
Public cloud: Data sovereignty and data security in the UK

The UK government’s decision to designate datacentres as critical national infrastructure (CNI) in September 2024 signalled its ambition to build a digital economy that is secure and globally competitive.

But behind the headlines about protecting against cyber crime and IT blackouts lies a more complicated reality – a sector grappling with policy uncertainty, reliance on foreign cloud giants and a data sovereignty agenda that looks increasingly compromised.

In a blog post, Forrester principal analyst Tracy Woo wrote: “New sovereignty requirements such as SecNumCloud, Cloud de Confiance from France, and the Cloud Computing Compliance Controls Catalog (C5) from Germany, along with the push to keep data in-country, have created a broader push for private and sovereign clouds.”

But the promise of “protected infrastructure” rings hollow when hyperscalers openly admit they cannot guarantee that UK government data stored in cloud services such as Microsoft 365 and Azure will remain within national borders.

Woo points out that countries in the European Union (EU) and Asia-Pacific (APAC) have been attempting to more heavily leverage non-US-based cloud providers, create sovereign clouds, or leave workloads on-premise.

In the UK, regulatory scrutiny is exposing the fragile state of the UK’s digital independence. Looking at the UK’s approach to data sovereignty, law firm Kennedys Law describes the Data Use and Access (DUA) Bill, which was published in October 2024, as “a more flexible risk-based approach for international data transfers”.

Kennedys notes that the new test requires that the data protection standards in the destination jurisdiction must not be materially lower than those in the UK. According to Kennedys, this standard is less rigid than the EU’s “essential equivalence” requirement but raises questions about how “materially lower” will be interpreted in practice.

Understandably, with the government’s reliance on cloud-based productivity tools, concerns about compliance with UK data protection laws have intensified.

The Competition and Markets Authority (CMA) is now investigating cloud market practices that could lock customers into foreign providers. A provisional report is expected in early 2025, setting the stage for potential regulatory reforms aimed at boosting data sovereignty and curbing monopolistic practices.

Reshaping data sovereignty

This is not before time for Mark Boost, CEO of Civo, a UK-based cloud hosting specialist. “The inability to ensure data remains within UK borders underscores the risks of depending on hyperscalers,” warns Boost. “If we keep outsourcing critical data infrastructure, we risk losing more than just technical control, we lose national independence.”

The CMA’s review could reshape the country’s digital future, potentially mandating greater transparency and requiring UK data storage guarantees from global cloud providers. This is something Boost has been talking about for some time.

“Transparency isn’t just about where data is stored, it’s about how datacentres are powered, maintained and secured,” he says. His argument highlights the essential connection between data sovereignty and operational clarity, urging providers to adopt clearer accountability measures.


Despite these challenges around transparency, the UK datacentre industry has seen promising signs, particularly in regional investment. The government’s recent announcement of a £250m datacentre project in Salford showcases how local government cooperation and targeted investment can drive growth. But such projects remain exceptions rather than the rule.

Luisa Cardani, head of datacentres at TechUK and author of the report Foundations for the future: How datacentres can supercharge UK economic growth, warns that without a national policy statement (NPS), the datacentre sector risks becoming fragmented. Local planning authorities lack the expertise and resources to approve projects efficiently, creating bottlenecks that could delay critical infrastructure developments for years.

“The industry wants to work with local people and authorities, but clear national planning guidance is missing,” says Cardani. “Without a coherent strategy, we’re stuck in a cycle of fragmented decisions and regulatory inertia.”

The proposed inclusion of datacentres under the nationally significant infrastructure projects (NSIP) regime could streamline the approval process, ensuring faster decision-making. However, this remains, for the moment at least, more of an aspiration. In reality, investment will remain stalled until the UK develops a coherent, national approach that balances public and private interests while streamlining the project approval process.

Data sovereignty and security requirements are fundamental to this, and to a large extent it will be market forces that determine the shape and size of the UK’s datacentre industry. On this front, Alvin Nguyen, senior analyst at Forrester, says businesses must recognise the different risk profiles posed by local and hyperscaler-operated datacentres.

“It should be expected that hyperscalers will have more bandwidth, more scalability and more redundancy than their more localised counterparts, but having datacentres classified as critical to the UK’s infrastructure may help with mitigating some, but not all, security risks,” he says.

Complexity of keeping data within national borders

Nguyen also questions whether data sovereignty debates might be over-simplified in some cases.

“With data security, it comes down to what the organisation’s requirements are to determine whether or not to go to a hyperscaler or a local datacentre,” he says. “With sovereignty, that is a bit different. If there are components to the sovereignty laws to restrict access or use of data outside of the local datacentres, hyperscalers will need to ensure that guardrails are in place.”

Nguyen’s comments underscore the complexity of managing sensitive data across hybrid environments. Rather than focusing solely on whether to choose a local or global provider, businesses should consider managing workloads across hybrid cloud environments more strategically.

“Many organisations will find a mix of cloud and datacentres makes the most sense … the risk profile of each is different and that blend of risk when combining cloud and datacentres can be made to be optimised for them,” he says.

The security risks associated with data sovereignty are multifaceted, extending far beyond simple data storage concerns. For businesses in regulated sectors, particularly financial services, the stakes are immense.

When on-premise is the only option

Jon Cosson, head of IT and chief information security officer at wealth management firm JM Finn, underscores the potential dangers when businesses assume that using a large cloud provider automatically guarantees security.

“It’s absolutely imperative you know where your data is and how to secure it,” he warns. “You would not believe how many businesses still just rely on somebody else.”

The issue is compounded by the jurisdictional complexity of global cloud services. When sensitive data crosses borders, it may fall under multiple regulatory regimes, raising questions about legal access and government overreach. This concern has been amplified by legislation such as the US Cloud Act.

In 2019, the then home secretary, Priti Patel, signed a US Cloud Act Agreement covering the UK and Northern Ireland, in which the US and UK governments agreed to provide timely access to electronic data for authorised law enforcement purposes. The Cloud Act could compel US-based hyperscalers to provide foreign-stored data to US authorities, bypassing local laws.

“I want to know exactly where my data goes, how it’s encrypted and how quickly I can get out if needed,” says Cosson, reflecting a broader industry concern that opaque data paths and limited contractual assurances can expose businesses to significant compliance risks.

“We use the cloud when we have to, but still run key systems on-premise for control,” adds Cosson. This approach is typical of companies handling sensitive financial data. There is a lack of trust, with organisations not prepared to take promises of “secure cloud storage” at face value.

While Cosson acknowledges that cloud adoption is inevitable for some services, such as Microsoft 365, he underscores the enduring role of on-premise infrastructure for businesses that require absolute control over sensitive data. This, of course, raises an additional problem of how to manage hybrid data environments securely and efficiently.

According to Cosson, companies like Nutanix play a critical role here, enabling organisations to manage workloads across cloud and on-premise environments while maintaining data control. Nutanix’s infrastructure services are designed to address sovereignty concerns, he says, by ensuring businesses have clear data management policies and remain compliant with local regulations.


“The next five years will be decisive,” says Civo’s Boost. “If transparency becomes a legal requirement, we’ll see businesses demanding more from providers, not just about where data resides, but also how infrastructure is managed and powered.”

TechUK’s Cardani believes public-private partnerships will play a crucial role here. “We need coordinated efforts between government, industry and local authorities to build a resilient datacentre ecosystem,” she says. “This means shared responsibility, clearer policy frameworks, and incentives for both hyperscalers and UK-based providers.”

Boost and Cardani both agree that the balance of power between hyperscalers and local operators may shift, particularly if future policies mandate data localisation or prohibit cross-border data transfers without explicit guarantees. Sovereignty-by-design, where infrastructure is built to meet local compliance from the start, could become the new standard.

Adhering to current standards

Until that point, organisations need to work out how they can meet existing standards. Cardani argues that adherence to standards must be supported by national policies that enable transparent reporting and clear accountability structures.

In practice, this means enforcing mandatory audits, data residency certifications and security benchmarks tailored to UK-specific legal frameworks. Without these measures, businesses risk falling into compliance gaps that could expose them to data breaches, fines and legal disputes.

Frameworks such as ISO 27001 for information security management, General Data Protection Regulation (GDPR) for data privacy and Payment Card Industry Data Security Standard (PCI DSS) for payment security set clear operational expectations. Yet these standards are only part of the equation, as evolving regulations increasingly emphasise data sovereignty and security-by-design.

Ensuring that datacentres comply with such frameworks while offering sovereignty guarantees has become a pressing challenge. Hyperscalers operating across multiple jurisdictions complicate audits and compliance checks due to varying legal obligations and data transfer rules.

The introduction of the CMA’s investigation is urgently needed, if only to provide some clarity around what, for most buyers, has become a confusing subject.

For IT leaders, the critical takeaway is that responsibility cannot be outsourced. Security, compliance and sovereignty must be actively managed through risk assessments, compliance audits and multi-supplier strategies.

And as the UK’s digital infrastructure evolves, only businesses that stay ahead of regulation and demand transparency from their providers will be able to navigate the uncertainties.

On that score, the UK’s datacentre industry stands at a crossroads – but with policy clarity, local investment and industry transparency, it has the potential to become a global digital leader in this space.

It’s about trust and everyone playing by the same, fair rules, but from a UK perspective it is also about protecting that most valuable national asset – data.

As JM Finn’s Cosson puts it: “Data sovereignty is not a buzzword, it’s survival.”


Top 10 AI and storage stories of 2024

Artificial intelligence (AI) has hit the headlines and the datacentres, but with it comes a range of performance and operating considerations that impact storage as much as any other IT discipline.

In this review, we look at the key demands of AI processing on data storage, the type of storage AI requires, and the suitability of cloud storage for AI workloads.

We drill down into the data needs of AI and storage, such as the demands of high-dimension vector data and checkpointing during AI training, plus the compliance considerations that use of AI brings with it.

We also look at the responses of storage suppliers to the rapid rise of AI use cases in the datacentre, in terms of link-ups with leading players like Nvidia, as well as in their storage offer aimed at AI workloads. 

In this guide, we examine the data storage needs of artificial intelligence, the demands it places on data storage, the suitability of cloud and object storage for AI, and key AI storage products.

We look at the use of vector data in AI and how vector databases work, plus vector embedding, the challenges for storage of vector data and the key suppliers of vector database products.

We talk to Charlie Boyle of Nvidia about data challenges in artificial intelligence, key practical tips for AI projects, and demands on storage of training, inferencing, RAG and checkpointing.

Storage supplier announcements at the Nvidia conference focus on infrastructure integration, tackling the GPU I/O bottleneck and AI hallucinations by running Nvidia NeMo and NIM microservices.

We spoke to Pure Storage CEO Charlie Giancarlo about why write speed is key for artificial intelligence workloads, accessible storage for AI data, and his prediction of the death of spinning disk.

We talk to NetApp’s Grant Caley about AI and data storage, the need for scale, performance and hybrid cloud, and to move, copy and clone data for wrangling for inference runs.

AI checkpointing operations targeted by Vast Data as it touts QLC-based storage for AI workloads.

Start looking at artificial intelligence compliance. That’s the advice of Mathieu Gorge of Vigitrust, who says AI governance is still immature, but firms should recognise the limits and still act.

AI consultancy Crater Labs spent vast amounts of time managing server-attached drives to ensure GPUs were saturated. A shift to all-flash Pure Storage slashed that to almost zero.

Originally driven by Intel’s now-defunct Optane storage class memory, Parallelstore offers massive parallel file storage targeted at artificial intelligence training use cases on Google Cloud.


Schwarz Group partners with Google on EU sovereign cloud

Google has partnered with retail giant Schwarz Group to deliver what the pair claim is truly secure and sovereign cloud-based collaboration for German and European regulated industries.

Through the partnership, Schwarz Group’s StackIT, the cloud provider for the retailer, which operates as an independent company offering sovereign cloud capabilities, will provide client-side encryption of customers’ Google Workspace data.

StackIT said customers’ data will remain resident within the European Union (EU), with full redundancy offered by backups hosted solely in its European datacentres to meet customer demands around data protection, data residency and data resiliency.

“Germany and the EU have until now lacked enterprise-grade cloud collaboration solutions that fully address the sovereignty requirements of regulated industries, including ensuring all data is secured and backed up on local soil with absolutely no opportunity for access by foreign nations or platform providers,” said Rolf Schumann, co-CEO of Schwarz Digits, the IT and digital division of the Schwarz Group.

“Our partnership and new offering with Google Cloud will fill this gap with an entirely new business model.”

Client-side encryption means Google has no access to customers’ data. According to Schwarz and Google, this safeguards the sovereignty of not only Schwarz Group, but also all customers who value the independence of their operations, giving them full confidence that their data is always in their control.

“This new partnership will enable the companies of Schwarz Group to combine its leadership in digital transformation with Google Cloud’s strengths in productivity, collaboration and security, enabled by our cutting-edge AI,” said Sundar Pichai, CEO of Google and Alphabet. “Together, we are opening up a world of new, sovereign opportunities for European organisations to innovate and build on our joint solutions, accelerating a new era of innovation.”

Through the partnership, Google Cloud’s security capabilities will be integrated with those of XM Cyber, Schwarz Digits’ hybrid cloud security company. This integrated offering will then be distributed to customers via the Google Cloud Marketplace.

According to Google and Schwarz, this integrated security will help German and European organisations, particularly those in highly regulated industries, raise the bar on their enterprise and multi-cloud security. In addition, XM Cyber’s Continuous Exposure Management will be embedded into the sovereign Google Workspace office productivity suite offered to European enterprises.

“This partnership changes the game for regulated industry players in Europe by removing the sovereignty and security concerns that often hold back more ambitious adoption of the cloud for productivity and collaboration,” said Thomas Kurian, CEO of Google Cloud. “Our alliance with companies of Schwarz Group will enable entire industries in Europe to deliver digital innovation with security and compliance at its core.”

Schwarz Group is Europe’s largest retailer, and the fourth-largest in the world. The company plans to transition its global office workforce to Google Workspace. The partnership with Google, according to Schwarz Group, enables critical workplace data to be protected against third-party access including foreign government institutions, and also transferred to alternate service providers if needed.

“Switching to Google Workspace is an important step for us out of legacy and into innovative, efficient and future-proof cloud-based collaboration,” said Christian Müller, Co-CEO of Schwarz Digits. “Google Workspace is the most secure and reliable productivity platform in the industry today, and we expect our organisation-wide migration to have significant flow-on benefits to all areas of operations from simplifying IT management to rendering our point-of-sale workflows significantly more efficient.”


Nationwide Building Society backs HPE GreenLake for hybrid cloud push

Nationwide Building Society is drawing on HPE’s private cloud capabilities to help deliver on the next phase of its multi-year hybrid cloud strategy.

The company, which has more than 17 million customers in the UK and employs 18,000 people, is in the midst of a hybrid cloud-focused digital transformation project, geared towards improving the online experience for its customers.

As previously reported by Computer Weekly, this work, which began in 2018, has seen the firm use public cloud technologies, such as those offered by Amazon Web Services, and embrace the use of DevOps-style software development methodologies within its teams.

The project has also seen Nationwide adopt different cloud technologies based on what is best for that particular type of data or workload, which is why the company is now adding the HPE GreenLake private cloud setup to its supplier mix too.

“Nationwide’s hybrid cloud strategy is vital to our ability to compete and means we can continue to meet the needs and expectations of our customers – HPE GreenLake cloud is a core component of our hybrid cloud strategy,” said Paul Walsh, director of infrastructure and service delivery at Nationwide.

“With them, we’re building a cloud platform that will further improve our resilience and agility, enabling us to provide even better levels of service and deliver new capabilities to our developers faster than ever before.”

Specifically, Nationwide will use HPE GreenLake management services to automate and orchestrate its infrastructure management workloads and deliver infrastructure-as-code, the company said.

“This [will] enable [Nationwide] to focus on innovation, value-add activities and gain better control over application builds and security,” said the company, in a statement. “Faster release cycles will accelerate the time to market, providing consistent customer experiences across all digital platforms.”

The HPE GreenLake cloud setup will also provide Nationwide with an overview of its energy consumption and emissions, so that it can take proactive steps to reduce its environmental footprint, the company added.

Matt Harris, senior vice-president and managing director for the UK, Ireland, Middle East and Africa at HPE, said the complexities of the deployment highlight why taking a public cloud-only approach would not work for a company like Nationwide.

“Nationwide’s modernisation journey showcases the effectiveness of HPE GreenLake cloud, with the storied institution transitioning from complex, legacy technology to a modern, future-proofed hybrid cloud operating model where a one-size-fits-all public cloud could never be the only answer,” said Harris.

Nationwide is not the only financial services company tapping into HPE GreenLake to deliver on its hybrid cloud strategy, as Barclays Bank also set out plans in September 2024 to ramp up its use of the technology for that purpose.
