By the end of September last year, the number of data breaches had already exceeded the total number of similar events in 2020 by 17%. As more businesses migrate to the cloud, there is growing concern that not enough is being done to mitigate the threat of these and other data privacy risks.
By Sumeeth Singh, cloud provider business head: sub-Saharan Africa at VMware
The global response has been the introduction of national and regional data protection laws and regulations to govern data retention and movement.
From the Patriot Act in the US and the Digital Privacy Act in Canada to GDPR in Europe and the draft Cloud and Data Policy in SA, governments are looking at more effective safeguarding measures. The golden thread running through all these regulations is that of cloud sovereignty.
Keeping it local
Cloud sovereignty refers to the jurisdictional control or legal authority that can be asserted over data because it is subject to the laws of a country. Sovereign clouds deliver continuous protection and secure accessibility controls. These are designed to protect and control confidential or restricted data with data residency and data sovereignty. They also ensure compliance with changing data privacy laws using a trusted cloud that supports a country’s digital economy.
Building from here is another equally important concept – that of data residency. The latter refers to the physical and geographic location where data is stored and processed. This may be dictated by policy, regulatory, tax, or even performance reasons. Data sovereignty and residency are often conflated. Ensuring data sits within a geographical location for whatever reason (for example, for tax reasons) is a matter of data residency. The idea that data is subject to the exclusive legal protections of a nation, by contrast, is a matter of data sovereignty.
Therefore, a sovereign cloud safeguards data with audited security controls at its core. But more than only keeping data ‘in country,’ it is also necessary to securely share data outside a jurisdiction when warranted. An example of this could be for cross-border policing activities and collaboration. So, contrary to what many decision-makers have thought, sovereignty also encompasses the secure sharing and monetisation of data across borders.
However, many argue that the emergence of these privacy and policy acts has seen a new level of complexity introduced for organisations. The more highly regulated an industry, the more challenging the environment becomes.
While not linked to cloud sovereignty, the new Films and Publications Amendment Act (FPAA) in SA is an example of regulations resulting in undue pressure on the industry. The Act requires all online content producers to submit their content to the Film & Publications Board for classification. Ostensibly designed to ‘protect the country’s citizens from content that is likely to cause them harm’, many see this as a move to introduce censorship to online content. Regardless of the merits of the FPAA, it has created significant additional complexity for online content publishers.
Cynics fear that the draft Cloud and Data Policy in SA could go the same route and make it difficult to operate effectively in a cloud-driven market. However, there can be no arguing that cybercrime has grown exponentially since the pandemic’s start more than two years ago. Not only has the attack surface increased due to the huge rise in people working from home, but with more people making use of online shopping and banking than ever, the data footprint has become more susceptible to compromise.
Is it, therefore, unreasonable to expect regulations that are designed to manage this risk better and protect personal data through cloud sovereignty?
Proper deployments of a sovereign cloud environment observe localisation rules around data residency and offer assurances about data protection that prevents unauthorised access. Data remains under the sovereign jurisdictional control and authority of the nation where the data was collected. Furthermore, a sovereign cloud environment ensures that all data is resident within the relevant jurisdiction and that other jurisdictions cannot assert authority over data stored beyond their national borders.
In healthcare, sovereign clouds can provide continuous regulatory compliance, including HIPAA, over segregated private networks that limit access to authorised parties. Patient data is therefore kept safe from compromise. And when it comes to financial services, the sovereign cloud enhances data protection, ensures customer privacy, and improves application availability, responsiveness, and access.
As data privacy and security threats become more prominent and severe, it is essential to have a data mobility strategy in place. Many countries require companies to store and even replicate data within their national borders and restrict cross-border movement. Sovereign cloud providers comply with local and international regulations to ensure data is kept safe and secure.
Companies must therefore engage with a trusted sovereign cloud provider with expertise in privacy, data security, and data mobility to help them establish a robust data protection plan.