Enacting data, cloud policy will be gigantic task for govt
While SA’s Draft National Policy on Data and Cloud is expected to play an important role in helping companies address data sovereignty issues, implementing the new law will be an enormous task for government.
This was the word from Sumeeth Singh, head of VMware’s cloud provider business in Sub-Saharan Africa, giving a keynote presentation, titled: “Sovereign cloud: Unlocking the data economy”, at yesterday’s ITWeb Cloud & Data Centre Summit 2022.
Discussing how the sovereign cloud ensures appropriate data residency and sovereignty across geographic regions and clouds, Singh explained the rise of hyperscale cloud providers has seen the need for cloud sovereignty gain traction in SA and worldwide.
This, coupled with the multitude of compliance and governance laws governing the protection and sovereignty of data, has seen the resurgence of data sovereignty as a topic of much contention and interest, he noted.
Data sovereignty can be described as the concept that data which has been converted and stored in binary digital form is subject to the laws of the country in which it is located.
According to Singh, data sovereignty has, until recent years, not been top of mind for many local organisations, and this has seen the South African government move to introduce the Draft National Policy on Data and Cloud, in order to enact controls and ensure organisations tighten their data security.
In April 2021, the minister of communications and digital technologies published the draft policy, which proposes to develop a state digital infrastructure company and high-performance computing and data processing centre.
It also aims to consolidate excess capacity of publicly-funded data centres and deliver processing, data facilities and cloud computing capacity.
According to Singh, in order to adequately ensure data sovereignty through the new regulation, government would have to ensure organisations establish a data classification framework.
This would determine the way data is moved between different clouds and how it is protected between them. It would also determine what data can be shared outside the country, and what access to that data would mean for other states.
“The Draft National Policy on Data and Cloud has clearly outlined the objectives the policy and IT in general must adhere to. Promoting data sovereignty and security with respect to South African data is key on the agenda, and clearly shows our continent, and SA in particular, is following close on the heels of our European counterparts,” he said.
The implementation of this policy, added Singh, will be the hard work that has been anticipated by the industry, because this is not only about putting information into the cloud, and cloud placement. Rather, the focus should be on what organisations are doing to protect citizen and customer data, and how SA is harvesting its own home-grown data.
“Government has an enormous task to start taking a much closer and tighter grip on data sovereignty as a country and look at where our data resides. This information will then be used to inform its decisions around re-thinking the approach of handling citizen and customer data, where that data should reside and cloud placement policies.”
Government has in the past been criticised by law and ICT experts, who raised concerns about what they called several “flaws” in the policy.
Among these is the policy’s “ambiguous approach” to state data governance, particularly as it pertains to data ownership and cross-border data flows.
According to Singh, the emergence of privacy and policy laws has created a new level of complexity for organisations, which now need to comply with multiple regulations.
“The more highly regulated an industry is, the more challenging this becomes. Organisations must now be cognisant of, and navigate through, these various laws, in addition to their already complex multi-cloud strategies. So beyond the typical considerations of cost, network bandwidth and app interoperability, organisations must now also concern themselves with the data protection and privacy laws.”
The COVID-19 pandemic resulted in increased cyber attacks over the last two years, due to the huge rise in people working from home and shopping online, with more digitally-connected citizens than ever.
As requirements for data sovereignty increase, this is leading to a shift in workload placement, resulting in a definite need for a sovereign cloud – defined as a secure, trusted cloud with a sovereign, software-defined architecture, he continued.
“Sovereign clouds are growing in importance as a way to help nations and local organisations protect citizens’ privacy. It is no surprise the Public Service Cloud Computing Determination and Directive Awareness published by government also has a keen focus on data sovereignty and the value in keeping citizens’ data sovereign.”