
B
The realm of digital sovereignty is a growing and complex one. At the highest level, digital sovereignty solutions are meant to help companies manage the risk of some kind of dangerous event, which can mean pretty much anything from tariffs and regulations to actual service disruptions. Recently, they've become big news, especially in Europe, where companies are trying to hedge their bets as to what could happen if a government or even Microsoft pulls the plug and halts access to technologies in some way. In today's episode, we're going to talk about what Microsoft does and doesn't offer in this space and how companies should be thinking about trying to mitigate the variety of risks that these solutions address. Welcome to the Directions on Microsoft Briefing podcast. I'm Mary Jo Foley, the editor in chief here at Directions. I am the host for this series of podcasts for those interested in the Microsoft Enterprise IT ecosystem. My guest today is Greg DiMaschelli, who is the Vice President of Research here at Directions. In his job here, he helps CxOs at Fortune 500 companies develop IT strategies with a focus on understanding Microsoft's AI and data and compute infrastructure. Hi, Greg. Thank you so much for doing the episode with me today.
A
Well, thank you, Mary Jo. It's a real pleasure to be here with you again.
B
Nice. All right, so recently you wrote a report for us at Directions about the hot topic of digital sovereignty. Give us an elevator pitch as to what digital sovereignty is and why more and more companies seem to be so interested in this topic.
A
Yeah, it's one of those words that has lots of meanings, but if you step back, sovereignty implies control of your own destiny. And so digital sovereignty is the ability for companies to basically control their own fate when it comes to their digital infrastructure, in particular, to control that from foreign governments and agencies. And if you think about why is everybody interested, if you step back over the last 10 years, these risks have been there ever since we moved from perpetually licensed software running on hardware you owned in an environment that you control. The modern world of everything is by subscription. It runs in a data center on hardware you don't own, operated by somebody who isn't your employee. Software that phones home periodically for billing purposes, the adoption of SaaS. All of a sudden, these risks have been slowly building. What has changed in the past two years are the chances of a bad outcome are higher. I can't put a number on it, but I think we can all look at what's happening in the world with what used to be relatively consistent legal structures fragmenting when we see nations beginning to use trade and the threat of cutting off trade as an instrument of foreign policy, no matter what number you put on it, I think intuitively all know that the risks are higher and also the consequences are higher. Ten or 15 years ago, what we ran in the cloud was, oh, just our dev test or just our website. Modern enterprises today have many, many, many mission critical workloads are running in the cloud. So the temperature on this has been slowly turning up and now there are companies starting to say, we're starting to get at a boiling here.
B
Okay, so you've been pretty thorough in outlining the big picture, but what kind of risk specifically are we talking about here?
A
Yeah, that's a good question. I think of the risks in three broad categories. The first category is a regulatory risk and some foreign government put a new rule on me that I didn't sign up for when I began using this software, this service. The second one is data access. Can a foreign government access my data without my consent or sometimes without me even knowing about it? And the third is service disruption. Could a foreign government force Microsoft or maybe even somebody else, it doesn't have to be Microsoft, to pull the plug on me either through technical means or legal means. I think it's helpful to, when you think about risk, to sort of bucket them into those three categories. Okay. Because essentially what we're talking about with digital sovereignty is insurance.
B
Right?
A
You're going to pay up front to mitigate the impact of one of these potential bad events. And like insurance, everybody has to make their own evaluation. I own a home in Florida. I value hurricane insurance. I happen to live in Seattle. I don't need hurricane insurance. And so as a business, you've got to think about your particular exposure to these risks. And because it's insurance, I think it's helpful to think, evaluate Microsoft solutions kind of in four dimensions. One is how likely is this disruption that we're talking about? How likely do I think is that a government's going to force Microsoft to pull the plug? What's the consequence of that disruption? Let's face it, there are many systems in an enterprise today that if you lost access to it for some period of time, it's an inconvenience. Others are existential. So you have to look at each risk and say, how likely is it based on my particular situation and what's the impact of it? And then you have to look at Microsoft's offering its insurance coverage effectively and say, how effective is this protection? How effective is this Microsoft product at preventing data access or service disruption? Then what does it cost me? I think this is important because the costs aren't just oh, I have to buy some new service or license some new service. We're also talking opportunity cost. What am I giving up when I adopt some particular Microsoft solution? Right.
B
Okay, so that's a good framework. Let's dig into the actual offerings that Microsoft has. I know they've got on premises offerings and cloud offerings. So let's start with On Prem as some companies have considered or even started bringing back some of their cloud systems to their own On Prem data center. So let's talk On Prem first.
A
Yeah, for sure. Back to the future. You know it's effective, there's no doubt about it. If you can bring a workload on Prem, there is no doubt that is the most effective solution. But it also is the one that has the highest costs.
B
Right.
A
I think everybody intuitively gets the effectiveness that if it's back to running on my system, I have control, I have sovereignty. Let's talk about the cost side. Well, the real costs are, not surprisingly, you're back to buying your own servers, managing your own depreciation of those servers. You need to take back the burden of managing the hardware and the OS. Maybe as a company you no longer have those skills in house. It's not uncommon for a company that's gone all into the cloud to no longer have employees on site who are capable of updating a BIOS or doing some of the low level machine management. But the big one that people may not be aware of is the opportunity cost. To put it mildly, Microsoft's On Prem products have stagnated since it has invested all in on the cloud. If you go back to On Prem, you are going to be stuck with versions that lack features that you may be used to. So let's sort of look at Microsoft's On Prem offerings with that sort of lens.
B
Okay.
A
Of course you can run Windows Server. That's tried and true. It's the highest protection from all of the risks we talked about. But it's also the biggest step backwards in terms of functionality. It is back to you manage everything. Microsoft is putting a lot of energy behind Azure Local in between. The promise being that you run Azure Local on Prem, but it brings some of that Azure-like functionality back to you. Now that's a promise that's not really fully delivered on yet, but that's the direction they want to go with it. A couple of things to note here. It's still subscription based and if it's subscription based, you're still vulnerable to a disruption because Microsoft could, not say they would, but Microsoft could if forced off your subscription. With Azure Local, you have to get Microsoft's permission to run it air gapped, run it disconnected. Otherwise, like most Microsoft software, it wants to phone home for licensing purposes. All of that means Azure Local, you give up a bit less in functionality, but it's not quite as foolproof a protection as just running plain old Windows Server. And the new option in town is Sovereign Private Cloud. The idea here is it's Azure Local with the addition of Exchange, SharePoint, Skype and Microsoft Foundry. It promises the ability to bring a more complete solution. Plus, the ability, this is promised, does not exist yet, for workload mobility. That is to have a workload running on Prem and with Sovereign Private Cloud. I mean, excuse me, in the cloud and bring it back to On Prem.
B
Right? Yeah. When I read about them doing the Sovereign Private Cloud, I'm like, okay, this sounds like the most promising one. Right? You get on Prem, Exchange Server, SharePoint Server, Skype for Business Server, Foundry, Azure Local, and I think that got a lot of companies interested, like, oh, that's kind of what we wanted. But I keep feeling like it's going to be too good to be true. Right?
A
Yeah. Remember that point about the on prem products have stagnated. These are not. If you are using Exchange Online, this is not Exchange Online. If you're using SharePoint Online, this is not. These are the SE versions and they've been sort of frozen in carbonite ever since Microsoft went all in on the cloud. I really recommend folks who are interested. We've got a couple reports from Rob Helm and Dave Barry directions to outline some of the differences between the server versions and the online versions. Just the net result is you are not getting the same capabilities as you got in the cloud. In addition to you are now back to managing Exchange and managing SharePoint.
B
Right. Okay, good caveats there to keep in mind. I'm going to take a quick break here so I can talk about why you should make it a priority in 2026 to attend one of our Directions on Microsoft Licensing Boot Camps. Our next in-person Directions on Microsoft Licensing Boot Camp is happening really soon in Washington D.C. from April 28th to 30th. It's not too late. You can still send your IT procurement and ITAM leaders if you want to have them learn about how to deal with the new Microsoft licensing realities. You'll learn things there like how to control your Azure consumption costs so that you can cut your largest Microsoft cloud spend component. We'll help you master the strict licensing rules for high cost products like Copilot and Microsoft 365 add-ons to ensure compliance and maximize organization ROI without you over buying. And we'll also help you at the boot camp craft a tailored framework for your renewal strategy so you can secure concessions that offset lost volume discounts. To secure your spot today, go to directionsonmicrosoft.com training. You'll get to talk to our Directions licensing experts there. And if you can't make it to DC in April, we've still got more upcoming that you might be interested in. We have virtual boot camps and we have one other in person, one in September in Chicago this year too. Okay, let's go back to sovereigning all the things with Greg DiMaschelli. We have already talked about Microsoft's On Prem Digital Sovereignty offerings, so let's talk now about the cloud ones like Sovereign Public Cloud and National Partner clouds. So what are these and how do they stack up compared to the On Prem offerings?
A
Yeah, so if the On Prem offerings are trying to lean into the strengths of On Prem, this is about trying to find a middle ground. Okay, these are specialized little mini regions of Azure and you can think of them that way. The Sovereign Public Cloud is available in the EU, not surprisingly, since the EU has sort of been, I think, leading in a lot of these concerns. And it takes Microsoft has an existing set of data residency controls for multinational companies. So you can say things like all of my Microsoft 365 data has to stay in Europe. The Sovereign Public Cloud builds on that and it adds sort of additional safeguards, things like tamper-evident logs that will show if anybody has accessed your data, the ability to have Azure VMs that run with those protections. Again, the idea here is to still be in the cloud, but to have a version of the cloud that's more restrictive of where it operates. Now, there's a couple caveats here as well. First, Sovereign Public Cloud does not support the full range of apps. It does support the two biggest ones, Microsoft 365 and Power Platform. That's not nothing, but it is not the full range of Microsoft's Azure applications and services. Probably most importantly, to get full protection, you need to do extra work. Specifically, you need to use what's called Customer Managed encryption keys. Most of the time, the way Azure works is data is encrypted, but Microsoft holds the keys so that way it can decrypt your data as it needs to process it. With Customer Managed keys, you own the keys and you give them to Microsoft when it needs them. That is additional work that you need to do to deploy that capability. Without that, you don't really have protection from unwanted data access. Because if a government forced Microsoft to give up the data, Microsoft can just give up the data. With Customer Managed encryption keys, Microsoft can only give up encrypted data because you hold the keys. 
So sovereign private cloud tries to carve out a little region within Europe that has extra protection, but know that you have to do some extra work to get the full benefits of that protection.
B
Okay.
A
The other one is even more specialized. I almost don't. It's national partner clouds and the partner word is important for these. Microsoft is basically letting a completely independent company operate, own and control the region. Typically this is a local partner. So for example, in France there's a national partner cloud called Bleu and it's operated by Orange, which is a telecom carrier, and Capgemini. There's one in Germany operated by an SAP subsidiary. In these cases, Microsoft sort of goes totally hands off and said SAP, German company, German citizens operating a German data center. These, however, are really aimed at government and other public sector use where there's an absolute requirement for top to bottom control. They're not really suitable for a multinational enterprise or enterprises in general to use.
B
Okay, okay, let's switch topics here. I noticed in your report that you say, as far as I understand it, that companies really should be prioritizing business continuity solutions over, quote, pure digital sovereignty ones. Am I understanding that right? And why do you say that if it's true?
A
Yeah, I mean, I think the genie's out of the bottle. Other than completely abandoning cloud and SaaS, there is no complete solution. There are just too many holes. And so given that any of the outcomes we're talking about would be kind of disastrous. I think you need a disaster recovery mindset. And so I think rather than look for I will just buy a digital sovereignty solution because none exists that can address your complete end to end enterprise. You have to think in terms of disaster recovery. You have to start with doing your own risk analysis. Every company is different. Every company's exposure to countries, your regulatory environment is different, your data sensitivity is different. Every company should do their. What do I think my risk is of data infiltration, of regulatory changes, of service disruption, and then prioritize workloads within that. Just as in disaster recovery, you start from those most essential workloads that you need to keep running the business and you work down from there. Same thing here. Start with those workloads that you've identified as highly essential and that have the highest risk. And the third point is any of these events is a disaster. In a disaster recovery scenario, you focus on time to recovery. You don't set a goal that says I have to recover in three seconds because these are disaster scenarios. So you define a time to recovery. How long after a government threatened cuts us off do we need to be able to be back up and running? A day, hour, a week? You will build different solutions and make different trade offs. If it's okay for a given workload to be down for a week, you can prioritize a solution that is less disruptive to implement. If your workload has to be up and running in an hour, you're going to be willing to give up a lot more functionality to get that recovery time. So do your own risk analysis because nobody can tell you your specific risk. 
Prioritize the workloads that are both highly essential and high risk and define a time to recovery. How much time is acceptable for you to be down before that system is back up and running? And then you can start to look at, well, should I run this on Windows Server or should I run it in a sovereign public cloud or a sovereign private cloud? Okay.
B
All right. Any other last points you would like to add that might help customers trying to negotiate the digital sovereignty waters?
A
Yeah, I think it's interesting. Of the three big clouds Microsoft is actually best positioned here. They have on prem products even if they've been neglected for years. They do have on prem products.
B
Yeah.
A
For companies with AWS. AWS launched Outposts, which were custom AWS racks that you deployed in your data center. But near as I can tell, they've really gone nowhere. GCP tried an all software solution in Anthos that flamed out. So Microsoft really is in the best position here and I think it's going to be interesting to see if the interest in digital sovereignty that we're hearing from large customers causes Microsoft to maybe swing the pendulum back a bit and put some more energy back in its on prem. Maybe defrost the carbonite a little bit. Let's see Han Solo come out alive. I think that would be very interesting to watch for that. That will be the biggest sign to me that Microsoft is really taking this seriously.
B
Skype for Business Server is never going away. That's what you're telling us, right?
A
As much as I might wish it.
B
All right, Greg, well thank you so much. A very interesting topic and good approach on your part.
A
Thank you, Mary Jo.
B
I would like to remind our listeners they can find lots more coverage of all things Microsoft related on directionsonmicrosoft.com. Thank you so much for listening. If you have questions, comments or any topics you would like to hear the Directions analysts cover in one of these podcasts, please do not hesitate to contact me via X or BlueSky. Directions on Microsoft is also on LinkedIn, so make sure you follow us there and give us a follow at DirectionsMSFT on X or Directions on Microsoft on BlueSky to keep up with all of the latest Microsoft Enterprise product and licensing information. Thanks again.
The Directions on Microsoft Briefing Podcast – April 9, 2026
Host: Mary Jo Foley
Guest: Greg DiMaschelli, VP of Research, Directions on Microsoft
In this episode, host Mary Jo Foley discusses the escalating topic of digital sovereignty with Greg DiMaschelli, Directions’ VP of Research. The conversation explores what digital sovereignty means in the Microsoft ecosystem, why it now matters more than ever, and how enterprises can realistically approach sovereignty-related risks. Greg discusses Microsoft’s on-premises and cloud offerings for sovereignty, the unique risks in today’s subscription-based IT landscape, and practical frameworks for managing these risks, all while offering valuable advice for business and IT leaders navigating this complex territory.
Greg and Mary Jo underscore that digital sovereignty is nuanced and complex—there are no turnkey solutions, only trade-offs between sovereignty, risk, functionality, and cost. Companies must perform their own risk assessments and balance disaster recovery preparedness with practicality. Microsoft’s position, with its legacy of on-prem and now cloud-based sovereignty offerings, gives it a unique edge, but customers should be cautious not to assume feature parity or perfect protection.
For more analysis and coverage, visit Directions on Microsoft.