The term "sovereign cloud" has become ubiquitous in Australian government technology conversations, but its meaning varies significantly depending on who you ask. For some, it simply means data stored on Australian soil. For others, it encompasses operational sovereignty, jurisdictional control, and supply chain assurance. Getting the definition right matters — it determines your architecture, your vendor choices, and your compliance posture.
What sovereign cloud actually means
Sovereign cloud encompasses three distinct dimensions that agencies need to consider independently:
- Data residency — your data is stored and processed within Australian borders. This is the most basic requirement and the one most hyperscalers can meet.
- Operational sovereignty — the people who manage and operate the infrastructure are Australian citizens, subject to Australian law, and hold appropriate security clearances.
- Jurisdictional sovereignty — the legal entity that controls the infrastructure is Australian and is not subject to foreign laws (such as the US CLOUD Act) that could compel disclosure.
The Australian regulatory landscape
Several frameworks govern how Australian government agencies approach cloud adoption:
- IRAP (Information Security Registered Assessors Program) — ASD's framework for assessing cloud services against the ISM. Services are assessed at OFFICIAL, PROTECTED, or SECRET levels.
- PSPF (Protective Security Policy Framework) — the overarching security framework for Australian Government entities, covering governance, information, personnel, and physical security.
- Hosting Certification Framework (HCF) — certifies data centres and cloud services for hosting government data, with levels from unclassified through to SECRET.
- Essential Eight — the ACSC's baseline mitigation strategies, increasingly expected as a minimum security posture for government cloud environments.
Comparing your options
Azure Protected (Microsoft)
Microsoft's IRAP-assessed offering provides PROTECTED-level services from Australian data centres in Canberra and Sydney. It offers the broadest range of PROTECTED-assessed services among the hyperscalers, strong integration with Microsoft 365 Government, and a mature identity platform in Azure AD. The trade-off: Microsoft is a US company, subject to the CLOUD Act.
AWS GovCloud
AWS offers IRAP-assessed services from its Sydney region, with a more limited set of PROTECTED-assessed services than Azure. AWS excels in breadth of compute and AI/ML services. Like Microsoft, AWS is subject to US jurisdiction.
Local sovereign providers
Australian-owned providers like AUCloud, Vault Cloud, and Macquarie Government offer full jurisdictional sovereignty. They're typically smaller in scale and service breadth, but for agencies handling classified or sensitive data, they provide the strongest sovereignty guarantees.
Practical steps for agencies
- Classify your data before choosing a cloud — different classification levels may warrant different hosting strategies
- Don't assume one cloud fits all — a multi-cloud or hybrid approach is often the pragmatic answer
- Engage an IRAP assessor early, not after you've built the environment
- Consider your identity architecture — it's the foundation of zero-trust in cloud environments
- Build FinOps governance from day one — government cloud costs can spiral without discipline
- Plan for staff upskilling — cloud adoption fails when teams don't have the skills to operate and govern the new environment