Major Cloud Providers Embrace Data Boundary Concept
Within the realm of hyperscale cloud giants, Microsoft no longer stands alone in discussing the concept of Data Boundary: Google Cloud has also adopted and integrated this idea into their offerings.
Microsoft began using the term ‘Data Boundary’ in 2022. Under this branding, the American company aimed to enhance data localization and processing within Europe, especially for customers operating locally. They claim to have completed this initiative early in the year; however, many of their services are still in the process of being adapted to fully implement this approach.
On the other hand, Google does not enforce geographic restrictions in the same way. The notion of ‘Data Boundary’, as presented by Google, appears to be more of a marketing interpretation of its existing service known as Assured Workloads. This service is highlighted as the primary mechanism enabling their data sovereignty practices.
From External Encryption to Personnel Verification: Data Sovereignty with 20% Additional Costs
Google’s Assured Workloads service has been available since 2021. Its main promise is to help organizations ensure their workloads meet compliance standards. The service is structured around three core pillars:
- Data Residency: This involves applying specific administrative rules during the creation of workloads to guarantee data remains in designated locations.
- Regional Assistance: Access to resources is limited to personnel who meet specific location and background verification criteria.
- Access Control: This component encompasses two key services:
  - Cloud External Key Manager (EKM): This service allows users to operate encryption keys stored on external hardware, held by partner companies.
  - Key Access Justifications (KAJ): This feature adds an explicit ‘justification’ field to EKM requests, stating the reason for each key usage.
The free tier of Assured Workloads offers fundamental features such as data localization within the European Union and basic personnel controls. More advanced capabilities, including technical assistance and EKM/KAJ usage, are available only with the Premium tier, which incurs about a 20% extra fee.
Beyond these foundational options, Google Cloud’s Data Boundary package also includes a component called User Data Shield. Built on services from Mandiant, this feature provides security testing of customer-developed applications to verify security compliance and resilience.
Limitations of Data Boundary in Google Workspace
Google extends the Data Boundary concept to its productivity suite, Google Workspace. At its initial level, there is an option to globally set data storage preferences—either within the European Union, the United States, or without specific preference. However, this setting is unavailable for Google Workspace Business Starter, Education Fundamentals, and the Essentials editions (excluding Enterprise Essentials Plus, subject to domain verification).
More advanced configurations allow for finer control, such as setting storage and processing locations by user, service, or team, but these are restricted to higher-tier plans like Enterprise Plus, Enterprise Essentials Plus, and Frontline Plus.
With these editions, organizations can block regionalized services on an application-by-application basis. Examples include:
- Geographic suggestions in Calendar
- Formula correction in Sheets
- Adding images to signatures in Gmail
- Transcriptions in Meet
- Several other features within Google’s Gemini suite, including the sidebar
Regardless of the tier, some data processing activities cannot be regionalized, such as in Google Forms, Keep, and Sites.
Client-side encryption is available in the higher editions, including Plus and Education Standard. When combined with the Assured Controls module, it enables local storage of data, which can be exported to a Cloud Storage bucket.
Trustworthy Cloud Infrastructure: France and Germany Leading the Way
Within the context of sovereign cloud initiatives, Google and Microsoft are also developing regional solutions. Google's are branded as Google Cloud Air-Gapped and Google Cloud Dedicated.
The first, Google Cloud Air-Gapped, has recently taken shape through a partnership announced in 2023 with Clarence, a joint venture between Luxembourg-based LuxConnect and Belgian telecom giant Proximus.
The second, Google Cloud Dedicated, is currently represented by S3NS, a project aimed at deploying a cloud environment within a dedicated infrastructure. Similar efforts are underway in Germany, where Google has recently partnered with Schwarz Group to host its productivity applications on a localized cloud platform. Additionally, Google has established a collaboration with T-Systems, resulting in a ‘Sovereign Control’ offering similar to the one provided by S3NS.
On Microsoft’s side, recent announcements highlight new digital commitments for Europe. These include the joint venture Bleu, created in collaboration with Capgemini and Orange, to develop a local cloud infrastructure. There is also a similar initiative in Germany involving SAP and Bertelsmann, through their subsidiaries Delos Cloud and Arvato Systems, aimed at strengthening local data sovereignty and infrastructure resilience.