What is T-Systems Sovereign Cloud?

Cloud computing is the leading asset in enabling digital transformation in Europe, and an overwhelming majority of businesses have already adopted it. Studies show that 75% of businesses within this region use cloud computing services to operate. This is because these enterprises have realized that the public cloud has the power to enhance their flexibility and responsiveness without any operational overhead.

Data sovereignty concerns in Europe

Given that the cloud has numerous benefits, its adoption is not universally simple across businesses or institutions in different industries in Europe. One particular concern is data sovereignty, especially for enterprises in regulated industries such as finance and healthcare. This is because major cloud providers, like Google Cloud, are not European-owned.

However, these cloud providers do assist European companies and some public corporations in collecting and storing data that originates in Europe. Consequently, there is a sense that European enterprises relinquish control over their data to these foreign cloud providers when they decide to innovate with the cloud.

Addressing data sovereignty concerns in Europe

Recently, European companies, organizations, and governments have collaborated to develop measures to address these data sovereignty concerns. Surrendering data sovereignty for cloud innovation is in direct conflict with this initiative. At the same time, eliminating cloud adoption is not an option since Europe’s economic growth potential relies on digitization. Therefore, a solution is needed that will enable European enterprises to migrate to the cloud while still maintaining complete control over their data and cloud infrastructure. This is where the sovereign cloud comes into play.

A sovereign cloud as the solution

Eine Sovereign Cloud refers to a cloud infrastructure that is designed and operated by a trusted entity within a specific jurisdiction to meet the desired digital sovereignty requirements in that jurisdiction. It works to ensure that the data generated within a sovereign state resides and is operated in that state, preventing it from being transferred across its borders without authorization. This helps enterprises and public corporations within the region to have a trusted environment for storing and operating their data in the cloud.

A sovereign cloud is built upon these principles:

Data sovereignty – control over encryption and access to data
Operational sovereignty – visibility and control over the operations of the cloud provider
Software sovereignty – the ability to run and move cloud workloads without being locked into a specific vendor

In 2020, Google Cloud set out to deliver its cloud services while ensuring the highest levels of digital sovereignty for its users. A year later, it successfully achieved this vision in collaboration with T-Systems for users in Germany.

T-Systems Sovereign Cloud: Cloud on Germany Region’s Terms

T-Systems Sovereign Cloud is a joint service offered by Deutsche Telekom’s T-Systems International and Google Cloud. It aims to provide a sovereign cloud for public and private organizations in Germany. In this partnership, T-Systems independently manages sovereignty controls such as identity management and encryption on GCP for users in Germany.

By leveraging T-Systems International’s (TSI) sovereignty controls, clients of Google Cloud in Germany can have more control over their data cloud infrastructure. This is particularly important for organizations in the public and private sectors that need to comply with Europe’s sovereignty requirements. All Google Cloud services will be available for users in this region, so they won’t have to compromise on functionality to achieve their sovereignty objectives. T-Systems is a trusted entity that will provide independent oversight over users’ workloads on Google Cloud.

Key Features

T-Systems Sovereign Cloud offers the following key features:

Enforcing data residency

It includes data residency controls that ensure that customer data originating from Germany is stored and processed exclusively within data centers in Germany. This data is prevented from being transferred outside the German borders. TSI restricts the deployment of workloads to the German region as part of the sovereign controls.

Support for sovereign controls

In the event that users in this region encounter issues, technical support will be provided by EU-authorized individuals within the EU region. This technical support may involve the processing of critical data, and having the support staff located within the EU region prevents data from being transferred across the borders.

External key management

TSI is responsible for storing and managing the encryption keys, which are kept outside of Google’s infrastructure. To decrypt customer data, a request is made to T-Systems for the externally managed key associated with the customer. Every request made by customers will be accompanied by a justification, and customers can programmatically block requests for any reason.

Fine-grained access control

T-Systems Sovereign Cloud will log and audit every time an admin accesses customer data or workloads. It will only allow access when the pre-defined conditions are met to ensure transparency.

Supported services

T-Systems Sovereign Cloud supports the following Google Cloud products and services. However, the implementation is different to meet the compliance requirements.

Cloud External Key Manager
Cloud KMS
GKE – Aggregate analysis of kernel issues is disabled
Cloud Logging – Log alerts and log-based metrics have been disabled
Cloud SQL
Cloud Storage – IAM handles access management to new buckets
Compute Engine – Local SSDs and viewing serial port output have been disabled.
Persistent Disk

This is simply a summary of the supported services. You can dive deep into policy constraints and how they impact these services from this guide.

In addition to the aforementioned features, T-Systems will also monitor cloud operations to enhance security. These features allow clients in this region to utilize Google Cloud as if it were a European service that meets European sovereignty requirements. As a result, T-Systems Sovereign Cloud is valuable for various use cases.

Use cases and the importance of Sovereign Cloud in the DACH region

As previously mentioned, EU countries have recently taken steps to prioritize data sovereignty. The T-Systems Sovereign Cloud service offers countries in the DACH region a sovereign cloud solution operated by a trusted entity (TSI). This means that organizations in this region can fully utilize the capabilities of Google Cloud without worrying about compromising data sovereignty.

This is perfect for the following use cases:

A digital patient journey in Healthcare

With T-Systems Sovereign Cloud powered by Google Cloud, a digital patient journey can be realized. Healthcare professionals in this region can store patient diagnoses, progress, test results, and any new developments on the patient’s digital file on T-Systems Sovereign Cloud. This helps to streamline patient referrals and clinical handovers and makes it easy for healthcare professionals to accurately monitor patients. By making this information readily available, T-Systems Sovereign Cloud offers patients comprehensive support in a time of distress while legitimately protecting their personal healthcare information.

Digital Sovereignty in the automotive industry

Multiple entities are involved when creating a car, and they work together to produce and service it. Each entity relies on data for process optimization, and with T-Systems Sovereign Cloud, they have a solution that allows sovereign data use in the cloud. For instance, steelworks (and other OEMs) have data on the correct alloying ingredients and manufacturing methods required to produce their product. They would not want other companies to access this information. T-Systems Sovereign Cloud ensures that they can process sensitive information on steel manufacturing without making it public. In addition, car manufacturers can collect valuable data on drivers’ usage behavior, which they can use to provide value-added services. T-Systems Sovereign Cloud allows for the legally compliant processing of personal data, enabling car manufacturers to legally obtain and utilize this information.

The application of T-Systems Sovereign Cloud extends to other manufacturing industries such as aeronautics, electronics, etc. If these industries need to process, send, and receive data on Google Cloud, they will find this solution valuable.

Conclusion

Protecting sensitive data is a top priority for the German region and Europe as a whole. This is why data sovereignty concerns are a barrier to innovation with the cloud for organizations in this region. T-Systems Sovereign Cloud alleviates these concerns by providing a cloud solution operated by a trusted entity (TSI). This ensures that organizations in Germany can comfortably use Google Cloud services to store and share their data without worrying about it leaving their borders.