A look back at AWS Summit Paris 2024, the event that brings together the cloud computing community to showcase the latest AWS innovations. David NEYRON, DevOps/Cloud Engineer, and Lionel GAIROARD, DevSecOps Practice Leader, were there to gather the latest information on cloud sovereignty, AI, and data. They share their feedback and inspiration from this day dedicated to expertise. Let's start with David, who looks at the digital sovereignty of the cloud and the trust we can place in providers.
Digital sovereignty in the cloud
" In any case, Americans can see everything that happens in the cloud. They have access to it under the Patriot Act, so I'm telling you, we won't be able to put our data there anytime soon," Jean-Michel exclaimed this morning at the coffee machine.
Upon further investigation, it becomes apparent that Jean-Michel is not the only one concerned about what is referred to as the digital sovereignty of the cloud.
So, is this concern justified? If so, are there solutions available to keep our data private? The answer lies in elements presented at the AWS Summit 2024.
The topic of cloud digital sovereignty is not new. But first, what do we mean by that? To put it simply, it can be broken down into two parts:
Data sovereignty
When working in the cloud, we store and use data, some of which may be sensitive, on infrastructure that does not belong to us. We are therefore entitled to have doubts about where our data is located, how it is used, and whether it is encrypted.
If it is, is it encrypted in transit? At rest? Do the cloud provider's employees have access to our data?
Operational sovereignty
As mentioned above, the infrastructure we use does not belong to us. This raises questions about its resilience, independence, and the jurisdiction that applies depending on the location of the equipment, etc.
These two notions are encompassed by the general concept of cloud digital sovereignty. The questions it raises are all the more important when it comes to sensitive personal data, such as health or banking data. With the cloud being used more and more by businesses, it is becoming crucial for customers to consider the digital sovereignty of these public clouds.
SecNumCloud
To address these issues, certain countries, including France, have legislated to regulate cloud usage by creating, among other things, the SecNumCloud label. This label is a set of requirements that a provider must meet in order to be selected by public or private entities wishing to outsource the processing and storage of their sensitive data.
Among the various technical requirements, such as data localization within the European Union, some aim to establish protection against non-European law by requiring that "the provider's registered office, central administration, and principal place of business must be located within a Member State of the European Union."
Oh dear... So Jean-Michel was right? If we protect ourselves with laws like these, does that mean that the major American cloud players really can see everything, and that our data in the cloud will never be secure? Actually, it's a little more complicated than that.
What is very concrete, however, is the market that the European Union represents for these American cloud players: nearly $58 billion in 2024. Faced with such prospects for profit, it is not really in the interest of the American cloud giants to hand our data over to their government, but rather to meet the demands of states and their customers, Jean-Michel included, in order to reassure them. In concrete terms, this translates into many technical innovations, some of which were presented at the AWS Summit 2024:
- Enhanced security for virtualization.
On a traditional virtualization infrastructure, the various hypervisor components required for virtualization are often located on the same physical hardware, and therefore share a common attack surface. AWS has chosen to separate these components onto dedicated hardware, thereby reducing the risk of compromising the entire hypervisor: it is no longer a single instance but a set of dedicated, mutually isolated physical cards. This is the AWS Nitro System.
- A high level of infrastructure monitoring and control.
With the Control Tower service and its integration with other services such as CloudTrail and CloudFormation, AWS offers to prevent, detect, and, if necessary, remediate the use of resources that may pose a security risk.
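As an added example (not code from the original post, and not an AWS or Control Tower artifact), here is what the "prevent" and "detect" halves of such a control look like for one common sovereignty requirement: keeping resources out of regions where they must not reside. The preventive half is an SCP-style Deny on the `aws:RequestedRegion` condition key, which is the mechanism Control Tower's preventive controls use; the detective half is a check run over constructed CloudTrail-style records. The allowed-region list, the (trimmed) set of exempted global services, the account id and the sample events are all assumptions.

```python
"""Region-restriction control: detect (and show how to prevent) resource use
outside an allowed set of AWS regions.

Added illustration; not code from the original post and not an AWS or
Control Tower artifact. The CloudTrail-style records are constructed, and the
allowed-region list is an assumption mimicking an EU data-localization rule.
"""

# Assumed policy: only these regions may host resources.
ALLOWED_REGIONS = {"eu-west-3", "eu-central-1"}

# Global services report us-east-1 in CloudTrail wherever the caller is, so a
# region restriction must exempt them. Trimmed list (assumption).
GLOBAL_SERVICE_PREFIXES = ("iam", "sts", "organizations")


def region_deny_scp(allowed):
    """Preventive side: an SCP-style statement denying any request whose
    aws:RequestedRegion is outside the allowlist, except for global services."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in GLOBAL_SERVICE_PREFIXES],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": sorted(allowed)}
            },
        }],
    }


def _service(event):
    # "s3.amazonaws.com" -> "s3"
    return event["eventSource"].split(".")[0]


def scp_would_deny(event, policy):
    """Evaluate the single Deny statement above against a CloudTrail record."""
    stmt = policy["Statement"][0]
    if f"{_service(event)}:*" in stmt["NotAction"]:
        return False
    allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
    return event["awsRegion"] not in allowed


def is_violation(event, allowed=ALLOWED_REGIONS):
    """Detective side: flag mutating API calls that landed outside the
    allowlist. Read-only calls create no data in the region, so they are not
    reported here, although the SCP above blocks them as well."""
    if _service(event) in GLOBAL_SERVICE_PREFIXES:
        return False
    if event.get("readOnly", False):
        return False
    return event["awsRegion"] not in allowed


def audit(records, allowed=ALLOWED_REGIONS):
    """Return one finding per offending record."""
    return [
        {
            "eventName": ev["eventName"],
            "region": ev["awsRegion"],
            "principal": ev["userIdentity"]["arn"],
        }
        for ev in records
        if is_violation(ev, allowed)
    ]


def _record(source, name, region, read_only, user):
    """Constructed CloudTrail-style record (only the fields used above)."""
    return {
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "readOnly": read_only,
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
    }


# Constructed sample trail: two writes outside the EU, one read-only call
# outside the EU, one global-service call, one compliant write.
SAMPLE_EVENTS = [
    _record("ec2.amazonaws.com", "RunInstances", "eu-west-3", False, "david"),
    _record("s3.amazonaws.com", "CreateBucket", "us-east-1", False, "jean-michel"),
    _record("ec2.amazonaws.com", "DescribeInstances", "us-east-1", True, "david"),
    _record("iam.amazonaws.com", "CreateUser", "us-east-1", False, "admin"),
    _record("rds.amazonaws.com", "CreateDBInstance", "ap-southeast-1", False, "jean-michel"),
]


if __name__ == "__main__":
    import json
    print(json.dumps(region_deny_scp(ALLOWED_REGIONS), indent=2))
    for finding in audit(SAMPLE_EVENTS):
        print("VIOLATION:", finding)
```

Running it prints the Deny statement and two findings (the S3 bucket in us-east-1 and the RDS instance in ap-southeast-1). The difference between the two halves is deliberate: the SCP blocks even the read-only call outside the EU, while the detector only reports calls that actually placed data in a disallowed region, which is what a data-localization audit needs to know.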
- XKS by KMS.
KMS, AWS's encryption key management service, now offers XKS (External Key Store), which lets the encryption keys be held in an external key manager. This involves transferring responsibility for storing the encryption keys to another provider who can more easily meet the applicable legal requirements. AWS then acts solely as an intermediary, which removes the possibility of AWS reading the encrypted data, since it no longer holds the keys.
However, be careful with the shared responsibility model if you decide to take full responsibility for encryption: with this level of outsourcing, AWS cannot be held liable in the event of problems.
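To make the custody boundary concrete, the following added example (not the post's code, nor AWS's implementation) simulates the external-key-store flow in a single Python process: a customer application, a KMS stand-in that holds no key material for the external key, and the customer-run key manager behind an XKS proxy. The class and function names (`ExternalKeyStore`, `KmsWithExternalKey`, `seal`, `open_sealed`, `encrypt_record`, `decrypt_record`, `demo`) are invented for the illustration, the cipher is a SHA-256 stream with an HMAC tag standing in for AES-GCM so that it runs with the standard library, and the additional KMS-side encryption layer that the real service applies to the wrapped key is left out.

```python
"""Simplified model of the key-custody boundary created by a KMS external
key store. Added illustration: not code from the original post and not AWS's
implementation. The cipher is a SHA-256 stream with an HMAC tag, a
standard-library stand-in for AES-GCM; the extra KMS-side encryption layer
of the real service is omitted. All names here are invented for the example.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 12, 32

def _subkey(key, label):
    # Separate encryption and MAC keys derived from one root.
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, length):
    # SHA-256 in counter mode; demonstration only, not a vetted cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Verify the tag, then decrypt; ValueError on tampering or wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class ExternalKeyStore:
    """Customer-operated key manager behind the XKS proxy: it wraps and
    unwraps data keys, and the root key never leaves it."""

    def __init__(self):
        self._root_key = secrets.token_bytes(32)
        self.connected = True  # the customer decides whether the proxy answers

    def wrap(self, data_key):
        if not self.connected:
            raise ConnectionError("XKS proxy unreachable")
        return seal(self._root_key, data_key)

    def unwrap(self, wrapped):
        if not self.connected:
            raise ConnectionError("XKS proxy unreachable")
        return open_sealed(self._root_key, wrapped)

class KmsWithExternalKey:
    """KMS stand-in: generates data keys and forwards wrap/unwrap to the
    proxy. It stores nothing that would let it unwrap on its own."""

    def __init__(self, xks):
        self._xks = xks

    def generate_data_key(self):
        data_key = secrets.token_bytes(32)
        return data_key, self._xks.wrap(data_key)

    def decrypt_data_key(self, wrapped):
        return self._xks.unwrap(wrapped)

def encrypt_record(kms, plaintext):
    """Envelope encryption: the caller keeps the wrapped key and the
    ciphertext and discards the plaintext data key."""
    data_key, wrapped = kms.generate_data_key()
    return wrapped, seal(data_key, plaintext)

def decrypt_record(kms, wrapped, ciphertext):
    return open_sealed(kms.decrypt_data_key(wrapped), ciphertext)

def demo():
    """Round-trip a record, then cut the proxy: the wrapped key and the
    ciphertext held on the provider side become unreadable. Returns True
    when the custody boundary behaves as described."""
    xks = ExternalKeyStore()
    kms = KmsWithExternalKey(xks)
    wrapped, ct = encrypt_record(kms, b"patient record 42")  # constructed data
    if decrypt_record(kms, wrapped, ct) != b"patient record 42":
        return False
    xks.connected = False
    try:
        decrypt_record(kms, wrapped, ct)
    except ConnectionError:
        return True
    return False

if __name__ == "__main__":
    print("custody boundary holds:", demo())
```

Running `demo()` shows both sides of the coin. With the proxy reachable, the record round-trips; once the customer cuts the proxy, neither the KMS stand-in nor anything stored on the provider side can recover the data key. That same path is the availability failure mode behind the shared-responsibility caveat above: if the proxy is down or the external key manager loses its root key, every decrypt fails, and that outage is the customer's to resolve, not the provider's.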
- AWS Dedicated Local Zones.
This infrastructure is managed by AWS and reserved for the exclusive use of the customer. It can be sited where regulatory requirements dictate and is managed by local AWS personnel, again to comply with legal constraints.
- AWS infrastructure tailored to specific regulations.
Like the AWS regions announced in Germany for 2025: these are not Dedicated Local Zones like the ones described above, but they still meet very specific criteria to satisfy the requirements of certain laws. The resilience and security guarantees are the same as for traditional AWS regions, but they are located where regulations require. They will have their own IAM, their own account system, their own consumption tracking, etc.
The question of trust
In summary, these environments have characteristics that enable them to meet specific security requirements.
It is thanks to all these technical innovations that big names in the cloud such as AWS are trying to reassure their customers, in order to win as much market share as possible and thus increase their profits.
However, even if Jean-Michel feels somewhat reassured, because he understands that it is not in the interest of cloud providers to open up access to his data, one fact remains: despite all the measures put in place by the cloud players, the legal bodies, and customer security policies, sensitive data is still entrusted to third parties, and in the end it is on them that trust is placed.
We will therefore leave this last parameter to the discretion of each individual.
David NEYRON
DevOps/Cloud Engineer