Category Archives: Microsoft Cloud for Sovereignty

Microsoft Cloud for Sovereignty: the solution to meet sovereignty requirements in the cloud and hybrid environments

Microsoft has recently announced the availability of Microsoft Cloud for Sovereignty across all Azure regions. This solution offers reliable options for the public sector, designed to support the migration, development, and transformation of workloads in Microsoft’s cloud while complying with regulatory, security, and control requirements. In this article, we delve into the distinctive features of Microsoft Cloud for Sovereignty, exploring how it can ensure rapid digital transformation for government entities in compliance with regulations.

Sovereignty in the Hyperscale Cloud

Governments worldwide must meet a wide range of national and regional compliance requirements for applications and workloads, including governance, security controls, privacy, and in some cases, data residency and sovereign protections. Until now, most solutions to meet these regulatory requirements relied on private clouds and on-premises environments, slowing the adoption of scalable, secure, and resilient cloud solutions.

What is Data Sovereignty and Microsoft’s Stance on ‘Sovereignty’?

Data sovereignty is the concept that data is under the customer’s control and regulated by local laws. While data residency ensures data remains in a specific geographic location, data sovereignty ensures adherence to the regulations of the country where the public sector customer is located. Each jurisdiction has its own requirements, vision, and unique needs when it comes to addressing sovereignty. In this regard, while Microsoft believes many of these needs are met through standard cloud solutions, it has introduced Microsoft Cloud for Sovereignty, providing an additional layer of capabilities to meet the individual needs of public sector and government clients. It is then up to partners and clients to determine what is appropriate for their specific needs. For the most sensitive workloads that cannot be hosted in the public cloud, Microsoft offers hybrid options, such as Azure Stack HCI, allowing customers to keep data in their own on-premises environments.

The following paragraphs outline the most common requests for achieving data sovereignty in the cloud.

Residency, Security, and Compliance in the Hyperscale Cloud

Microsoft Cloud for Sovereignty is rooted in over 60 global Azure cloud regions, ensuring unmatched security and a wide range of regulatory compliance. This positions Microsoft as the cloud provider with the most regions worldwide, and this infrastructure allows customers to implement specific policies to ensure their data and applications remain within their preferred geographic boundary, fully respecting national or regional data residency requirements.

Controls for Data Access

Microsoft Cloud for Sovereignty provides controls to ensure sovereignty, protection, and encryption of sensitive data and to control access, enabled by:

  • Sovereign Landing Zone: A specific Azure landing zone designed for entities requiring privacy, security, and sovereign controls in compliance with governmental regulations. These zones provide a repeatable and secure approach for cloud service development and deployment. Governments facing complex and multilevel regulatory contexts find in the Sovereign Landing Zones an effective solution for designing, implementing, and managing solutions, adhering to established policies. They allow for the implementation and configuration of Azure resources, ensuring alignment with the best practices of the Cloud Adoption Framework (CAF). These guides enable organizations to meet data sovereignty requirements. For more information on SLZ and their features, it is recommended to consult the documentation on GitHub.
  • Azure Confidential Computing: A technology developed by Microsoft aimed at enhancing data security while being processed in the cloud. Traditionally, data can be protected while at rest (stored) or in transit (during transmission), but become vulnerable when in use or running on a server. Confidential Computing seeks to bridge this gap by protecting data even when in execution. This is achieved through the use of a technology called “Trusted Execution Environment” (TEE), which is essentially a secure area of the processor. TEEs isolate data and code in execution from other processes, including those of the operating system, so that only authorized code can access the data. This means that even if an attacker manages to penetrate the operating system or network, they would not be able to access the protected data within the TEE. Azure Confidential Computing is particularly useful for use cases requiring a high level of data security, such as financial transactions, healthcare information management, or handling sensitive data for businesses or governments.

The Complexity of Addressing Regulations that Vary from Country to Country

Digital sovereignty is a complex issue, varying significantly from one nation to another. To address this challenge, Microsoft has adopted a collaborative and customized approach with its Microsoft Cloud for Sovereignty. By working closely with local partners in different countries, Microsoft is able to tailor its cloud solutions to the specific needs of each client, maximizing efficiency and ensuring secure implementations.

In this context, Microsoft offers its clients the ability to adopt specific policies related to sovereignty through Azure, simplifying the process of complying with national and regional regulations. These initiatives (set of policies) help clients establish cloud security parameters, facilitating compliance with regulations.

A concrete example is the adoption of the Azure Cloud Security Benchmark. Clients can start here, then add the new Sovereignty Policy Baseline to strengthen digital sovereignty practices. Additionally, they can integrate specific layers for their regions, such as the guidelines for cloud migration from the Italian National Agency for Cybersecurity of Public Administration (ACN) for clients in Italy.

Furthermore, the new Cloud Security Alliance Cloud Controls Matrix (CSA CCM v4) policy initiative offers a global benchmark that informs and guides many regional standards, further consolidating Microsoft’s commitment to secure, compliant, and sovereign cloud solutions.

How Microsoft Ensures Data Remains in a Specific Country and Supports Sovereignty Needs of Governments Without Azure Regions in Their Territory?

Microsoft provides detailed information about data residency in the Microsoft Cloud through its documentation and the Microsoft Trust Portal. Additional measures to maximize data residency have been announced as part of the EU Data Boundary. Governments worldwide have different preferences regarding sovereignty and data residency. For some clients, data residency in their own country is not a prerequisite for sovereignty. Moreover, the sovereignty controls that Microsoft provides can be used anywhere, even in the absence of a region in their own country.

Microsoft Cloud for Sovereignty for Italian Clients

A significant step towards digital sovereignty in Italy is represented by the introduction of the new Azure Italy North region. This region opens new possibilities for public and private clients, offering them access to Sovereign Landing Zones. Additionally, Azure Italy North stands out for adopting cutting-edge technologies like Azure Confidential Computing. With the addition of Azure Italy North, Microsoft demonstrates its commitment to supporting the specific needs of Italian clients, providing advanced technological solutions that meet the challenges of digital sovereignty and data security.

Capabilities of Microsoft Cloud for Sovereignty

The capabilities of Microsoft Cloud for Sovereignty extend across several levels:

Figure 1 – The Various Layers that Compose Microsoft Cloud for Sovereignty

New Capabilities for Sovereignty

The following new solutions highlight Microsoft’s ongoing investment in improving sovereignty in the hyperscale cloud:

  • Drift Analysis Capability: Continuous administration and maintenance can potentially introduce changes that are not compliant with established policies, causing the deployment to deviate from compliance over time. The new drift analysis tool inspects the deployment and generates a list of non-compliant settings, along with a severity assessment, facilitating the identification of discrepancies to be remedied and the verification of compliance in specific environments.
  • Transparency Logs: Provides eligible customers with visibility into instances where Microsoft engineers have accessed customer resources through Just-In-Time (JIT) access, most commonly in response to a customer support request.
  • New Configuration Tools in the Azure Portal: Allow customers to create a new custom Sovereign Landing Zone in two simple steps using a guided experience.


In conclusion, Microsoft Cloud for Sovereignty represents a significant turning point in data management and digital sovereignty in the cloud and hybrid environments. With its ability to meet complex compliance requirements and ensure data security, this solution stands as a fundamental pillar for the public and governmental sector. The availability across all Azure regions, coupled with innovative Azure Confidential Computing and Sovereign Landing Zones, offers customers unprecedented flexibility to keep data within national or regional boundaries, respecting local regulations. Microsoft’s personalized and collaborative approach in responding to the specific needs of each country demonstrates a clear commitment to digital sovereignty, offering secure, scalable, and reliable solutions. Particularly for Italian clients, the opening of the Azure Italy North region is a significant step forward, highlighting Microsoft’s investment in supporting local needs and strengthening data security. Overall, Microsoft Cloud for Sovereignty emerges as an important innovation in the cloud computing landscape, advancing the mission of a safer, compliant, and sovereign digital future.