Microsoft Cloud for Sovereignty capabilities
Adopting cloud computing while meeting digital sovereignty requirements is complex and can differ greatly between organizations, industries, and geographies. Microsoft Cloud for Sovereignty addresses the sovereignty needs of government organizations. Further, Microsoft Cloud for Sovereignty is customizable and adheres to evolving local policies and regulatory requirements around the handling of data. Governments need not choose between digital innovation and control over their data, and digital workloads. They can implement secure, consistent, and compliant environments and adhere to evolving local regulations while taking full advantage of the cloud.
The benefits and value of running your applications in the Azure public cloud are substantial and include scalability, elasticity, resiliency, compliance, agility, and unmatched cybersecurity. The article Why sovereignty in Microsoft Azure public cloud explains the benefits and value of running your applications in the Azure public cloud. With Microsoft Cloud for Sovereignty, you can meet digital sovereignty and compliance requirements and still gain the benefits of the public cloud. Cloud for Sovereignty aims to simplify, standardize, and improve confidence in the digital sovereignty of the public cloud by providing tools and guidance throughout the cloud implementation lifecycle for IT professionals, information security officers, and decision makers. Cloud for Sovereignty supports both green field scenarios, such as migration of on-premises workloads to the cloud, and brownfield implementations, such as aiming to improve the digital sovereignty and compliance of existing cloud workloads.
Microsoft Cloud for Sovereignty provides capabilities across different layers.
- Built on top of the Azure public cloud capabilities.
- Regulatory compliance and transparency into the cloud operator's activities.
- Sovereign guardrails through codified architecture, workload templates, localized Azure Policy Initiatives, tooling, and guidance.
- Advanced sovereign control services like Azure Confidential Computing and Azure Key Vault Managed HSM.
Sovereign control portfolio
With the sovereign control portfolio, customers can add extra protection over sensitive workloads to prevent operator access to their data and resources, providing them with more data sovereignty. The portfolio includes Azure Confidential Computing, customer-managed keys, Azure Managed HSMs, and other Azure services. The Encryption and Key Management and Confidential Computing sections have relevant links to more detailed information.
Sovereign guardrails and guidance
Microsoft Cloud for Sovereignty provides access to codified architectures, workload templates, and tooling to help create compliant environments that meet sovereignty, privacy, and regulatory requirements. Additionally, Cloud for Sovereignty reduces the complexity of cloud implementations by providing capabilities that make the process simpler, predictable, and repeatable by design.
Cloud for Sovereignty capabilities capitalizes on existing concepts and services such as Infrastructure-as-Code, Azure Policy, and Policy-as-Code. The capabilities are:
The Sovereign Landing Zone, a variant of the Azure landing zone opinionated towards digital sovereignty (data residency, confidential computing, and more customer control over data).
Workload templates that accelerate the deployment of Azure workloads that are compatible with the SLZ policies by design.
A policy portfolio including the Sovereignty Baseline policy initiatives and policy initiatives with their mappings specific to a given country/region.
Compliance and transparency
Governments require confidence in the security and privacy of their data and the ability to keep innovating while protecting that data. They must also be able to meet their legislative or regulatory obligations and have more insights into the cloud operator's activities.
Microsoft Cloud for Sovereignty builds on top of the compliance and transparency capabilities that Microsoft already provides. Eligible customers can also take advantage of increased transparency over – and into – their environment's operations with tools and programs such as source code review, access to technical data, and transparency reports.
For qualified customers and government agencies, Microsoft Cloud for Sovereignty provides More transparency into Microsoft activities through transparency logs. Additionally, eligible government agencies can take advantage of the Government Security Program.
Public cloud capabilities
The foundation of Microsoft Cloud for Sovereignty is Azure hyperscale public cloud that delivers innovation, scale, and security significantly beyond private or on-premises data centers. Additionally, with the Azure public cloud, customers can benefit from the global security signal that analyzes trillions of signals daily to protect against cyber-attacks while adhering to their regional requirements. For more information, read Why sovereignty in Microsoft Azure public cloud.
Plan, Implement and Monitor
Microsoft Cloud for Sovereignty provides tools and guidance for IT professionals and information security officers throughout the cloud implementation lifecycle. The remainder of this article presents capabilities in the context of three stages of an implementation lifecycle and references detailed articles on each of the articles.
- Plan: Plan your cloud migration.
- Implement: Implement a sovereign and compliant architecture.
- Monitor and audit: Monitor and audit your data and workloads to keep them secure.
Plan
Public Sector organizations that have strict sovereignty requirements must incorporate their sovereignty objectives into their planning efforts. This process ensures that strategic decisions about cloud adoption align with those sovereignty requirements.
Evaluating sovereignty requirements
Microsoft Cloud Adoption Framework for Azure is a full lifecycle framework that enables cloud architects, IT professionals, and business decision makers to achieve their cloud adoption goals. The framework provides best practices, documentation, and tools that help you create and implement business and technology strategies for the cloud.
You can read Evaluate sovereign requirements to understand how to evaluate, identify, and document sovereignty requirements, and review recommendations for where these requirements can fit into broader planning efforts associated with the Cloud Adoption Framework for Azure.
Geo-availability of Cloud for Sovereignty
A key part of planning is to understand and evaluate the regional availability of sovereignty-related services. The article International availability of Microsoft Cloud for Sovereignty provides an overview.
Data residency options and the EU Data Boundary
Data residency is a common regulatory requirement for public sector data. Data residency requirements can limit where different types of data can be stored and processed. Some regulations might also impose restrictions on where data can be transferred. Microsoft Cloud for Sovereignty enables you to configure Sovereign Landing Zones (SLZs) to restrict the services and regions that can be used and enforce service configuration to fulfill the data residency requirements. For more information, see Data residency.
In addition, the EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process customer data for major commercial enterprise online services including Azure, Dynamics 365, Power Platform, and Microsoft 365. The EU Data Boundary provides data residency commitments beyond what Microsoft Cloud for Sovereignty manages, particularly around the residency of data for nonregional Azure services. For more information, see EU Data Boundary.
Cloud for Sovereignty policy portfolio
The Sovereign policy portfolio includes the Sovereignty Baseline policy initiatives and policy initiatives designed to help meet region-specific compliance regulations. These policy initiatives help public sector customers in their efforts to adhere to various regulatory frameworks quickly. These policy initiatives are accompanied by associated control mappings and documentation. For more information, see policy portfolio.
Implement
During the implementation stage, public sector organizations can accelerate the definition and deployment of sovereign environments using Microsoft Cloud for Sovereignty tools and guidelines.
Sovereign Landing Zone
Sovereign Landing Zone (SLZ) is a variant of Azure Landing Zone (ALZ) that provides an enterprise-scale cloud infrastructure focused on operational control of data at rest, in transit, and in use. An SLZ aligns Azure capabilities such as service residency, customer-managed keys, private links, and confidential computing to create a cloud architecture where data and workloads default to encryption and protection from threats. You can deploy an SLZ with a single PowerShell command and a few parameters.
SLZ is available on GitHub. For more information, see Overview of the Sovereign Landing Zone.
Workload templates
Workload templates provide production-quality, reusable, secure, and compliant-by-design automated deployments for common workload types. A workload template focuses on the properly configured deployment of one or more Azure Services in a reusable manner. For more information, see Workload templates for Sovereign Landing Zone.
Encryption and key management
It's crucial to implement the right encryption and key management strategy for a secure and sovereign implementation. For more information, see this article.
Azure Confidential Computing
Microsoft Cloud for Sovereignty helps customers configure and protect their data and resources in ways that comply with their specific regulatory and sovereignty requirements. It includes ensuring that parties outside the customer's control, including Microsoft, can't access customer data. Along with Azure confidential computing (ACC), Microsoft Cloud for Sovereignty provides customers with visibility into and control over all access to their workloads. ACC enhances customer sovereignty by removing or reducing privileged data access for a cloud provider operator and other actors, including software such as the hypervisor. ACC helps protect data throughout its lifecycle in addition to existing solutions, which protect data at rest and in transit. For more information, see Azure Confidential Computing.
Monitor and Audit
In addition to the rich set of services that Microsoft Azure provides to monitor your workloads and keep them secure, such as Azure Monitor and Defender for Cloud, Microsoft Cloud for Sovereignty introduces new capabilities and services.
Transparency logs
To earn the trust of sovereign customers, Microsoft Cloud for Sovereignty provides extra logging and monitoring controls that increase the level of transparency in Microsoft personnel activities. As a result, customers have visibility beyond standard public cloud capabilities to help in audit and access control requirements.
Transparency logs are available on a limited basis and subject to customer eligibility requirements. Approved customers receive a monthly report for their tenant that summarizes instances where a Microsoft engineer or support agent is granted temporary access to the customer's Azure resources.
For more information, see transparency logs.
Government Security Program
The Government Security Program (GSP) is an existing Microsoft program designed to provide qualified government participants with the confidential information they need to trust Microsoft products and services. The program includes controlled access to source code, exchange of threat and vulnerability information, engagement on technical content about Microsoft products and services, and access to Transparency Centers. Microsoft Cloud for Sovereignty has expanded the GSP program to cover some Azure services. For more information, see Government Security Program.