloud Public permanently ensures a high level of security.

Sovereignty in information technology is a buzzword that has been experiencing a renaissance for some time. Aspects of sovereignty play an important role for initiatives such as Gaia-X or Catena-X. Last but not least, the topic also has a strong political component. European companies that want to position themselves for the digital future are increasingly incorporating sovereignty aspects into their decision-making. They are looking for long-term planning security and maximum independence.

The problem with sovereignty: Depending on the perspective and situation of the respective organization, sovereignty can be interpreted in many different ways. A uniform definition will not be agreed on in the foreseeable future. Sovereignty solutions must meet specific requirements in certain deployment scenarios (use cases) – and this does not always have to be a high-end sovereignty solution. All stakeholders agree that the dream of perfect sovereignty is not feasible in a digital world. To achieve this, companies would have to have complete control over all services, from the chip to the cloud service; an illusory claim in the world of the 21st century, which is based on the division of labor. In a pragmatic approach, sovereignty requirements are therefore often based on the criticality of the processes supported and the sensitivity of the processed data.

As a European cloud, T Cloud Public meets some basic European sovereignty requirements by design. It is hosted exclusively in European data centers (Germany, Netherlands, Switzerland) and is operated exclusively by personnel based in Europe. T-Systems or Deutsche Telekom as a German company is committed to the European legal framework. Access by non-European authorities is not possible.

For T Cloud Public, four technical and organizational components are relevant in the sovereignty discussion: Data sovereignty, operational sovereignty, technology sovereignty and sustainability.

• Data Sovereignty: 
  Data that customers store or process on T Cloud Public is not accessed, manipulated, deleted or copied by anyone (including T Cloud Public employees). T Cloud Public offers platform-specific encryption procedures, among other things, but also offers customers encryption or key management outside of the cloud platform – without access for any T Cloud Public staff. Confidential computing is also available, which allows data to be encrypted during processing.
• Operational Sovereignty:
  By operating T Cloud Public in the EU and by having only EU-based employees, we can guarantee that none of the legal frameworks specified by the EU/GDPR can be endangered or compromised.
• Technology Sovereignty: 
  T Cloud Public is based on OpenStack. The open source software is developed and updated by a broad community. The community approach and continuous testing of compliance with the community specifications ensure that no dependencies arise. Customers have the option of migrating workloads to other platforms (including their own in-house resources) at any time thanks to the open standard. Open source is an effective instrument for preventing vendor lock-in.
• Sustainability:
  From the perspective of T Cloud Public, the importance of sustainability as a criterion for sovereign clouds will grow rapidly. The requirements for "green IT", which will be accompanied by increasing reporting in the next few years, mean that customers will also have to measure the future security of their platforms against their carbon footprint. T Cloud Public is provided from highly efficient data centers powered by electricity from renewable sources. With its internal Green Magenta seal, Deutsche Telekom already reflects sustainability requirements that are increasingly being laid down in binding legislation.

A large number of certifications attest to the high security level of T Cloud Public. To maintain this high level, T Cloud Public undergoes a regular, rigorous privacy and security assessment. Security experts check all extensions to the cloud. Components are tested in test environments before being released to customers. This also includes regular security and penetration tests that continuously check the cloud for vulnerabilities, compliance and suspicious network communications from inside and outside. The Telekom Security Operation Center monitors log data for suspicious activity.

Open Telekom is broadly positioned with three twin-core high-security sites and a total of nine availability zones, ensuring the availability of services. Staff must undergo regular security checks. In addition, T Cloud Public relies on standardized x86 servers. A multi-vendor strategy ensures that new hardware components are always available to meet growing demand. OpenStack as an open cloud operating system allows code reviews at any time. T Cloud Public is certified by the OpenStack Foundation: All software components are regularly checked for security, functionality and compliance with OpenStack standards.

Sovereign or not? Everyone will draw their own conclusions. However, as a European cloud, T Cloud Public fulfills a large number of sovereignty requirements "by design". Many customers have already been convinced.