Oracle sovereign cloud solutions: Choose where your data is located

This blog is part 1 of our multipart series on data sovereignty in the cloud.

Digital technology trends show that organizations and governments around the world are harnessing the agility and cost savings of cloud technology and adopting a cloud-first strategy for their IT workloads. As cloud maturity continues to accelerate, so has legislation and the policies governing cloud technology, leading to increased emphasis on data sovereignty, and for a good reason. The cloud hasn’t just changed how we use technology. It’s changing how we think about it.

In the past decade, the European Union (EU) has led the way in passing data privacy legislation, namely the General Data Protection Regulation (GDPR), which lays out comprehensive requirements for organizations that collect and process the personal information of individuals in the EU. The combination of rapid cloud adoption and legislation like GDPR has been a catalyst for policy groups and governments worldwide when it comes to safeguarding their citizens’ most valuable resource: Data.

Data sovereignty is a complex topic, and the definition and applicability can vary by region, but a central theme of data sovereignty is empowering organizations and individuals to retain more control over their data. Often discussed as a singular item, we believe data sovereignty is achieved in multiple ways. The following examples contribute to a strong data sovereignty strategy:

• Choice of location: The physical location where the data is stored.
• Cloud isolation: Physical, logical, and network separation to limit sharing of data.
• Access management: Control over access to your data and the underlying infrastructure, both by limiting access and ensuring data availability and portability for those you authorize.
• Operations personnel requirements: Restriction of operations and support to personnel meeting specific security clearance, citizenship, or residency requirements.
• Transparency in data access decisions: Handling and reporting on extraterritorial law enforcement requests for data access, including interactions with local authorities.
• Enhanced hardware and software security: Use of capabilities, such as a hardware security module (HSM), encryption, and confidential computing.

In this blog series, we examine these and other critical aspects of data sovereignty in the cloud. Let’s start by looking at the choice of location, its implications, and the available options.

Data location and its impact on data sovereignty

Having the ability to choose the geographic regions where your organization stores its data is an important way to retain control over your data. Consider the following key factors in determining the appropriate cloud deployment model for your organization’s objectives:

• Data classification: Determine the type of data you plan to store in the cloud based on your business standards and any applicable regulations.
• Data storage: Determine if your data is subject to any geographic restrictions. Under some data protection regulations, sensitive data might need to be stored within the geographic boundaries of a country or region.
• Data availability: Maintain uninterrupted access to data and services that can be vital to business operations, government functions, or public infrastructure security.

The choice of location for your data can help you meet your data storage and data availability needs in line with data processing and data transfer requirements under applicable data protection laws.

Oracle Cloud offers many sovereignty solutions

Oracle Cloud Infrastructure (OCI) offers several deployment models as part of its Oracle sovereign cloud solutions that can help customers with their data sovereignty strategy.

Each of these deployment options allows Oracle customers to maintain control of their data, including the location of the region where it’s stored and processed and how it’s accessed. Customers typically act as the controller of their data, and Oracle doesn’t move customer data out of the region where it resides without customers’ authorization.

We can segment deployment models into public cloud offerings, operating out of Oracle’s cloud regions, and dedicated cloud offerings, which are deployed in a customer’s data center.

Let’s start with Oracle's public cloud offerings and see how they compare.

• Commercial public cloud: Offers 41 cloud regions in 22 countries around the globe, with more to come. In 10 countries and across the EU, OCI has two or more cloud regions that enable availability in the event of a disaster without data leaving the borders of these territories. Many organizations operating in these locations can run cloud workloads in-country to meet their data residency and availability requirements.
• European Union Sovereign Cloud: Launching in 2023 with data centers in Spain and Germany, Oracle’s new EU Sovereign Cloud regions is logically and physically separate from the existing Oracle commercial cloud regions in the EU. Both private companies and public sector organizations can use these new EU Sovereign Cloud regions to host data and applications that are sensitive, regulated, or of strategic regional importance.

Now, let’s look at Oracle’s dedicated cloud solutions where customers can host complete cloud regions on-premises in a data center of their choice. These options can help customers in geographies where Oracle doesn’t yet offer a public cloud region or if the organization has unique data sovereignty requirements that require a dedicated solution.

• Dedicated region: Designed for customers looking for a complete OCI region in their own data center with the agility, scalability, and economics of OCI public cloud.
• Isolated region: Designed for customers who need a proven cloud platform for their classified, top secret, mission-critical workloads.
• Alloy: Enables partners looking to become cloud service providers with a full range of cloud services to expand their business.

Getting started with Oracle sovereign cloud solutions

We aim to meet organizations where they’re at, both literally and figuratively. For many customers, Oracle’s commercial public cloud regions are more than sufficient to meet their data sovereignty needs, including the need to choose where data is located. However, for highly regulated industries or organizations subject to certain country-specific legislation, the enhanced data sovereignty options from Oracle EU Sovereign Cloud or one of the dedicated cloud solutions can accelerate your cloud-first strategy.

Stay tuned for the next blog in this series, where we take a closer look at Oracle Cloud Infrastructure’s use of realms—a collection of cloud regions—and how they provide enhanced logical, physical, and network isolation.

In the meantime, if you have any questions about Oracle sovereign cloud solutions, contact one of our representatives.