Today, you hear phrases like “I use the cloud” or “we’re migrating to the cloud” more and more often. Recently, a new concept has gained traction: the sovereign cloud. While sovereignty is typically seen in contexts like national independence or political autonomy, what does it mean when paired with cloud? What is a sovereign cloud exactly, and why does it matter to your organization? In this blog article, Fundaments’ CTO Larik‑Jan Verschuren explores the meaning of sovereignty in relation to cloud computing.
Let’s start with the definition of sovereignty. According to Wikipedia, sovereignty is the right of a governing body to exercise supreme authority without having to give account to any other body. In modern states that is laid out in the constitution: the basic agreements about how the state operates. In an international context, it means that countries respect each other’s borders and that each country decides what happens within those borders. Simply put: other nations may not interfere in internal affairs.
The word interfere is interesting here—because this is relevant when we talk about cloud.
You could say a lot about what cloud is, the different forms it takes, and why it has become such a popular concept—this is also discussed in another blog article. For now, we limit ourselves to the meaning of cloud in the context of the sovereign cloud: a place where data is stored and processed. If we combine that with sovereignty, it means data lands in a place where control over that data is clearly defined.
And that data plays a role in almost everything we do every day—from apps on your phone and forms on websites to video conferences within your organization. All of those applications generate data, and that data ultimately ends up in the cloud.
The promise of the sovereign cloud
More and more vendors claim to offer a sovereign cloud: an environment where your data is stored and processed without interference from third parties. But is that actually the case? Is there a certification, a standard, or a testable method to confirm that your data is truly protected from outside interference? To determine that accurately, it's important to understand how data enters a cloud. Where does it arrive? Which layers does it pass through? And who can access it?
The path of data within the cloud
When you look at how data moves through the cloud, it's clear that it does not simply “land” somewhere. Data travels through several layers and components before it is ultimately stored and processed. This data path can be clearly visualized using a layered model similar to the well-known OSI model used for data communication standards. In the context of a sovereign cloud, such a layered model offers a useful framework. For each layer, you can assess whether interference is present—i.e.: who has control, access, or influence over that specific layer?
Below is a visual representation of the data path—from the user to the application running in the cloud—with the different parts of the cloud environment named, enabling you to see at each step where data is processed and who may have access.
Figure 1. Visual representation of the data path
The figure above shows ten layers in the cloud where data is processed. Each layer is explained below:
Layer 1 – Transport The path data travels in the cloud begins with the user. Data is generated and sent via a device such as a laptop or smartphone. IoT devices—like smart cars, security systems, or home automation solutions—can also independently send data. From these sources, data is transported toward the cloud. In most cases this happens via the public internet. But in sectors where security and reliability are essential, such as defense, closed networks or private infrastructure are often used. Simpler alternatives also exist: many industrial sites are connected with fiber optic cable. That fiber link can connect a local facility directly to a datacenter, enabling data transport without the internet—significantly increasing security.
Layer 2 – Data transport – cloud edge Once transported, data arrives at the cloud edge—the connection point to a specific cloud. When connecting via the internet, this often goes through the cloud provider’s edge router using protocols like BGP. In private, dedicated setups, it may be through a “meet-me room” in a datacenter, where a physical line connects to the provider’s edge routers.
Layer 3 – Data locality in datacenter From the cloud edge, data is distributed within the provider’s infrastructure. That infrastructure spans multiple availability zones and datacenter locations. This can be regional, but also international—especially with large hyperscalers, resulting in widely dispersed data locality.
Layer 4 – Application The application that presents and processes the data acts as the functional processor of transported data. Driven by users or procedures, the application enables data exchange.
Layer 5 – Middleware An application needs various components—such as a database, languages like PHP, or modules like a web server or load balancer. These components support the application and determine how data is processed.
Layer 6 – Operating system or container To run the application and middleware, an operating system is required. The OS uses physical processing power (RAM and CPU) and storage (hard disk) to execute middleware and application operations. When functionality is further specified, it may be combined into a container, which is orchestrated and tied back to physical resources and storage.
Layer 7 – Virtualization | Containerization | Bare metal The OS or container may be virtualized. Virtualization divides physical compute and storage into virtual resources, allowing multiple OS or containers to run on shared hardware. In a bare-metal setup, the infrastructure connects directly to a single operating system without virtualization.
Layer 8 – Hardware: Network Network infrastructure—including routers, firewalls, and switches—connects and transports data from the cloud edge to the infrastructure layers. This equipment moves and routes the data.
Layer 9 – Hardware: Compute Compute hardware forms the actual processing power of the cloud. People often say that the cloud is simply someone else’s computer—and in essence it is. Without the server with compute resources, no application, operating system, or data processing can run.
Layer 10 – Hardware: Storage Storage hardware records the data that is not ephemeral (which is processed in compute through application layers). Storage systems are the most tangible form of cloud data storage. When you know which device stores your cloud data, you can “touch” your data—and know exactly where in the cloud your data resides.
This model shows the path data follows—but does it reveal precisely the level of interference and thus the degree of sovereignty? Not entirely, because technology is only part of the solution delivered to the end user as cloud service.
The operation behind the technology
Behind every technical cloud layer lies an operational reality: the technology is managed by companies, and these companies consist of people. Operations follow internal guidelines—but always within applicable laws and regulations, which are geographically defined. A Dutch company operating in the Netherlands falls under Dutch and European law. If that same company operates on another continent, the legal framework changes, and different rules may apply—especially if ownership involves non‑European parent corporations. This introduces legal complexity and makes it essential to understand, for the sovereign cloud context, who manages the cloud, where it is managed, and under which jurisdiction.
Looking back at Figure 1, multiple parties may be involved at each layer. An ISP (internet provider) rarely also manages applications; the provider of layer 1 is often different from those managing layers 2–10.
Cloud service providers usually control layers 2, 3, and 6 through 10.
Managed service providers use one or more cloud providers and manage layers 4 through 6.
At Fundaments, for specific solutions, we facilitate a large portion of layers 2 through 10—making interference levels transparent in the sovereignty discussion.
Conclusion: sovereignty begins with insight
Sovereign cloud is a broad concept and can be defined in many ways. For the end user, it is essential to understand where data goes, who processes it, and under which conditions. In short: what is the level of interference? You gain that insight by examining the cloud’s technical layers and determining:
Where is the infrastructure located?
Which party is responsible for its operation?
Under which jurisdiction does that party fall?
This combination of technology, operations, and location determines how the service is delivered and which security controls apply—based on the local laws governing infrastructure and operations. Once interference levels are clear, you can assess the sovereignty of a cloud service.
With data from a user organization, you can evaluate risks to availability, confidentiality, and integrity within a cloud service. That’s why it’s important to classify data properly within the organization. If this feels complex, start with the application. By linking the application to the cloud service hosting it, you can then assess the sovereignty level of the application and its data.
At Fundaments, we can support you with data classification and building a data-driven cloud strategy. Any form of cloud can be used—and in the case of private cloud, we can often provide a significant part of the solution. Want to learn more? Please get in touch!
