{"id":221786,"date":"2026-05-28T11:05:00","date_gmt":"2026-05-28T15:05:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/28\/how-cisos-can-manage-sovereign-cloud-security-risks\/"},"modified":"2026-05-28T11:10:22","modified_gmt":"2026-05-28T15:10:22","slug":"how-cisos-can-manage-sovereign-cloud-security-risks","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/28\/how-cisos-can-manage-sovereign-cloud-security-risks\/","title":{"rendered":"How CISOs can manage sovereign-cloud security risks"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/how-cisos-can-manage-sovereign-cloud-security-risks\/821323\/\">How CISOs can manage sovereign-cloud security risks<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/how-cisos-can-manage-sovereign-cloud-security-risks\/821323\/\">https:\/\/www.cybersecuritydive.com\/news\/how-cisos-can-manage-sovereign-cloud-security-risks\/821323\/<\/a><\/p>\n<p>Publish Date: 2026-05-28 11:05:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>As geopolitical tensions rise, organizations face new challenges for protecting their data in the cloud:\u00a0shifting regulations and increased cyber risk. That means, in some cases, evaluating alternatives to major U.S.-headquartered cloud providers.<br \/>\nWhile use of a sovereign local or regional cloud provider reduces certain geopolitical risks, CISOs must consider the security challenges they pose on both sides of the shared responsibility model. Cloud providers under pressure to offer cloud sovereignty often do so at the expense of other business and technical capabilities. 
They typically have weaker security for their cloud infrastructure than hyperscale providers, often lacking native governance, resilience and security features and a third-party ecosystem to augment security controls.<br \/>\nCISOs, then, must ensure that their cloud workload placement appropriately restricts use of these alternative providers by focusing on both security of the cloud and security in the cloud.<\/p>\n<p>Ensuring cloud security<br \/>\nA cloud provider must secure its data center facilities, hardware, software and services. It must defend itself against external cyber threats and also maintain strong defenses against malicious insiders, because nation-state threat actors can place operatives within a cloud provider for espionage or cyber warfare purposes.<br \/>\nWhile many alternative cloud providers hold ISO 27001 certifications, that certifies only that the provider operates an information security management system that conforms to the standard. It does not certify that the specific security controls the provider uses to protect its environment are in place and effective.<br \/>\nTo that end, CISOs should not treat ISO 27001, a Germany\u2019s BSI C5 Type 1 report (which covers the design of controls at a point in time) or similar audits as any guarantee of adequate security of the cloud \u2014\u00a0especially if the certification is not paired with an audit of the operating effectiveness of those controls over a period (such as a BSI C5 Type 2 report).<br \/>\nBesides considering audit certifications when choosing an alternative cloud provider, CISOs also should confirm whether alternative cloud providers have firmware protection, restricted and monitored internal access and data destruction controls in their infrastructure.<br \/>\nSecurity in the cloud<br \/>\nCloud IaaS and PaaS both function on a shared responsibility model. While the cloud provider is responsible for the security of the cloud, the customer is responsible for the security of its own environment and data in the cloud.<br \/>\nThat means the cloud customer must implement appropriate governance, cloud workload protection and other security measures. 
The organization is also responsible for determining which controls it needs and for correctly implementing them. <\/p>\n<p>Cloud configuration mistakes can lead to breaches. While provider-native controls are often ideal, many organizations\u00a0choose to also implement third-party layered and compensating controls, which come with their own risk. That\u2019s the tradeoff:\u00a0CISOs often are forced to treat alternative cloud services like on-premises operations, which ends up weakening the organization\u2019s security posture and eclipsing the benefits of the cloud.<br \/>\nUnfortunately, not all alternative cloud solutions were designed for enterprise use. Many are geared for small businesses with a single IT administrator, with the assumption that the solution would host a public-facing website. Consequently, they often have deficiencies, such as a single-account model instead of multiple management partitions, full internet exposure instead of private networks, and limited network security controls.<br \/>\nCISO playbook for working with sovereign cloud providers<br \/>\nCISOs must remain directly involved in approving sovereign cloud platforms, particularly for sensitive or critical workloads. The goal is not to block adoption, but to take a \u201cyes, and here\u2019s how\u201d approach, enabling a mix of hosting options while keeping cyber risk visible and controlled.<br \/>\nHere are some tips:<br \/>\nEstablish a clear understanding of sovereign and legal requirements<br \/>\nWork with legal counsel to identify applicable regulatory frameworks and the associated security, data protection and resilience requirements for each application and workload. This assessment must go beyond sovereignty alone.<br \/>\nCatalog and group workloads<br \/>\nIdentify all in-scope workloads and group them based on regulatory obligations, internal security and resilience requirements, sensitivity, criticality and business impact. 
Aim to minimize the number of workload tiers, while still reflecting the real complexity of the environment.<br \/>\nDefine required controls for each workload group<br \/>\nDocument the minimum effective controls for every tier, including organization-implemented controls, controls expected from the hosting provider and requirements related to sovereignty, localization and resilience. Input from multiple teams is essential, but the output must remain pragmatic and enforceable.<br \/>\nAssess regional and sovereign providers against control requirements<br \/>\nUse structured provider risk frameworks as a starting point and then evaluate in detail whether alternative platforms can meet the defined control baseline for each workload group.<br \/>\nBuild a workload placement matrix<br \/>\nCreate a matrix that includes all viable hosting options, including global hyperscalers, hyperscale sovereign offerings, regional cloud providers and on-premises environments. Determine where non-negotiable sovereignty, security, resilience and similar controls are, and are not, available.<br \/>\nMap providers to permissible workload types<br \/>\nUse the matrix as a decision rubric for workload placement. Some sovereign workloads may be suitable for regional cloud platforms, but many will be most effectively hosted on-premises based on the requirements.<br \/>\nThe bottom line: Effective sovereign cloud decisions require CISOs to ensure that sovereignty objectives do not come at the expense of long-term security, resilience and capability.<br \/>\nCharlie Winckless is a VP analyst on Gartner\u2019s Cybersecurity Leadership team. Gartner analysts will provide additional insights for security and risk management leaders at the Gartner Security &#038; Risk Management Summits, taking place June 1-3 in National Harbor, MD, July 22-24 in Tokyo, Aug. 4-5 in Sao Paulo and Sept. 22-24 in London. 
Follow news and updates from the conferences on X and LinkedIn using #GartnerSEC.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How CISOs can manage sovereign-cloud security risks https:\/\/www.cybersecuritydive.com\/news\/how-cisos-can-manage-sovereign-cloud-security-risks\/821323\/ Publish Date: 2026-05-28 11:05:00 Source Domain: www.cybersecuritydive.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":221787,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/Nn1eou8QxB5C64vJ9i57sKEbXVWH3zIMIwMZZtqY6WU\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy0xMjczODIzNzIwXzBxQlJxU3MuanBn.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,29],"class_list":["post-221786","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-network-security"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221786"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=221786"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221786\/revisions"}],"predecessor-version":[{"id":221788,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/221786\/revisions\/221788"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/221787"}],"wp:attachment":[{"href":"https:\/\/testin
g.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=221786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=221786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=221786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}