Whose cloud is it, anyway? Rethinking sovereignty in the shift to cloud infrastructure

Cloud infrastructure is now the backbone of everything from social services and emergency response to critical industry operations and defence. The shift has been fast, and often invisible to users. What began as a convenience to save costs and increase flexibility has quietly become a question of national resilience. As more government systems migrate to commercial cloud platforms, the issue is no longer just where the data lives, but who holds real control over the systems that support it.

High-profile breaches at Qantas, revealed last week, and Optus and Medibank in 2022 have highlighted the consequences of poor data governance—not just for the organisations attacked, but for the individuals whose information was exposed. These events reinforce the need to secure datasets that carry real-world consequences. But the risks don’t stop at the consumer level. They also affect us as citizens.

Public discussion of data sovereignty often focuses on geography. The assumption is that if data is stored within national borders, sovereignty is intact. But this framing misses the larger issue. Control isn’t just about the data centre postcode. It’s also about the equipment and supply chains behind these services: who designs, manages and secures the infrastructure; who can observe or collect system-level activity; and who sets the rules for access.

These distinctions matter, but they’re part of a more complex picture. Data residency refers to the physical location of storage, while data sovereignty refers to who holds legal and operational authority over data and systems. These are important dimensions, but sovereignty in the cloud era involves more than geography or governance. It includes: assurance of supply chains and the extent to which enabling technologies can be controlled or directed by a foreign government; visibility into infrastructure; and the ability to adapt service architectures as risks evolve. Responding to this requires more than technical specifications or regulatory clauses; it demands a layered, ongoing approach to risk, resilience and control.

Estonia offers a useful model. Through its ‘digital embassy’ in Luxembourg, it stores copies of critical government data offshore while retaining sovereign control. The legal structure treats the data as Estonian territory under international law. Ukraine has taken a different approach during wartime, shifting sensitive systems into public cloud environments under frameworks designed to preserve operational continuity.

Commercial cloud architecture is complex, often deliberately so. Many government clients have limited visibility into how workloads are scheduled, where failover systems reside, or who can access logs and metadata. Even when such information is available, procurement and policy teams often lack the technical capability to interrogate it effectively. This limits their ability to identify risks, challenge vendor assumptions or make informed comparisons. Services labelled as ‘sovereign’ or ‘local’ may still rely on offshore elements—such as software updates, control planes and management consoles—that sit outside domestic oversight. This fragmentation creates blind spots that regional hosting alone cannot resolve.

There’s also a risk of structural dependency without understanding the implications. Sovereignty in the digital era is a systems question, not just a legal one. When governments can’t inspect or govern the infrastructure that delivers their services, they rely on opaque assurances and private trust relationships. That might be acceptable in peacetime. It becomes a vulnerability in crisis or conflict.

Some argue this is the trade-off for accessing secure, scalable infrastructure. But that view is misleading. Security and sovereignty are not mutually exclusive. Adopting modern cloud capabilities doesn’t require surrendering visibility, control or policy independence. What’s missing is not technical feasibility, but strategic intent.

If Australia wants to retain authority over how its systems operate during disruption, it will need to prioritise infrastructure that supports operational independence. This means demanding transparency in service delivery, auditability of privileged access, and enforceable constraints on data movement and administrative control. It also means building scalable in-house capability for continuous compliance monitoring so agencies can assess, manage and, where necessary, disengage from platforms that no longer meet sovereign requirements.

This is not an abstract policy debate. Cloud platforms underpin essential government functions, from border security and defence logistics to law enforcement databases and infrastructure monitoring. They are embedded in daily public operations. A failure—whether from misconfiguration, cyberattack or coercion—would have widespread consequences. As reliance deepens and infrastructure becomes more concentrated, the risk only grows.

Policy responses must be forward-looking and principled. Governments should not be passive recipients of whatever commercial offering is available. Instead, they should shape requirements around a clear articulation of sovereign interest. That includes a willingness to invest in architectural resilience, even at the cost of slower procurement or higher upfront expense. Sovereign capability is not always efficient, but it’s often essential.

The key shift is from passive consumption to deliberate control, defined not just by initial oversight, but by the ability to scale and adapt governance as threats evolve. This requires frameworks that are dynamic, not static, with the flexibility to respond to vendor behaviour, changing risks or the needs of missions. Contracts and compliance frameworks are no substitute for verifiable and enduring authority over systems.

Leading on sovereign cloud adoption is not about reinventing the wheel; it’s about making deliberate choices that align with national interests and setting clear expectations for transparency, control and resilience. That requires a mindset shift—from treating cloud as a commodity to seeing it as strategic infrastructure. Convenience cannot be the organising principle. In a contested and uncertain world, the systems we build should be governed with clarity, not outsourced by default.