The sovereign cloud and offshore hosting are two seemingly opposite concepts that both have an important role in maintaining data protection through data residency. “Data residency” is the legal jurisdiction where the data for your information systems are stored and processed. While a “sovereign cloud” brings data closer to your headquarters, branch offices, or customers, “offshore hosting” purposefully places data in a foreign jurisdiction with strong privacy and freedom of speech laws.
The purpose of adopting a sovereign cloud is usually to comply with local laws and regulations, which is especially important for government organizations and regulated industries such as finance, legal, healthcare, and education. On the contrary, offshore hosting is usually sought out where the perceived protections of a foreign country’s data protection laws are stronger than in one’s own jurisdiction.
This may be particularly important for journalists, activists, and NGOs who are carrying out activities which are legal, but that may face persecution from local authorities. Also, offshore jurisdictions often offer advantages for business, tax, and financial planning – serving as robust financial centers with good quality banking and legal systems. As you expand your business abroad, moving your infrastructure to such jurisdictions may help strengthen ties with local employees, service providers, and trading counterparties.
Here at Autoize – we focus on helping customers make use of open source, self-hosted software applications that can reside in either a sovereign or offshore cloud. Notably, the list of applications includes privacy respecting alternatives to Microsoft 365 and Google Workspace, in addition to AI applications that expressly do not use your prompts or embeddings for their own model training.
The applications that we support rely on industry standard environments such as virtualized Linux servers, Docker containers, and Linux Foundation-certified Kubernetes distributions. Wherever supported, we also use open source DBMS backends such as MariaDB/MySQL, PostgreSQL, and MongoDB. This facilitates the portability of your data between cloud providers, in case the need arises to move between hosting providers, or even to a private cloud at a later date.
Choosing an open source solution for your data with a cloud-agnostic architecture is your best defense against “deplatforming” by Big Tech companies which may decline to service customers with certain political leanings or in certain industries deemed “controversial.” Open source applications enable you to exercise your “free speech” rights without fear of running afoul of a centralized platform’s sensibilities or biases.
What is Sovereign Cloud? Compliance and Risk Minimization
A “sovereign cloud” leverages datacenters and personnel that exclusively reside within a single country, or a legal jurisdiction which has harmonized its laws in the area of data protection (e.g. the EU and European Economic Area for the GDPR). A sovereign cloud might be a public, community, or private cloud – available to all the customers of a particular cloud services provider, a group of customers (e.g. a “shared service” for a consortium of companies), or exclusively for a single customer (e.g. a country’s national government).
Sovereign clouds include the EU/EEA/Swiss regions of European cloud providers such as Hetzner (Germany), OVHcloud (France), Scaleway (France), and Exoscale (a subsidiary of Austrian-based A1 Group), as well as global cloud providers like Oracle Cloud which have established a local footprint to operate their European regions and limit the exposure to hostile legislation such as the US CLOUD Act.
In many cases, sovereign cloud providers are also able to provide attestations to compliance with regulatory standards such as FedRAMP, FIPS 140, ISO 27001, NIST 800, SOC Type II, or provide certain documentation (e.g. a Report on Compliance or Business Associate Agreement) which may help you comply with industry requirements such as PCI DSS (for card payments), FERPA (for education), or HIPAA (for healthcare).
We are seeing CIOs and CTOs increasingly seek out sovereign cloud solutions to accelerate their organization’s journey to the cloud, where it may not have otherwise possible (due to regulatory requirements or risk) with other public cloud offerings. When a sovereign cloud strategy is properly implemented, it’s a win-win for developers/IT and executives.
What is Offshore Cloud? Free Speech and Privacy Protection
An “offshore cloud” is usually situated in jurisdictions that are deemed to have strong data protection laws that favor free speech and privacy protection. In practice, it is important to choose a country with a strong judiciary and rule of law, where the letter of the law is enforced in the spirit of which the law was written, without prejudice to political pressure from domestic or foreign actors. A country with a robust rule of law will typically refuse to order its local telecommunications providers to divulge information to foreign law enforcement unless there is “probable cause” to suspect a criminal act in both countries (the concept of “dual criminality”).
In general, countries deemed to strongly protect privacy and freedom of speech include Finland, Iceland, Norway, Singapore, and Switzerland, but the best option for your particular use case will depend on your specific threat model. For example, for some political speech or journalistic reporting, the First Amendment of the US Constitution and the prohibition of the FISA law on surveilling domestic targets may actually provide stronger protections than going abroad to an offshore jurisdiction. On the other hand, if you are an international company that is mainly concerned about escaping the prying eyes of the “Five Eyes” or “14 Eyes” intelligence alliances or harassment from your home government, then the offshore jurisdictions may be more favorable.
Professional service providers such as attorneys, accountants, offshore consultants, and corporate service agents (CSPs) routinely handle clients’ sensitive documents including: passports, ID cards, tax returns, financial statements, business registrations, commercial invoices, address verifications, and background checks. These offices may particularly benefit from situating their information systems in the same offshore jurisdiction(s) where they transact business. As many of their clients hail from countries with delicate political situations, they will certainly feel a greater peace of mind with a provider who has taken extra steps to safeguard their affairs in a reputable jurisdiction.
Our solutions based on Nextcloud Hub, Collabora Office, and eID Easy are even equipped to provide secure file drops for each client, watermarking of documents for viewing in a secure, virtual data room, and collecting legally binding, qualified e-signatures (QES) using government-issued smart cards.
The Difference Between Privacy and Security
Privacy and security go hand-in-hand. Without security, there is no privacy. Therefore, no discussion of data protection is complete without also considering the measures you need to take to protect your cybersecurity.
Storing your confidential data in your own country, or a different country with laws that you trust can protect your privacy from being intruded upon by legal authorities such as law enforcement, whose investigative powers are (theoretically) limited in scope by the law. In most civilized countries, law enforcement cannot generally introduce evidence into the courtroom that is gathered using unlawful means – the so-called “fruit of the poisonous tree.” However, even in such countries with strong “rules of procedure and evidence”, there are regular examples of malfeasance by police departments, state, and federal agencies – furthering their investigation using evidence that is later deemed inadmissible.
Security becomes much more of a consideration than any country’s privacy laws when your threat model involves actors who are willing and able to go beyond the confines of the law to achieve their objectives. This is particularly true if the threats are coming from abroad, where it may be difficult or impossible to begin an inter-jurisdictional investigation or lawsuit. Examples of these actors might include: competitors engaging in corporate espionage, unscrupulous politicians who may have co-opted government bodies, to outright criminals and stalkers. Attackers also commonly use no-logs VPNs, anonymous proxies, “bulletproof” hosting providers, botnets, and dark web protocols like Tor to mask their activities from being traced back to their physical IP address – where their identity could normally be revealed by subpoena.
The recourse you may have under laws that prohibit “hacking” or “unauthorized access to a computer system” can usually only be pursued through the legal system long after the alleged harm has occurred. A “defense-in-depth” approach to security can deter and prevent unauthorized access to your confidential information in the first place, preventing harm to you and your business partners. As the saying goes, an ounce of prevention is better than a pound of cure.
How Cybersecurity Contributes to Protecting Privacy
All information systems we design on behalf of our clients keep in mind security best practices, such as proper network architecture, firewall configuration, encryption of data in-transit, and authentication for critical services such as your database. For clients at a heightened risk of intrusion or who handle particularly sensitive data, our architects are knowledgeable in employing additional security measures such as:
- LUKS encryption of data at-rest, including on clustered filesystems
- Network level antivirus, and rule-based detection of ransomware activity
- Web Application Firewall (WAF) against OWASP and MITRE attacks
- Geo-fencing your applications from hostile countries, regions, and ASNs
- IDS/IPS identification of emerging threats in your network traffic – based on open and enterprise rulesets (for example, Abuse.ch or Proofpoint ET Pro)
- Centralized management of “secrets” such as passwords & access tokens
Our mission is to defend the world’s professionals, human rights defenders, and businesses from unwarranted intrusion into their legitimate affairs through secure sovereign and offshore cloud solutions.
Contact our Cloud, SecOps, & AI consultants to discuss your needs. You may also write to us securely from your ProtonMail account or any PGP-encrypted email using the information displayed at this page.
