Looking at Sovereignty Requirements with Azure

By John Savill's Technical Training


Azure Sovereignty and Beyond: A Detailed Summary

Key Concepts:

  • Sovereignty Layers: Legal/Jurisdictional, Regulatory/Compliance, Operational/Administrative, Identity/Access, Control Plane, Data/Compute Location.
  • CLOUD Act (Clarifying Lawful Overseas Use of Data Act): US federal law under which US law enforcement can, with a warrant, compel a US-based provider to produce data in its possession, custody, or control, even when that data is stored abroad.
  • Azure Public Cloud: The standard, globally available Azure services.
  • National Partner Clouds: Azure environments operated in partnership with local providers (e.g., France, Germany).
  • Azure Local: A suite of solutions bringing Azure capabilities to customer-controlled infrastructure, encompassing connected and disconnected options.
  • Azure Arc: Extends Azure management and services to on-premises and edge environments.
  • Entra ID (formerly Azure AD): Microsoft’s cloud-based identity and access management service.
  • Data Residency: The geographic location where data is stored.
  • European Data Guardian: Microsoft's commitment that remote access by Microsoft personnel to systems holding European customer data is controlled by staff residing in Europe, subject to customer approval. It complements the EU Data Boundary, which governs where the data itself is stored and processed.

I. Understanding Sovereignty Considerations

The video outlines a layered approach to understanding Azure sovereignty, crucial for organizations navigating diverse global and industry-specific requirements. These layers encompass legal, regulatory, operational, identity, control plane, and data/compute aspects. A core challenge stems from Microsoft being a US-owned company, which brings the CLOUD Act into play: a US federal law permitting US law enforcement to compel US technology companies to produce data in their possession, custody, or control, regardless of where it is physically stored. However, the video emphasizes that this access is not unfettered: it requires a specific warrant, follows judicial process, allows the provider to challenge the order, and is subject to international cooperation frameworks. Microsoft actively fights to protect customer rights, as evidenced by legal challenges, including one that reached the US Supreme Court, and implements additional controls, particularly for European customers, including contractual clauses, a dedicated board, and a Digital Resilience Commitment. Because the act reaches data a provider can access, the encryption and key-management controls in Section V matter as much as the legal arguments.

II. Azure Cloud Environments: A Spectrum of Options

Beyond the standard Azure Public Cloud, Microsoft offers several specialized environments:

  • China Cloud (21Vianet): A completely separate infrastructure operated by a local partner, with its own endpoints and tenants.
  • US Government Cloud: Designed for US government agencies and their suppliers, with stringent security and personnel requirements.
  • National Partner Clouds (France, Germany): Operated in partnership with local providers (Bleu in France, Delos Cloud in Germany) offering enhanced control and compliance under local jurisdiction.
  • EU Data Boundary: Microsoft commits to storing and processing customer data for M365, Dynamics 365, Power Platform, and Azure within the EU for customers in the EU and EFTA, complemented by the European Data Guardian, which restricts remote access to those systems to Microsoft personnel residing in Europe, contingent on customer consent via Customer Lockbox.

III. Identity Management and Geographic Control

A fundamental aspect of Azure sovereignty is control over identity and data location. When creating an Entra ID tenant, a country is selected, aligning it with one of four geographic locations (US, Europe, Asia-Pacific, Australia) governing where directory data is stored and tokens are processed. The tenant's directory objects (users, groups, credentials) therefore remain at rest within the chosen geography. While Entra ID utilizes a global gateway for authentication, the underlying objects are replicated and processed within the selected geographic location. Specific country mappings are provided (e.g., Canada and Costa Rica map to US, Egypt to Europe, Australia to Australia, Saudi Arabia to Europe, Singapore to Asia-Pacific). The country cannot be changed after the tenant is created, so the choice needs to be made deliberately at sign-up.

IV. Azure Resource Management and Regional Boundaries

Azure services are accessed through Azure Resource Manager (the control plane), allowing users to create, manage, and modify resources. These resources are deployed within specific Azure regions, each a defined geographic boundary with multiple data centers in close proximity. Data residency is guaranteed within the selected region for regional services (e.g., data stored in UK West remains in the United Kingdom); non-regional ("global") services and some service metadata are documented separately by Microsoft and need to be checked case by case. Customers can align resource deployment with regulatory requirements by selecting appropriate regions, restricting deployments to those regions with Azure Policy, and ensuring data replication remains within those boundaries. Brazil is the notable exception: Brazil South is paired with South Central US, so geo-redundant storage replicates to the US by default, but this can be avoided by choosing locally or zone-redundant options to maintain in-country data residency. Services like SQL, PostgreSQL, Cosmos DB, and AI services allow customers to control replication destinations.

V. Enhancing Data Control: Encryption and Key Management

Data is always encrypted at rest in Azure, using platform-managed keys by default, with customers able to take control of the encryption keys through customer-managed keys held in Azure Key Vault or a managed HSM. Microsoft is expanding these options, including the ability to use customer-owned Hardware Security Modules (HSMs) to manage encryption keys. With the key under customer control, even if compelled to provide data, Microsoft would only be able to deliver ciphertext without the key needed to read it.
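The two controls from Sections IV and V (keep resources inside allowed regions, keep geo-replication inside the residency boundary, and require customer-managed keys on storage) are the kind of thing a practitioner checks continuously rather than once. The following audit is an added example, not code from the video or from Microsoft: it runs offline over a constructed inventory shaped like `az resource list` output, and the region-pair and region-to-country tables are hand-written assumptions that cover only the regions named on this page. The `keySource` values (`Microsoft.Storage` for platform-managed keys, `Microsoft.Keyvault` for customer-managed keys) are what the storage account resource actually reports.

```python
"""Offline data-residency and key-control audit over an Azure resource inventory.

Added example, not code from the video or from Microsoft. SAMPLE_INVENTORY is a
constructed sample shaped like `az resource list` output; in a real run you would
feed the JSON from that command (or Azure Resource Graph) into audit().
"""
from dataclasses import dataclass

# ASSUMPTION: these tables are hand-written for this example and cover only the
# regions named on the page. Brazil South pairs with South Central US, which
# sits outside Brazil.
REGION_PAIR = {
    "brazilsouth": "southcentralus",
    "southcentralus": "northcentralus",
    "ukwest": "uksouth",
    "uksouth": "ukwest",
}
REGION_COUNTRY = {
    "brazilsouth": "BR",
    "southcentralus": "US",
    "northcentralus": "US",
    "ukwest": "GB",
    "uksouth": "GB",
    "eastus": "US",
}

# Storage SKUs that replicate asynchronously to the paired region.
GEO_REDUNDANT_SKUS = {"Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"}
STORAGE_TYPE = "microsoft.storage/storageaccounts"


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def audit(resources, allowed_locations, residency_countries):
    """Return one Finding per rule a resource violates.

    allowed_locations: lower-case region names the organisation permits.
    residency_countries: ISO country codes considered inside the boundary.
    """
    findings = []
    for r in resources:
        name, loc = r["name"], r["location"].lower()
        if loc == "global":
            continue  # non-regional resources (e.g. DNS zones) hold no regional data at rest
        if loc not in allowed_locations:
            findings.append(Finding(name, "allowed-locations", f"deployed in {loc}"))
            continue
        if r["type"].lower() != STORAGE_TYPE:
            continue
        sku = r.get("sku", {}).get("name", "")
        if sku in GEO_REDUNDANT_SKUS:
            pair = REGION_PAIR.get(loc)
            if REGION_COUNTRY.get(pair) not in residency_countries:
                findings.append(Finding(name, "geo-replication-leaves-boundary",
                                        f"{sku} in {loc} replicates to {pair}"))
        # keySource is Microsoft.Storage for platform-managed keys and
        # Microsoft.Keyvault when a customer-managed key wraps the account.
        key_source = (r.get("properties", {}).get("encryption", {})
                      .get("keySource", "Microsoft.Storage"))
        if key_source != "Microsoft.Keyvault":
            findings.append(Finding(name, "platform-managed-key", f"keySource={key_source}"))
    return findings


# Constructed inventory: a Brazilian organisation that permits only Brazil South.
SAMPLE_INVENTORY = [
    {"name": "stbrgrs", "type": "Microsoft.Storage/storageAccounts", "location": "brazilsouth",
     "sku": {"name": "Standard_GRS"},
     "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "stbrlrs", "type": "Microsoft.Storage/storageAccounts", "location": "brazilsouth",
     "sku": {"name": "Standard_LRS"},
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
    {"name": "vm-east", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "corp-dns", "type": "Microsoft.Network/dnszones", "location": "global"},
]


def run_sample():
    return audit(SAMPLE_INVENTORY, allowed_locations={"brazilsouth"}, residency_countries={"BR"})


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.resource}: {f.rule} ({f.detail})")
```

On the sample the GRS account in Brazil South is flagged because its replica lands in the US even though the region itself is allowed, the LRS account passes the residency checks but is flagged for relying on platform-managed keys, the US virtual machine fails the allowed-locations rule outright, and the global DNS zone is skipped. The same three rules map directly onto Azure Policy built-ins (allowed locations, a deny on geo-redundant storage SKUs, and the "storage accounts should use customer-managed key" audit) once you want enforcement at deployment time rather than after the fact.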

VI. Azure Local: Extending Azure to Customer-Controlled Infrastructure

For scenarios where Azure regions don't meet specific requirements, Azure Local provides a solution. It is the unified platform that succeeds Azure Stack, Azure Stack HCI, and Azure Stack Edge, offering both software and hardware components. Azure Local comes in two primary deployment models:

  • Connected Azure Local: Leverages Azure Arc to extend the Azure control plane to the customer’s infrastructure, allowing management through the standard Azure portal and access to a subset of Azure services. The control plane can be linked to a specific Azure region, maintaining geographic control.
  • Disconnected Azure Local: Operates entirely independently of the public cloud, utilizing a local control plane whose identity is based on Active Directory Domain Services and Active Directory Federation Services rather than Entra ID. This provides complete data isolation and control, suitable for air-gapped environments, at the cost of the Azure services that require a connection.

Azure Arc plays a crucial role in connected Azure Local deployments, enabling hybrid capabilities and access to services like Azure Virtual Desktop, Azure IoT, and data services.

VII. Deployment Options and Scalability with Azure Local

Azure Local supports single-node and multi-node deployments, with optional SAN (Storage Area Network) integration. Multi-rack configurations can scale to hundreds of nodes. A shared control plane can be deployed for managing multiple Azure Local clusters, providing centralized management and a dedicated portal.

VIII. M365 Local on Azure Local

Beyond core Azure services, M365 Local can be deployed on Azure Local (both connected and disconnected), providing on-premises server versions of Exchange, SharePoint, and Skype for Business (Teams is not included).


Conclusion:

Microsoft offers a comprehensive suite of options for addressing Azure sovereignty concerns. From leveraging regional boundaries within the public cloud to deploying fully isolated Azure Local environments, customers have significant control over data location, access, and compliance. The key takeaway is that a "sovereign public cloud" can be assembled by strategically combining Azure's features (tenant geography, region selection, replication control, and customer-managed keys), while Azure Local extends Azure capabilities to locations and scenarios where public cloud options are insufficient, in both connected and disconnected models, to meet diverse regulatory and security requirements. The right choice depends on the specific needs and constraints of the organization.
