Governments and public sector customers around the world are looking to accelerate their digital transformation, creating opportunities for social and economic growth and enhancing citizen services. Last week, Microsoft announced Microsoft Cloud for Sovereignty, a new solution that will enable public sector customers to build and digitally transform workloads in the Microsoft Cloud while meeting their compliance, security and policy requirements. Public sector customers can now harness the full power of Microsoft Cloud, including broad platform capabilities, resiliency, agility and security. With the addition of Microsoft Cloud for Sovereignty, they will have greater control over their data and increased transparency to the operational and governance processes of the cloud.
Governments are obligated to meet specific requirements for varying data classifications including data governance, security controls, privacy of citizens, data residency, sovereign protections and compliant operations following legal regulations like the GDPR (General Data Protection Regulation). The Microsoft Cloud for Sovereignty — offering governance, security, transparency and sovereign technology — combined with strategic partners can support the digital transformation of government customers unlike any other cloud provider in the world.
Helping customers leverage the cloud while meeting their unique needs
Microsoft Cloud for Sovereignty is being built on the Microsoft public cloud to accelerate digital transformation while creating a customized experience adhering to government requirements. Government customers will have the power of the public cloud, addressing low cost, agility and scale expectations, with the full breadth of capabilities like modern developer services, agile infrastructure, secure DevOps, open-source platforms, modern collaboration and low-code development. Additionally, Microsoft Cloud for Sovereignty customers will continue benefiting from Microsoft’s global security signals, analyzing over 24 trillion signals every day to identify and help protect against local attacks.
Data residency
The foundation of Microsoft Cloud for Sovereignty will start with Microsoft Azure regional datacenters. Today, with 60-plus cloud regions, the Microsoft Cloud delivers the broadest capabilities and innovation with data residency and proximity in more locations than any other cloud provider, enabling residency options for the entire Microsoft Cloud including Microsoft 365, Dynamics 365 and Azure. Enabled by Microsoft’s industry-leading policy controls, customers today can meet many regulatory requirements and implement policies to contain their data and applications within their preferred geographic boundary. Customers can specify the country or region for most service deployments with the ability to satisfy industry, national, or global security, privacy and compliance requirements.
Microsoft has the most comprehensive compliance coverage of any cloud service provider with 100-plus offerings including more than 50 which are specific to global regions and countries. Microsoft engages with governments, regulators, standards bodies and nongovernmental organizations to understand emerging requirements and ensure a fast and effective enablement of critical compliance needs.
Sovereign controls
Microsoft Cloud for Sovereignty will deliver capabilities that will provide customers with additional layers to protect and encrypt sensitive data. These capabilities span the entire Microsoft Cloud from cloud infrastructure, platform services and Software as a Service (SaaS) offerings like Microsoft 365, Dynamics 365 and Power Platform. Customers can leverage Azure Confidential Computing, an innovative technology offering sovereign protection with Confidential Virtual Machines and Confidential Containers. Microsoft’s unique offering utilizes specialized hardware to create isolated and encrypted memory called Trusted Execution Environments (or TEEs). Customer-owned encryption keys are confidentially and securely released directly from a Managed HSM (Hardware Security Module) into the TEEs executing on customer encrypted data. This secures customer keys, even while in-use, and ensures data is encrypted while at rest, in transit, and in use, helping protect data and keys against numerous security risks and operator access. Customers can benefit from this capability without having to change their application, creating an easy opportunity to leverage the power and scale of the public cloud while still ensuring their data is encrypted at all times. Confidential Compute capabilities extend into purpose-built platform services such as Azure SQL Always Encrypted with secure enclaves and Azure Confidential Ledger.
SaaS solutions like Double Key Encryption allow users in Microsoft 365 to classify emails and documents as “sensitive,” encrypting the customer data using customer-provided keys to protect data from both security risks and operator access. Furthermore, the Customer Lockbox for Microsoft 365, Customer Lockbox for Microsoft Azure, Customer Lockbox for Power Platform, and the forthcoming Customer Lockbox for Dynamics 365, all ensure that Microsoft will only access customer data to execute service operations when given explicit customer approval.
For customer workloads that require additional proximity, physical/operator control and separation, Azure Arc extends our Azure cloud services, management and governance capabilities into an existing or new on-premises environment. With this, customers can already secure and govern infrastructure and apps anywhere, build cloud-native apps faster with familiar tools and services to run them and modernize their data estate for consistent cloud operations
To simplify the complexity of the spectrum of data classification requirements, Microsoft Cloud for Sovereignty will include a Sovereign Landing Zone, a solution to simplify the architecture, deployment workflow and provide intelligent tools to orchestrate operations of Microsoft’s various security services and policy controls in a streamlined manner. The Sovereign Landing Zone is being built upon the enterprise scale Azure Landing Zone to recommend and enforce regulatory compliance using Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) capabilities built into Azure, which make deployments automatable, customizable, repeatable and consistent. This landing zone will also extend into Azure Information Protection (AIP), enabling policy and labeling for access control and protection on email and document data. This landing zone will be flexible enough to allow customers to define custom policies to meet specific industry and regulatory requirements. The landing zone will span the Microsoft public cloud, with tools to maintain data residency, deploy sovereign controls, protect data classification and extend into hybrid deployments, creating a single solution for all application needs.
Governance and transparency
Microsoft Cloud for Sovereignty will increase cloud transparency by expanding the Microsoft Government Security Program (GSP) to critical elements of Microsoft’s cloud offering, starting with key Azure infrastructure components. The GSP provides participants with the confidential security information and resources they need to trust Microsoft’s products and services. GSP participants currently include over 45 countries, including the Philippines and international organizations represented by more than 90 agencies. Eligible participants receive controlled access to source code, engage on technical content about Microsoft’s products and services, and have access to five globally distributed Transparency Centers. Microsoft Cloud for Sovereignty will also enable audit rights to examine Azure’s compliance processes and evidence under non-disclosure agreements and available audit terms.
Expertise
From the outset, Microsoft Cloud for Sovereignty has been designed as a partner-led and partner-first solution. In-country partners will play a pivotal role in enabling customer success and delivering on government requirements.
Public sector customers worldwide are increasingly looking for customized cloud solutions that offer additional choice, flexibility and control. With the Microsoft Cloud for Sovereignty, customers will work with in-country partners that have industry and technical experience to help them plan, onboard, govern and operate their cloud environments with capabilities including data residency, confidential computing, document classification and hybrid deployments. Partners will also add value by working with customers to customize the Sovereign Landing Zone, assisting with the audit programs mentioned above, and providing extra readiness, support and transparency. Microsoft recognizes that public sector customers have valued relationships with local technology providers and that every country has unique needs. Microsoft Cloud for Sovereignty will offer the tools, the innovation, the processes and the transparency to put the power into the hands of knowledgeable and trusted partners that will support local governments on their digital transformation journey.
“We are beginning the initial private preview of Microsoft Cloud for Sovereignty in select locations, and we will share further details over time. As we continue to roll out and expand our solution footprint across our datacenter regions, we look forward to working closely with partners throughout the world to help government customers digitally transform, leveraging today’s powerful capabilities of the Microsoft Cloud,” said Corey Sanders, Corporate Vice President, Microsoft Cloud for Industry and Global Expansion.