Trust in cloud security and sovereignty


Summary

Trust in cloud security and sovereignty means having confidence that your data is safe, remains private, and is governed by the laws and values of your own country—not by foreign authorities or providers. This concept is especially important as organizations move critical data to the cloud and seek to control who can access it, how it’s monitored, and where it’s stored.

  • Scrutinize legal frameworks: Always investigate which country’s laws apply to your cloud provider, as location alone doesn’t guarantee local legal protection for your data.
  • Prioritize operational control: Choose cloud solutions that allow you, or a trusted local provider, to manage data access, storage, and encryption rather than relying solely on contractual assurances or vendor promises.
  • Diversify your strategy: Reduce risk by adopting hybrid or multi-cloud setups, using a mix of local and international providers to balance sovereignty, compliance, and business needs.
Summarized by AI based on LinkedIn member posts
  • Marcel Warchaftig

    Mastering digital sovereignty: Your data, your rules! | Sales Lead New Business Western Europe at Nextcloud | 🤝

    4,459 followers

    What a surprise for the EU 😱 😉

    A recently published expert opinion commissioned by the German Federal Ministry of the Interior has sparked a pivotal discussion on data governance and sovereignty. According to the report, US authorities can exert far-reaching access rights to cloud data managed by US-based companies, even when that data is stored in European data centers and administered through local subsidiaries. This is because legal instruments such as the Stored Communications Act extended by the Cloud Act and Section 702 of FISA focus on the provider’s control, not the physical location of the servers.

    This finding is a firm reminder that simply hosting data on European soil does not guarantee protection from extraterritorial legal claims. It reveals structural risks in relying on dominant foreign cloud providers for sensitive data and critical digital infrastructure.

    For Europe to truly uphold its data protection principles and strategic autonomy, the conversation must go beyond compliance checklists and contractual assurances. We need stronger investment in #opensource digital infrastructure and indigenous technologies that reduce dependency on non-European platforms. Open source fosters transparency and auditability while enabling communities and businesses to build on systems that are not bound by foreign legal systems.

    If #digitalsovereignty is to mean more than a buzzword, we must accelerate our efforts towards resilient, interoperable, and locally governed alternatives. Only then can Europe ensure that its data is governed by the laws and values that its citizens and organisations expect.

    Source: https://lnkd.in/dtpXiwYN

  • Mark Butcher

    Digital sustainability & GreenOps advocate and industry speaker, helping people transform their IT services, making them more sustainable and cost effective

    11,967 followers

    What happens if the new US Government tears up the Cloud Act?

    Experience shows that without any warning they aren’t shy about ripping up international agreements (trade or otherwise). There’s growing concern that we could wake up one morning to find that the Cloud Act and associated digital sovereignty frameworks are gone with one stroke of a pen.

    This isn’t abstract fear-mongering. It’s a very real risk. Personally, I’d hate to be sitting in front of a Select Committee, or my CEO, explaining why we didn’t have a Plan B.

    If these legal protections disappear, UK and EU organisations could become non-compliant overnight, just by continuing to store or process personal data in US-owned public cloud infrastructure. That includes M365, AWS, Azure, Google Workspace, Oracle, Salesforce, Dropbox, the list goes on.

    All your data would be exposed to extraterritorial US surveillance or seizure, with no meaningful legal route to challenge it under UK or EU law. The EU–US Data Privacy Framework is already on shaky ground. If the US withdraws (again), UK firms relying solely on public cloud could be left stranded, with data protection regulators forced to respond.

    So, what’s the low-risk path forward?

    It’s hybrid cloud (on premise or hosted). But done properly and not a panicked knee jerk reaction, where the non-public cloud components are delivered and governed locally by you, or a UK-based provider under domestic law. Right workload, right place, right time... (and supporting UK businesses to grow and become future unicorns), growing our tax base and helping communities. This doesn’t just mindlessly tick compliance boxes. It also brings greater control, clearer governance, and a meaningful reduction in business risk.

    In this climate, that’s not a nice-to-have… it’s beyond essential. Even if you disagree, it's gotta be worth documenting why internally. Don't leave yourself exposed, it could be very career limiting.

    Can I sell it to you? Nope, not my bag. But there are plenty of awesome local providers who deserve your attention that I can point you at.

  • David Linthicum

    Top 10 Global Cloud & AI Influencer | Enterprise Tech Innovator | Strategic Board & Advisory Member | Trusted Technology Strategy Advisor | 5x Bestselling Author, Educator & Speaker

    193,877 followers

    🌍 The Shift in Europe: Moving Away from US Hyperscalers 🌩️

    As geopolitical concerns, data sovereignty, and pricing instability grow, European companies are making bold moves in their cloud strategies—and the implications are massive. Over the past 15 years, reliance on public cloud giants like AWS, Microsoft, and Google has skyrocketed. But now, we’re seeing a strategic pivot unfolding across Europe, as organizations mitigate risks and embrace alternative solutions to protect their future.

    🎯 Why the shift?

    ✅ Data Sovereignty: Stricter data protection laws like GDPR and fears over compliance with laws like the US CLOUD Act are driving demand for European-managed cloud solutions and sovereign cloud providers. Organizations are prioritizing control over their sensitive data and leaning into platforms that support their unique privacy needs.

    ✅ Security and Trust: Concerns over potential government interference, espionage, and vendor lock-in are making European businesses rethink their current reliance on US-based hyperscalers. The rising interest in diverse, multi-cloud strategies and locally governed services reflects the growing importance of trust in cloud decisions.

    ✅ Economic Predictability: Increasing costs from hyperscalers have raised concerns about long-term pricing stability. Enterprises are recognizing that forward-looking cloud strategies need to include providers that prioritize pricing transparency and tailored solutions.

    🎯 What’s the result?

    A diverse and dynamic cloud ecosystem is emerging in Europe, leaning on open-source technologies, sovereign cloud providers, and tailored private cloud solutions. Platforms like OpenStack and others are paving the way for digital transformation without compromising on compliance or strategy. As businesses explore these new approaches, multi-cloud strategies, hybrid environments, and innovative pricing models are becoming essential for mitigating risks and staying competitive within an ever-evolving cloud landscape.

    📢 This shift isn’t just about technology—it’s about geopolitics, trust, and long-term business resilience. Let’s embrace a future where diversity in cloud ecosystems fosters innovation, enhances security, and ensures sovereignty.

    What are your thoughts on this shift towards sovereign and multi-cloud solutions? 💭 Let’s discuss!

    #CloudComputing #DataSovereignty #SovereignCloud #MultiCloud #Geopolitics #Innovation

    Why Europe Is Fleeing The Cloud


  • Max Guhl

    Cloud Strategy & Transformation | Enabling secure growth in regulated markets | Pragmatic. Passionate. Purpose-driven | love Drifting 🏎️

    12,794 followers

    Everyone wants the "German Cloud" – but what does reality tell us?

    We often talk about digital sovereignty and the preference for German or European cloud providers. That’s an important goal – a clear statement about trust and data ownership. But let’s get real for a moment – and make a quick comparison: Everybody says they’d prefer to drive German. Quality, safety, reliability – it's deep in our mindset. But just look around in traffic: today’s streets are more international than ever. At the end of the day, price, features, or performance often win the race.

    That’s exactly the kind of contradiction that shows up in the Bitkom #Cloud Report 2025 – and it’s something every company in DACH needs to address in their cloud strategy. Here’s what the report tells us:

    🇩🇪 The preference is clear: 97% of companies care about the origin of their cloud provider. 100% prefer German and 96% EU data centers in direct comparison. The desire for digital sovereignty is massive.

    💸 The reality is pragmatic: Only 12% would accept longer waiting time for services, only 7% will accept 10–20% higher costs for that preference. And just 6% would tolerate compromises on usability or service.

    ⛓️ Dependency is real: 53% feel locked in by providers regarding pricing and terms. 78% say "Germany is too dependent on U.S. cloud companies".

    So what does this mean for your cloud strategy? The Bitkom report doesn’t just show growing adoption (90% usage, rising investment) – it highlights a strategic dilemma: How do we align the push for digital sovereignty with real-world needs like scalability, innovation, cost efficiency, and global competitiveness?

    The good news: We’re starting to see movement. More and more companies are adapting their strategies toward European alternatives. I expect that within the next 12–18 months, we’ll start to see real shifts – major rollouts, migrations, and new sourcing models becoming visible.

    The real question isn’t if we go to the cloud – but how. To make it work, we need:

    🔍 FinOps discipline: 51% expect rising costs. Without structured cost control, we’re burning potential.

    🔁 Robust multi-cloud strategies: To avoid lock-in and get the best from multiple ecosystems.

    🇪🇺 Competitive European offerings: Not just sovereign – but also powerful, user-friendly, and cost-attractive.

    We don’t just need the idea of a “German & European Cloud”. We need realistic and executable strategies to guide through the complexity of digital transformation – with sovereignty and innovation in mind. Because let’s face it: our IT landscapes will stay hybrid and diverse for a long time. What matters is how well we orchestrate and govern that mix.

    What’s your take? How do you navigate between sovereignty and the pragmatic realities?

    report: https://lnkd.in/eCjftxRx

    #cloudcomputing #CloudTransformation #DigitaleSouveränität #Bitkom #CloudStrategie #FinOps

  • Erik Hollander ☁️💰📉

    Microsoft License Expert | CEO | Agreement Negotiations | Audit Defense | Online Services Optimization | Microsoft Contract Benchmarking | 📭 erik.hollander@licenseq.com |

    8,155 followers

    BREAKING: Microsoft just announced their grand plan to protect European data from "foreign interference." Sovereign datacenters in Germany and France. European personnel controlling access. Customer-controlled encryption.

    Sounds familiar? They tried this exact playbook in China. Microsoft partnered with local Chinese companies to run "sovereign" datacenters. Same promises. Same marketing. Same "your data stays local" narrative.

    Here's what actually happened: When the US government wanted access to one specific Chinese customer's data, Microsoft simply shut down the entire datacenter. The Chinese customer? Locked out of their own data. The "sovereign" protection? Worthless.

    Now they're selling Europeans the same story. "Data Guardian" will ensure only European personnel control access. "External Key Management" gives customers control. "National Partner Clouds" operated independently. All meaningless when push comes to shove.

    The fundamental problem remains: These datacenters are still connected to Microsoft's global infrastructure. There are no "internet walls" in the middle of the ocean blocking data access. If the US government decides they want access to European data, and Microsoft has to comply, all these "sovereign" protections become theater.

    Why this matters for your organization: This isn't about bashing Microsoft's technology. Their cloud services are excellent. But don't let marketing promises about "sovereignty" drive your infrastructure decisions. Make choices based on:

      • Your actual compliance requirements
      • Real data residency needs
      • Operational control you can verify
      • Contract terms that matter

    The lesson from China is clear: When geopolitics meets technology, sovereignty promises crumble fast.

  • Dr. Gurpreet Singh

    🚀 Driving Cloud Strategy & Digital Transformation | 🤝 Leading GRC, InfoSec & Compliance | 💡Thought Leader for Future Leaders | 🏆 Award-Winning CTO/CISO | 🌎 Helping Businesses Win in Tech

    12,928 followers

    Your cloud isn’t a fortress. It’s a colander. 🔒

    When a major healthcare provider’s “secure” VPN was breached in 2023 via a compromised SaaS tool, attackers roamed undetected for 72 hours. Result? 200K patient records leaked. Their mistake? Trusting a perimeter that no longer exists.

    Why Traditional Security Fails in the Cloud

      – VPNs are attack highways: 1 stolen credential = Total network access.
      – Lateral movement thrives: 68% of breaches spread cross-systems once inside (IBM X-Force).
      – Static permissions rot: Employees keep access to systems they haven’t touched in years.

    Zero-Trust Fixes the Plumbing

    → Assume breach. Always.

      • Microsegment networks: A breach in marketing shouldn’t reach R&D.
      • Authenticate every request: Even CEO emails get verified.

    → Adopt “Never Trust, Always Verify”

      • Replace VPNs with granular access (e.g., Google’s BeyondCorp).
      • Enforce real-time device health checks before granting entry.

    → Log obsessively

      • Monitor east-west traffic (not just north-south).
      • Use AI to flag anomalies, like a dev accessing HR data at 2 AM.

    The Proof

      • Companies using Zero-Trust cut breach costs by 43% (Palo Alto Networks, 2024).
      • Google slashed breach response time by 94% after implementing BeyondCorp.
      • 81% of hybrid cloud breaches start with overprivileged users (Cost of a Data Breach Report).

    The perimeter is dead. Stop guarding gates. Start validating every handshake.

    #ZeroTrust #CloudSecurity #Cybersecurity

  • Marijn Markus

    AI Lead | Managing Data Scientist | Public Speaker

    101,329 followers

    🇺🇸🇪🇺✈️ Airbus wants a sovereign #EU cloud to keep its sensitive #data out of reach of #USA regulation, especially the Cloud Act. #Sovereignty won’t happen unless the market needs it. The recent Air France-Starlink episode made that clear. ☝️ What has changed is the geopolitical context. Rising tensions under the Trump administration make it a necessity for European firms to secure continued access to their data in case of escalation and to limit unwanted access enabled by the US #Cloud Act. That law allows US authorities to request data held by US companies even when it is hosted outside the US. This is why Airbus wants to avoid Microsoft, Amazon, and Google for its most critical applications. 📊 Airbus estimates an 80% chance of finding a fully European solution. If it works at this scale, it will show that sovereign cloud can work in practice, and others may follow. The big change is that the market now needs #sovereign solutions, whereas previous initiatives were politically driven (and mostly failing).

  • Sebastian Scheele

    CEO at Kubermatic

    7,356 followers

    🧼 Is your "Sovereign Cloud" actually sovereign, or is it just "Sovereignty Washing"? Here is a hard truth for CISOs: If your cloud provider says "Your data stays in Germany" but their support team in Seattle has root access... you aren't sovereign. If your provider says "Bring Your Own Key" but their software has to decrypt your data in memory to process it... you aren't sovereign. If your provider is a "local partner" but the underlying stack is licensed closed-source code from a US giant subject to FISA 702... you aren't sovereign. We have created a massive industry of "Compliance Theater." We are checking boxes to satisfy NIS2, while ignoring the technical reality that US tech stacks are fundamentally under US jurisdiction. Stop buying the label. Audit the architecture. #CyberSecurity #CISO #CloudArchitecture #SovereignCloud #Compliance

  • Alexander Leslie

    National Security & Intelligence Leader | Senior Advisor @ Recorded Future | Insikt Group | Cybercrime, Espionage, & Influence Operations

    9,789 followers

    🚨 ☁️ - New Recorded Future Insikt Group report!

    This research examines how cloud intrusions are converging on a consistent pattern: adversaries rarely need to deploy traditional malware once they obtain a valid identity. The operational pivot is quiet but consequential. Access now precedes tooling. After authentication, attackers increasingly rely on native platform functionality to enumerate environments, manipulate backups, alter encryption states, and move data through sanctioned workflows. From the system’s perspective the activity is compliant. The infrastructure does exactly what it was designed to do, just for the wrong principal.

    What emerges is a different kind of compromise. Historically an intrusion introduced foreign code into a trusted environment. In cloud environments the attacker instead borrows trust from the environment itself. Detection therefore becomes less about identifying artifacts and more about interpreting intent, which is a far less stable signal. Administrative behavior, automation, and malicious action begin to occupy the same telemetry space.

    That shift quietly reshapes response and policy. Attribution frameworks built around infrastructure and tooling struggle when the operational layer is indistinguishable from legitimate enterprise administration. Actions that produce real operational impact can occur through standard consoles, tokens, and APIs. The observable evidence increasingly looks like misused governance rather than external penetration.

    The dependence on shared platforms compounds this effect. A single compromised vendor or federated identity can propagate access across multiple tenants, turning what would once have been an isolated incident into a cross organizational event with systemic characteristics. The boundary between incident response and resilience planning narrows accordingly.

    Cloud security is therefore drifting away from the traditional model of defending systems toward validating authority. The practical question is less whether an environment was breached and more whether the actor operating inside it had the right to act at all.

  • Sri Elaprolu

    Director, AWS Generative AI Innovation Center

    11,984 followers

    🇪🇺 Amazon Web Services (AWS) just opened the AWS European Sovereign Cloud, and the technical architecture behind this is super fascinating for anyone building sovereign cloud solutions. 🔒

    This isn't just another region...it's a completely independent cloud infrastructure designed from the ground up for digital sovereignty. The architecture delivers physical and logical separation from other AWS regions, with all operations controlled by EU-resident employees. What makes this technically significant is that AWS has built this as a standalone environment while maintaining API compatibility and service parity with the broader AWS ecosystem.

    From an infrastructure perspective, customers get access to comprehensive cloud services across compute, storage, databases, networking, security, analytics, and AI/ML capabilities. All data processing, storage, and metadata remain within EU boundaries with cryptographic isolation and independent control planes. The platform supports modern application architectures including serverless, containerized workloads, and traditional infrastructure patterns.

    The technical implementation addresses 3️⃣ critical requirements:

      🔹 data residency (all customer data stays in the EU),
      🔹 operational autonomy (EU-resident staff control operations with no dependencies on non-EU entities), and
      🔹 resilience (independent infrastructure with multi-AZ architecture).

    For architects building regulated workloads, this means you can now deploy AI/ML pipelines, real-time analytics platforms, and mission-critical applications while meeting NIS2, GDPR, and sector-specific compliance requirements without architectural compromises.

    This represents a significant engineering investment in sovereign cloud infrastructure and opens new possibilities for European organizations to accelerate cloud adoption at scale. 🚀

    📖 https://lnkd.in/ej2hKtZm

    #AWS #CloudArchitecture #DigitalSovereignty #TechnicalLeadership
