As geopolitical tensions rise, organizations face new challenges for protecting their data in the cloud: shifting regulations and increased cyber risk. That means, in some cases, evaluating alternatives to major U.S.-headquartered cloud providers.
While use of a sovereign local or regional cloud provider reduces certain geopolitical risks, CISOs must consider the security challenges they pose on both sides of the shared responsibility model. Cloud providers under pressure to offer cloud sovereignty often do so at the expense of other business and technical capabilities. They typically have weaker security for their cloud infrastructure than hyperscale providers, often lacking native governance, resilience and security features and a third-party ecosystem to augment security controls.
CISOs, then, must ensure that their cloud workload placement appropriately restricts use of these alternative providers by focusing on security of the cloud and security in the cloud.
Ensuring cloud security
A cloud provider must secure its data center facilities, hardware, software and services. And it must defend itself against external cyber threats as well as have strong defenses against malicious insiders, because nation-states threat actors can place operatives within a cloud provider for espionage or cyber warfare purposes.
While many alternative cloud providers hold ISO 27001 certifications, that only certifies that the provider has made a good-faith attempt at security. It does not certify the actual security controls the provider employs to secure their environment.
To that end, CISOs should not treat ISO 27001, Germany’s BSI C5 Type 1 audit or similar audits as any guarantee of adequate security of the cloud — especially if the certification is not paired with a controls audit (such as BSI C5 Type 2).
Besides considering audit certifications when choosing an alternative cloud provider, CISOs also should confirm whether alternative cloud providers have firmware protection, secured internal access and data destruction elements in their infrastructure.
Security in the cloud
Cloud IaaS and PaaS both function on a shared responsibility model. While the cloud provider is responsible for the security of the cloud, the customer is responsible for the security of their own environment and data in the cloud.
That means the cloud customer must implement appropriate governance, cloud workload protection and other security measures. The organization is also responsible for determining what controls they want and for correctly implementing them.
Cloud configuration mistakes can lead to breaches. While provider-native controls are often ideal, many organizations choose to also implement third-party layered and compensation controls, which comes with their own risk. That’s the tradeoff: CISOs often are forced to treat alternative cloud services like on-premises operations, which ends up weakening the organization’s security posture and eclipsing the benefits of the cloud.
Unfortunately, not all alternative cloud solutions were designed for enterprise use. Many are geared for small businesses with a single IT administrator, with the assumption that the solution would host a public-facing website. Consequently, they often have deficiencies, such as a single-account model instead of multiple management partitions, full internet exposure instead of private networks and limited network security.
CISO playbook for working with sovereign cloud providers
CISOs must remain directly involved in approving sovereign cloud platforms, particularly for sensitive or critical workloads. The goal is not to block adoption, but to take a “yes, and here’s how” approach, enabling a mix of hosting options while keeping cyber risk visible and controlled.
Here are some tips:
Establish a clear understanding of sovereign and legal requirements
Work with legal counsel to identify applicable regulatory frameworks and the associated security, data protection and resilience requirements for each application and workload. This assessment must go beyond sovereignty alone.
Catalog and group workloads
Identify all in-scope workloads and group them based on regulatory obligations, internal security and resilience requirements, sensitivity, criticality and business impact. Aim to minimize the number of workload tiers, while still reflecting environmental complexity.
Define required controls for each workload group
Document the minimum effective controls for every tier, including organization-implemented controls, controls expected from the hosting provider and requirements related to sovereignty, localization and resilience. Input from multiple teams is essential, but the output must remain pragmatic and enforceable.
Assess regional and sovereign providers against control requirements
Use structured provider risk frameworks as a starting point and then evaluate in detail whether alternative platforms can meet the defined control baseline for each workload group.
Build a workload placement matrix
Create a matrix that includes all viable hosting options including global hyperscalers, hyperscale sovereign offerings, regional cloud providers and on-premises environments. Determine where non-negotiable sovereignty, security, resiliency and similar controls are, and are not, available.
Map providers to permissible workload types
Use the matrix as a decision rubric for workload placement. Some sovereign workloads may be suitable for regional cloud platforms, but many will be most effectively hosted on-premises based on the requirements.
The bottom line: Effective sovereign cloud decisions require CISOs to ensure that sovereignty objectives do not come at the expense of long-term security, resilience and capability.
Charlie Winckless is a VP analyst on Gartner’s Cybersecurity Leadership team. Gartner analysts will provide additional insights for security and risk management leaders at the Gartner Security & Risk Management Summits, taking place June 1-3 in National Harbor, MD, July 22-24 in Tokyo, Aug. 4-5 in Sao Paulo and Sept. 22-24 in London. Follow news and updates from the conferences on X and LinkedIn using #GartnerSEC.
