The Disruptor Podcast

Sovereign Clouds Demystified: The Blueprint for Resilient, Secure, and Compliant Digital Businesses

September 21, 2023 John Kundtz

In this episode of The Cloud Collective Podcast, host John Kundtz interviews distinguished engineer Greg Pruett on the emerging topic of sovereign clouds. They discuss what sovereign clouds are, why they've become crucial for companies today, common mistakes to avoid when implementing them, and advice for getting started on the right foot.

 As we delve into Greg's personal and professional interest in Sovereign Clouds, we'll uncover the potential pitfalls and mistakes that businesses often encounter while venturing into Sovereign Cloud solutions.

Greg's experience shines through, providing listeners with a clear roadmap toward understanding and implementing Sovereign Clouds.

Whether you're a novice in the cloud computing world or an experienced IT professional, this enlightening discussion promises to enhance your understanding of Sovereign Clouds and their growing significance in businesses today.

Tune in for an insightful journey into the future of cloud computing!

Key Takeaways:

Sovereign clouds provide a new architecture to improve data privacy, control, and locality to meet regulatory compliance across borders. 

  • Mistake #1 is not thoroughly understanding the complex data privacy and sovereignty regulations that differ across countries.
  • Mistake #2 is overlooking the people and processes needed to properly control restricted data access based on location and other requirements. 
  • Consult experts to assess your data privacy and security posture across locations rather than trying to solve it all internally. Rethink cloud strategy to optimize for distributed data needs.
  • Sovereign clouds are critical, not just nice-to-have, for mastering compliance, securing data, and combating cyber threats in today's digital business environment.


Want to Learn More:

Learn more about designing effective sovereign cloud solutions by connecting with Greg Pruett on LinkedIn and checking out his in-depth blog article:  “



Sovereign Clouds Demystified, The Blueprint for Resilient, Secure, and Compliant Digital Businesses. 

John Kundtz: 

Hello, everyone. My name is John Kundtz, and welcome to this special edition of the Cloud Collective Podcast. 

Today, we'll be diving into one of the hottest topics in our industry right now: Sovereign Clouds.

I'm thrilled to have with us Distinguished Engineer and Sovereign Cloud Guru Greg Pruett. What he'll be offering us today: invaluable insights for those exploring sovereign cloud solutions, with tips on how to avoid common pitfalls and mistakes from the outset.

Greg, welcome to the show. How are you doing?

[00:00:44] Greg Pruett: Thanks, John. It's great to be working with you since we worked together back at IBM. 

[00:00:49] John Kundtz: Yeah, we got together down in Austin a few months ago, and it was interesting to reconnect and see your journey and your background, and this should be a fun time together. 

Greg, as I relearned, I knew that back in the day when we worked together at Big Blue, you've had a really impressive technical career. I would just take our viewers or our listeners through, walk us through the pivotal moments and some of your experience that has shaped your IT journey and how it developed you to be today involved in even starting to develop this expertise in Sovereign Cloud. 

[00:01:25] Greg Pruett: Thanks, John. Let me share a little bit about my background. I'm currently a vice president and Distinguished Engineer in the Kyndryl CTO office, responsible for private and hybrid cloud. As you said, my background is very technical.

I spent a lot of my career building systems, building system hardware, and system software in multiple companies. Prior to coming to Kyndryl, I actually ran an innovation lab at my previous company, and we worked with top industry partners on developing advanced technologies. In that role, I did a lot of studies on security hardware and software to help combat this massive rise in cybercrime.

Actually, a personal note: if you've read my recent blogs, you've seen that my family was personally affected by a ransomware attack that occurred at the University of Manchester in the UK, where my daughter was doing an international study.

Cybercrime, cyberwarfare, and data theft are now absolutely pervasive issues for everyone, for governments, for businesses, and for individuals. 

So, I have both a professional as well as a personal interest in CyberCloud. 

[00:02:51] John Kundtz: I did see that on one of your blog posts, and yeah, that was a very interesting, a sort of a scary experience—one of the blog posts on Sovereign Cloud that piqued my interest in doing this podcast. So, for listeners outside of Kyndryl, if you are a distinguished engineer in Kyndryl, you are one of the top technical practitioners.

So there's very few of them, and I've had great respect and admiration for the distinguished engineers and the fellows that I've worked with over my career, both at IBM and now here at Kyndryl. All right, for listeners who may be unfamiliar with this concept we're talking about, what exactly is Sovereign Clouds, and why have they become so crucial for companies today?

[00:03:35] Greg Pruett: Yeah, first off, Sovereign Cloud is a fairly recent term in the industry. So, if you haven't heard the term, it's not like you've missed out on a big wave. But it's a very recent and very relevant discussion right now. Sovereign clouds provide a new architecture to improve data control and privacy.

Governments are increasingly viewing data privacy and data control as an issue of national security. And so what you're starting to see is more and more governments passing laws related to requirements for data control. Many countries, I think over 120 countries, now have laws that govern data privacy.

And let me define the term data sovereignty. Data sovereignty is the requirement that private data be kept in country or in the region where it was created. Certain types of data are restricted and cannot be transmitted across national borders. And laws require that data and applications using the data can only be accessed by approved people in country.

Constructing a sovereign cloud is a way to address these requirements, these legislative requirements around the world. A sovereign cloud can be a public or private cloud. In fact, we're seeing many of our clients implement them as private cloud. The cloud operates in a particular country, and it meets local compliance and privacy standards. So, with a sovereign cloud, all data stays on sovereign soil and is operated by local residents. 

In Kyndryl, Sovereign Cloud is a cross-practice collaboration. We're working together across multiple practices: the cloud practice, Kyndryl Consult, Network and Edge, and Security and Resiliency. We're working together to build comprehensive solutions for our clients to address these challenging times.

[00:06:05] John Kundtz: Greg, it sounds like many things, particularly as you get more advanced and more complex, it's not just about a bunch of technology that's linked together or connected. It's really about some processes and some skills and some governance to keep the data where it's supposed to be and not let it go to where it shouldn't be.

That's my simple vision of what you just said, and as we all know, that's harder said than done. It sounds like a simple concept, but I think with data becoming so powerful, particularly in the world of AI, he who owns the data and controls the data it's gonna be a competitive advantage. 

It could be a disadvantage if the wrong people got hold of your corporate IP or your corporate data, whether you're in finance or healthcare, or it could be costly to a company if you violate GDPR rules in Europe. It could be financially detrimental, but it could also be from a compliance standpoint, like I said, the wrong people getting hold of the wrong data. Does that make sense? 

[00:07:11] Greg Pruett: Yeah, absolutely. I think it's an issue for individual consumers and their own data protection. It's an issue for businesses, and businesses can be fined by not following data privacy standards. And, like I said earlier, it's now considered an issue of national security by the government. 

[00:07:32] John Kundtz: So what I've learned in my almost four decades of being in technology is that a lot of these kinds of newer initiatives or approaches or concepts, people jump on the bandwagon and then try to go full steam ahead.

And so I appreciate just level setting what Sovereign Cloud is, but the other thing I want to just spend some time talking about is if you were to give somebody that's interested in moving forward. 

What are the two most common mistakes you've seen organizations encounter when they're trying to move to a sovereign cloud architecture?

[00:08:09] Greg Pruett: That's an interesting question, John. I would say probably the most common mistake is trying to design a cloud strategy without a thorough understanding of all the recent legislation around data privacy and sovereignty. Maybe it's not as much a mistake as it is just a lack of knowledge or the complexity of the current environment.

The global landscape for these data privacy regulations is not uniform. They differ from country to country, and even within the EU, they differ from country to country in some ways. So, this can be difficult to navigate and even more difficult to stay current on everything.

John, you just mentioned GDPR, and I expect many of our listeners are likely familiar with GDPR. This is the European Union's General Data Protection Regulation. I consider this to be a set of groundbreaking legislation for privacy and data protection that went into law back in 2018. And in many ways, GDPR started this discussion of Sovereign Cloud. It kicked off a lot of derivative legislation around the world.

And today, more than 120 countries have international data privacy laws. 

[00:09:37] John Kundtz: Which means if you don't understand what each of those 120 countries, the nuances of the idiosyncrasies, you have to understand each one of those. That's a lot of work if you're trying to do business in even a handful of those countries.

With all the training we've had, there's certainly financial consequences if you inadvertently don't comply to the GDPR or other in-country regulations. What you're saying is first mistake is to understand what you're designing towards or what you're architecting towards first so that when you build it, it will meet the needs of the area of the country where you're doing business.

Did I paraphrase that correctly? 

[00:11:17] Greg Pruett: Absolutely. In my mind, a lot of companies have been on cloud journeys, and the cloud journey from the past decade has always been about cloud first. Let's build a strategy to move all of our IT to the cloud. And I think that discussion's changed, quite honestly. I think because of data privacy, data control, the calls of widespread cybercrime, and new geopolitical concerns, data is now a key consideration in the design of cloud.

It's driving people to build much more thoughtfully and be much more careful in their design of data, location, and construction of hybrid clouds. 

[00:10:19] John Kundtz: Interesting. Very interesting. So that was number one. So, what's the second one you would suggest people think about before they move forward? 

[00:11:16] Greg Pruett: I would say as a second mistake is thinking about the design of Sovereign Cloud as just being about the IT systems.

Sovereign Cloud, in particular, is also about people and processes. Sovereign Cloud really requires a robust operational model, and the key to that is the user access controls to be able to ensure access to the data based on a number of things that you may not normally think about. I mean, access to the data has to be controlled by geolocation.

It has to be controlled based, in some cases, on the nationality or the residency of operators or people accessing the data, and this has to be controlled not just on storage devices but also through any application or any APIs that can access the data. In certain cases, data access may be even further restricted to certified staff or citizens with a certain security clearance if you think about government or military-type applications.

So processes have to be employed. Place to ensure those access controls and to continuously review those access controls and make sure the right people can access the right data. 

[00:12:47] John Kundtz: I guess it's how things change and then how they stay the same. I think the technology is the easy part. I used to refer to it when I was in the IBM consulting group, and it was the three-legged stool.

We needed the technology for sure, but if we didn't have the skills and the people and the processes to deploy it and use it, I always say, you take one of those legs off the stool, and the stool falls over. And it sounds like it's very similar. 

[00:13:17] Greg Pruett: One more thing to think about in terms of that operational consideration.

If you're already using consulting or service providers, you may also need to re-evaluate your contracts or your agreements to understand the capabilities of your service provider to actually operate locally in country. Your service provider needs to be able to provide local delivery personnel and needs to provide operational procedures that can be fully executed in country without having to use global processes. So, all of those things are things to think about in terms of operational model.

[00:14:01] John Kundtz: Great points. All right. I want to start wrapping this up for any businesses that are just embarking on this journey. What would be the number one piece of advice you'd tell them today to get started and get off on the right foot?

[00:14:15] Greg Pruett: Actually, what I think I would say is you don't have to do it all yourself. Schedule time to consult with experts on your data privacy and your security posture. You can bring in a consultant to do an assessment of your readiness for data sovereignty legislation in various countries where you operate.

It's hard to be an expert on all of the legislation in many countries, so my advice would be to look for help, and I'll be open to rethink your cloud strategy. Think carefully about how your cloud strategy will be affected by data sovereignty requirements. Many enterprises are now adjusting their approach to cloud, no longer just move everything to public cloud but instead focusing on optimizing their fleet as a distributed cloud based on data requirements.

[00:15:14] John Kundtz: Really, really interesting. This is probably a topic that we could probably spend an hour or two talking about. So, I do appreciate scratching the surface. It's been tremendously insightful. Thank you for lending your expertise. And for those that are interested in learning more, what resources would you recommend on the topic besides your blog post on LinkedIn, which I will put into the show notes, it's very detailed, and it gets into a good technical perspective as well.

[00:15:44] Greg Pruett: Thanks, John. It's an honor for you to think of me and include me here on your show. I really appreciate that. 

You already mentioned I have a blog series on LinkedIn, and I wrote a rather thorough article on Sovereign Cloud. We also have other materials with a Sovereign Cloud point of view that are available on LinkedIn.

[00:16:06] John Kundtz: Cool. We'll put them in the show notes so that you can begin to learn a little bit more about it. My takeaway from this is that Cyber and clouds probably aren't just a nice to have. In many cases, they're critical in mastering regulatory compliance, controlling data security, and just fortifying against the evolving cyber-attacks that you mentioned.

We'll put some additional links, how to connect with Greg on LinkedIn, in the show notes.

Greg, I appreciate you being on our show, and thanks everybody for listening today. This is Sovereign Clouds Demystified, the blueprint for resilient, secure, and compliant digital businesses. 

Thanks, Greg. 

[00:16:49] Greg Pruett: Thanks, John. Thanks, everyone.