For example, when building a server on a public cloud service such as AWS, you can control where the data resides to a certain extent by selecting the region. In the case of SaaS-type services, however, you need to consider which country the service provider's platform is located in and how you will be affected by the relevant laws.
However, there is always the possibility of incurring risks due to laws that did not exist at the time of introduction or changes in social conditions.
In response to such uncertain factors from outside the economic realm, there is a concept of economic security that promotes economic measures in an integrated manner between the public and private sectors.
Although the details will be discussed later, the recently concluded G7 Hiroshima Summit also issued the “Summit Statement on Economic Resilience and Economic Security”, aimed at securing and promoting national economic interests, which shows that the participating countries regard security as a priority.
A summary of the statement is as follows. Each point states that the G7 countries will work together to deal with factors that have a negative impact on economic activity.
- Strengthening global economic resilience (building international supply chains and infrastructure, etc.)
- Responding to factors that undermine international rules and norms (economic coercion, harmful acts in the digital domain)
- Addressing common concerns regarding threats (prevention of leakage of important and advanced technologies)
Economic security
Economic security is a policy whose purpose is to ensure the economic stability, development, and national interests of a nation or region. The scope includes “stable supply of goods and resources” and “promotion of development and preservation of cutting-edge technological information”.
In Japan, the scope of security has expanded to the economic field due to changes in the international situation and social structure, so the Economic Security Promotion Act was enacted on May 11, 2020 as legislation to promote economic security, and has been promulgated.
The Economic Security Promotion Act is broadly classified into four systems.
1. Ensuring stable supply of important supplies
2. Ensuring stable provision of core infrastructure services
3. Support for the development of cutting-edge important technologies
4. Nondisclosure of patent applications
“1.” and “2.” stipulate systems related to the stable supply of the supplies and infrastructure necessary for economic activities.
“3.” is aimed at promoting and preserving research and development of specific technologies (in areas such as space, oceans, quantum, and AI), and provides information and financial support to institutions with a certain level of ability. It also stipulates that confidentiality is required.
“4.” is a system related to patent applications. Its purpose is to “prevent the disclosure of sensitive technology and information leaks” caused by patent publication, and to “open the way for inventors who were unable to file patent applications due to security concerns to receive patent rights.”
[Reference ②: Outline of the Economic Security Promotion Act]
Data sovereignty on the cloud
Changes in the social environment are thought to be a factor behind the increased emphasis on economic security. There are particular concerns about public clouds, with the possibility of service suspension due to international circumstances and the risk of stored data being seized due to laws and regulations, making ensuring data safety an urgent issue.
[Reference ④: Cases and related laws and regulations affecting public clouds]
Related matters | Influence |
---|---|
GDPR | ・Regulations on data transfer outside the EU territory ・IT measures for personal data stored in the EU territory |
CLOUD Act | It is now possible to legally request the viewing and seizure of data from companies headquartered in the United States, even if the data is stored outside the United States. |
Suspension of cloud service usage | Suspension of cloud service (Microsoft 365) (Stockholm) |
Unrest in Ukraine | Cloud vendors (AWS/SAP) stop providing services in the Russian region |
Exchange rate fluctuation risk | Increase in foreign cloud service usage fees paid in US dollars |
[Reference 5: Efforts to ensure data safety and cloud technology in each country]
The “CLOUD Act” mentioned in Reference ④ is a law enacted in the United States in March 2018 that is “aimed at responding to international crimes and terrorist activities.” Under it, when the services of American companies are used, data disclosure requests can now be made even for data stored in the Japan region.
This only stipulates that disclosure requests can be made, and does not mean that data access is freely permitted. In addition, US cloud vendors including AWS have stated their views and policies regarding the CLOUD Act, but basically there is no risk of any disadvantage to users.
However, in a situation where it is unclear what kind of laws will be enacted in the future, the concept of “data sovereignty”, in which the user organization has the right to control and manage the data, is important for protecting important data on the cloud.
The service concept of sovereign cloud is attracting attention as a cloud that can control data sovereignty.
Sovereign cloud
Although there is no clear definition of sovereign cloud, it is a service that guarantees that “security”, “compliance”, and “data sovereignty” for the data stored and the assets built on the cloud comply with the laws and regulations of each country.
When using this service, data stored in the cloud is protected within the jurisdiction of the country. Since it is a service provided in a single region, the data will not be provided to other countries without permission, and data location is preserved.
In other words, it is a service in which the user organization has data sovereignty, and it can be said that it is a service whose main purpose is to protect stored data, technical information, etc. This assurance also includes periodic audit requirements to keep pace with changing security requirements.
As specific sovereign cloud services, major public cloud vendors have started providing services under the following service names.
[Reference 7: Sovereign cloud services of major cloud vendors (example)]
Cloud vendor | Service name |
---|---|
AWS | AWS GovCloud |
Azure | Azure Government |
GCP | Google Cloud Government Cloud |
As the “Gov” in the names indicates, these services are for government agencies and specific regions, and are not services for general companies.
In addition, as a cloud used by government agencies in Japan, there is a public cloud platform, “Government Cloud”, promoted by the Digital Agency for joint use by government ministries and local governments. Business systems that have been developed individually by national and local governments will be migrated and consolidated onto this public cloud platform, which is expected to allow local governments across the country to use common services and to reduce the cost of individual development.
The government has selected AWS, Azure, and Google Cloud as services eligible for government cloud, and we expect that services for general companies will be developed from the government cloud platform.
Lastly
Considering economic security, the need for sovereign cloud services is expected to increase further in the future. However, while data sovereignty is ensured, a sovereign cloud uses a special region (sovereign region), so there are service limitations such as the inability to use region pairs that span multiple countries, which in some cases is a disadvantage from a BCP perspective.
In the future, depending on the importance of the information handled, it is likely that new forms of use will increase, such as the use of hybrid clouds that combine public clouds and sovereign clouds.
Thank you for reading to the end.