GCP – Cloud CISO Perspectives: How digital sovereignty builds better borders for the future
Welcome to the second Cloud CISO Perspectives for March 2025. Today, Archana Ramamoorthy, senior director of product management, Google Cloud, explains our approach to digital sovereignty and we believe strongly in meeting this vital customer need.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
–Phil Venables, VP, TI Security & CISO, Google Cloud
- aside_block
- <ListValue: [StructValue([(‘title’, ‘Get vital board insights with Google Cloud’), (‘body’, <wagtail.rich_text.RichText object at 0x3e5c49ed5910>), (‘btn_text’, ‘Visit the hub’), (‘href’, ‘https://cloud.google.com/solutions/security/board-of-directors?utm_source=cloud_sfdc&utm_medium=email&utm_campaign=FY24-Q2-global-PROD941-physicalevent-er-CEG_Boardroom_Summit&utm_content=-&utm_term=-‘), (‘image’, <GAEImage: GCAT-replacement-logo-A>)])]>
How digital sovereignty builds better borders for the future
By Archana Ramamoorthy, senior director of product management, Google Cloud
The future of data security, trust, and controls are hot topics for boards of directors, executives, CISOs, politicians, and regulators. While the challenges we face are important, they are not insurmountable, and Google Cloud has been developing technology and solutions from our earliest days to help customers address their security, compliance and privacy needs.
Archana Ramamoorthy, senior director, product management, Google Cloud
Our commitment to security, trust, and control intersect prominently in our approach to digital sovereignty, which can help organizations who require stronger controls over data and digital infrastructure. We have embarked on a mult-year journey to help address these concerns. Since 2020, we have been building a digital future on Europe’s terms, to help prepare our customers and partners for the time when trust and control take center stage.
European customers and policymakers have identified several key requirements to help achieve digital sovereignty. These include: Control over access to their data, including what type of personnel can access the data and from which region; inspectability of changes to cloud infrastructure and services that impact access to or the security of their data; and survivability of their highly sensitive workloads.
The specific aspects of digital sovereignty that matter to an organization can vary, and these needs can shift over time. It’s crucial for CISOs and board members to regularly assess their current strategies and collaborate with leaders across the organization.
We address these and other requirements in our pillars of sovereignty: data, operational, and software sovereignty.
Google Cloud’s approach: Three pillars of digital sovereignty.
An organization may have requirements in some or all these areas, and their needs may change and evolve over time. At Google Cloud, we believe that a provider’s solutions need to address the depth and breadth of sovereign requirements, allowing customers the flexibility and choice from a wide range of technical controls to meet their needs. These solutions must work with the applications and technologies that power organizations today.
Google Sovereign Cloud solutions help enable every organization to meet their data, operational, and software sovereignty needs so they can accelerate their digital transformation. Our customers can meet sovereignty requirements whether they choose to use Google’s public cloud services, Google Distributed Cloud, or Google Workspace. Customers can deploy workloads with local controls and assurances provided by trusted local partners, and foster an ecosystem of independent software vendors (ISVs) specializing in sovereign-ready solutions.
- Assured Workloads offers European customers the ability to deploy a sovereign data boundary and control where their data is stored and processed. Google Workspace customers can similarly use Local Data Storage to maintain their data in a country of their choice. In addition, Sovereign Controls, whether managed by Google or by a partner, give customers unprecedented visibility and control over data access, as well as the ability to deny access requests for any reason.
- Since 2021 Google Cloud has partnered with Thales to build a first-of-its-kind Trusted Cloud. This Trusted Cloud will be fully operated by S3NS, a standalone entity under French law, to meet the SecNumCloud standard and enable French and European customers to meet rigorous security and compliance goals. Next, we are actively working towards a Trusted Cloud offering in Germany to meet the needs of our German and European customers.
- Google Distributed Cloud (GDC) provides a fully air-gapped sovereign data and operational boundary that never requires connectivity to an external network. GDC is deployed and operated by the customer or a trusted partner, and offers a rich set of AI and database services. GDC is designed to maximise survivability and ensure business continuity in the face of external events.
Putting digital sovereignty into action
The specific aspects of digital sovereignty that matter to an organization can vary, and these needs can shift over time. It’s crucial for CISOs and board members to regularly assess their current strategies and collaborate with leaders across the organization. Focusing on collaboration can help ensure that digital sovereignty strategies remain relevant, effective, and aligned with the organization’s evolving goals.
Discuss the following three steps to implement a digital sovereignty strategy with your CISO, CIO, CTO, legal and regulatory affairs teams, and the business.
- Ground the strategy by clarifying why digital sovereignty matters to your organization, and consider such factors as:
- Legal and regulatory compliance: Avoid fines, sanctions, and legal challenges.
- Data protection and privacy: Safeguard sensitive company and customer data.
- Business continuity: Minimize disruptions due to external events.
- Reputation management: Demonstrate commitment to ethical data practices.
- Competitive advantage: Position your company as a trustworthy data steward.
- Analyze the operational impacts of implementing a digital sovereignty strategy based on the most important factors. These may include:
- Data storage: Assess where your data resides, and if it complies with applicable laws.
- Cloud service providers: Evaluate their compliance with sovereignty regulations and offerings to help operationalize sovereignty strategies.
- Data transfers: Ensure secure and compliant cross-border data flows.
- Contractual agreements: Incorporate clauses into contracts with partners and vendors outlining how access to data is controlled.
- Implement your organization’s digital sovereignty strategies with an eye towards the board’s strategic activities, including:
- Risk assessment: Identify and quantify sovereignty risks.
- Compliance strategy: Develop a roadmap for compliance with regulations with sovereignty requirements.
- Technology investments: Evaluate solutions that support data sovereignty, such as local data centers and encryption.
- Partnerships and alliances: Collaborate with experts to navigate complex regulatory environments with sovereign requirements.
- Communication: Keep stakeholders informed about your company’s data sovereignty efforts.
Customer trust and control starts with cybersecurity, and Google Cloud is secure by design and by default. Our sovereign offerings enable customers to use our AI infrastructure, while helping to maintain control over data residency, access, and operational aspects.
As we work with customers, we will continue to engage with governments to ensure that Google Sovereign Cloud continues to meet their needs and requirements. To learn more about our approach to digital sovereignty, and our range of unique, comprehensive sovereign and multicloud solutions, please check out the Google Sovereign Cloud website.
Sections of this article appeared in the fifth edition of our Perspectives on Security for the Board report. You can read the full report here.
- aside_block
- <ListValue: [StructValue([(‘title’, ‘Join the Google Cloud CISO Community’), (‘body’, <wagtail.rich_text.RichText object at 0x3e5c49ed5700>), (‘btn_text’, ‘Learn more’), (‘href’, ‘https://rsvp.withgoogle.com/events/ciso-community-interest?utm_source=cgc-blog&utm_medium=blog&utm_campaign=2024-cloud-ciso-newsletter-events-ref&utm_content=-&utm_term=-‘), (‘image’, <GAEImage: GCAT-replacement-logo-A>)])]>
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Get ready for a unique, immersive security experience at Next ‘25: Here’s why Google Cloud Next is shaping up to be a must-attend event for security experts and the security-curious alike. Read more.
- How we do security programs at global scale: Royal Hansen shares insights into Google’s internal security culture, and how Google uses Secure by Design to grow security at enterprise scale. Read more.
- Our 4-6-3 rule for strengthening security ties to business: The desire to quickly transform a business can push leaders to neglect security and resilience, but prioritizing security can unlock value. Here’s how. Read more.
- How creative thinking can help secure critical infrastructure: Creative thinking starts with an encouraging workplace. Here’s how to change OT workplace culture, and three use cases that show it in action. Read more.
- Secure backups with threat detection and remediation: To further support your security needs, we’re adding more integration between Backup and DR, Security Command Center, and Google Security Operations. Read more.
- Mastering secure AI on Google Cloud: A practical guide for enterprises: We want customers to be successful as they develop and deploy AI, and that means using risk mitigation and proactive security measures. Here’s how to get started. Read more.
- Google Cloud, Atlético de Madrid expand cybersecurity partnership: We’re proud to become Atlético de Madrid’s official cybersecurity partner, reinforcing our shared commitment to innovation and resilience in sports technology. Read more.
- What AI can learn from the cloud’s early days: Just like early cloud pioneers who neglected to build a solid foundation, many organizations are now rushing into AI without a secure blueprint. Here’s how AI can avoid cloud’s mistakes. Read more.
Please visit the Google Cloud blog for more security stories published this month.
- aside_block
- <ListValue: [StructValue([(‘title’, ‘Learn something new’), (‘body’, <wagtail.rich_text.RichText object at 0x3e5c49ed5730>), (‘btn_text’, ‘Watch now’), (‘href’, ‘https://www.youtube.com/watch?v=tougo8159t8&list=PLjiTz6DAEpuI9xcEAShwMSn2FFWueE_c-&index=2’), (‘image’, <GAEImage: GCAT-replacement-logo-A>)])]>
Threat Intelligence news
- Session stealing in seconds with browser-in-the-middle attack techniques: BitM attacks offer a streamlined approach for attackers to quickly compromise sessions across web applications. With sophisticated social engineering tactics now able to effectively bypass multi-factor authentication, organizations must implement robust defenses, including hardware-based MFA, client certificates, and FIDO2. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- Ephemeral clouds, lasting security: What’s important for cloud security investigations? Is there really a difference between Cloud Detection and Response (CDR) and Cloud Investigation and Response Automation (CIRA)? James Campbell and Chris Doman of Cado join hosts Anton Chuvakin and Tim Peacock to discuss the future of cloud investigations. Listen here.
- Threat modeling at Google, from basics to AI-powered magic: Meador Inge, Google Cloud security engineer, pulls back the curtain with Anton and Tim on how Google does threat modeling. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in February with more security-related updates from Google Cloud.
Read More for the details.