Sovereign Cloud (Pillar: Sovereign)
The Sovereign Cloud pillar of WAF++ defines requirements, principles and measurable controls to demonstrably implement sovereignty over data, keys, dependencies and operations.
Sovereignty is not a product feature. It is an architectural state that must be achieved and continuously demonstrated.
What does Sovereign Cloud mean?
Sovereign Cloud means that an organization has demonstrable control over the following dimensions:
| Dimension | What is controlled? | WAF-SOV Control |
|---|---|---|
| Jurisdiction & Data Residency | Where are data, backups, logs and metadata stored? | WAF-SOV-010, WAF-SOV-020 |
| Region Pinning | Can deployments occur only in permitted regions? | WAF-SOV-020 |
| Backup & Recovery | Do backups remain within sovereignty boundaries? | WAF-SOV-030 |
| Logging & Telemetry | Are logs/traces/metrics stored sovereignly? | WAF-SOV-040 |
| Key Ownership | Does the organization control its encryption keys? | WAF-SOV-050 |
| Privileged Access | Is admin access minimal, time-bound and auditable? | WAF-SOV-060 |
| Break-Glass | Is emergency access controlled, logged and reviewed? | WAF-SOV-070 |
| Dependencies | Are all subprocessors and third-party providers inventoried? | WAF-SOV-080 |
| Egress Control | Is data prevented from leaving the sovereignty boundary unnoticed? | WAF-SOV-090 |
| Exit Capability | Can the organization exit its provider in a controlled manner? | WAF-SOV-100 |
Why is Sovereign Cloud its own pillar?
Sovereignty is cross-cutting: it touches Security, Reliability, Governance and Operations. Nevertheless it is a standalone discipline, because:
- It has its own regulatory requirements (GDPR, BSI C5, EUCS, GAIA-X)
- It requires specific technical controls that no other pillar fully covers
- It must be measurable and auditable – not just documented
- It represents a fundamental negotiating position vis-à-vis cloud providers

> Sovereignty without technical enforceability is a claim, not a control.
Distinction from other pillars
- Security addresses: attack protection, vulnerability management, incident detection.
- Governance addresses: policies, decision processes, compliance framework.
- Sovereign addresses: jurisdiction control, data sovereignty, exit capability, key ownership.
Sovereign Cloud assumes that security foundations are in place and augments them with jurisdictional and regulatory requirements specific to European and public sector contexts.
Controls Overview
The Sovereign pillar is operationalized through 10 measurable controls (WAF-SOV-010 to WAF-SOV-100).
| Control ID | Title | Severity | Automatable |
|---|---|---|---|
| WAF-SOV-010 | Data Residency Policy Defined | High | Partial |
| WAF-SOV-020 | Region Pinning Enforced (IaC) | Critical | High |
| WAF-SOV-030 | Backup Location & Retention Controlled | High | Medium |
| WAF-SOV-040 | Logging & Telemetry Residency Controlled | High | Medium |
| WAF-SOV-050 | Key Ownership & Management Defined | Critical | High |
| WAF-SOV-060 | Privileged Access Controlled (SoD) | Critical | Partial |
| WAF-SOV-070 | Break-Glass Process & Logging | High | Partial |
| WAF-SOV-080 | Dependency & Subprocessor Inventory | Medium | Partial |
| WAF-SOV-090 | Controlled Egress & Data Exfiltration Guardrails | High | Medium |
| WAF-SOV-100 | Exit Plan & Portability Tested | Medium | Low–Medium |
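The table rates Region Pinning Enforced (IaC) as highly automatable. The following added example, which is not WAF++ project code, shows one shape such a guardrail can take: a pre-apply check over `terraform show -json` output that fails on any resource placed outside an allow-list and flags resources whose placement is not declared at all. The allow-list, attribute names and the sample plan are constructed for illustration.

```python
"""Region-pinning guardrail over a Terraform plan (WAF-SOV-020 style).

Added example, not part of WAF++. Assumes the JSON shape produced by
`terraform show -json tfplan`; regions and resources below are constructed.
"""
import json

# Constructed allow-list: regions inside the sovereignty boundary.
ALLOWED_REGIONS = {"europe-west3", "europe-west4", "eu-central-1", "eu-west-1"}

# Attribute names under which common providers declare placement (assumption).
REGION_ATTRS = ("region", "location", "region_name")

# Constructed plan: shape follows `terraform show -json`, values are invented.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.data", "change": {"actions": ["create"],
            "after": {"bucket": "data", "region": "eu-central-1"}}},
        {"address": "aws_s3_bucket.backup", "change": {"actions": ["create"],
            "after": {"bucket": "backup", "region": "us-east-1"}}},
        {"address": "google_storage_bucket.logs", "change": {"actions": ["update"],
            "after": {"name": "logs", "location": "US"}}},
        {"address": "aws_iam_role.app", "change": {"actions": ["create"],
            "after": {"name": "app"}}},          # no placement attribute at all
        {"address": "aws_s3_bucket.old", "change": {"actions": ["delete"],
            "after": None}},                      # deletions carry no after-state
    ]
})


def check_region_pinning(plan_json, allowed=ALLOWED_REGIONS):
    """Return (address, region, reason) tuples for every finding.

    A declared region outside the allow-list is a hard violation. A resource
    with no region attribute is reported too: its placement falls back to the
    provider default, which this static check cannot verify, so it needs a
    human or a provider-level policy to confirm. Deletions are skipped.
    """
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:
            continue
        region = next((after[a] for a in REGION_ATTRS if a in after), None)
        if region is None:
            findings.append((rc["address"], None, "no region declared"))
        elif region not in allowed:
            findings.append((rc["address"], region, "outside allow-list"))
    return findings


if __name__ == "__main__":
    for address, region, reason in check_region_pinning(SAMPLE_PLAN):
        print(f"{address}: {region!r} ({reason})")
```

Wired into the pipeline before `terraform apply`, a non-empty result blocks the run, which is what turns region pinning from a documented policy into an enforced control.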
Quick Start
New to the Sovereign pillar? Recommended reading order:
- Definition – What exactly is Sovereign Cloud?
- Scope – What is in scope, what is not?
- Sovereign Principles – 7 core principles
- Controls – The 10 measurable controls
- Maturity Model – Where does my organization stand?
- Best Practices – How to implement it?