Sovereign Cloud, Simplified!

Digital sovereignty is the practice of storing and securing data, and governing its residency, in line with regulations; typically this means confining the geographic location where citizens' data is stored and processed to within the governing laws of the respective country. Data privacy and the enforcement of laws have naturally paved the way for the Sovereign Cloud, a framework of controls governing how a cloud is built and operated so that data is processed and stored within a specific geography (sovereign soil) and foreign access is prevented under all circumstances, which aligns with the fundamental principle of digital sovereignty in the real sense.

"The vision of a borderless internet that functions as an open distributed network is slowly ceding ground to a space that is greatly political, and at risk of fragmentation due to cultural, economic, and geo-political differences. A variety of measures for asserting sovereign control over data within national territories is a manifestation of this trend." - The Centre for Internet and Society, India

India has four sectoral policies that deal with localization requirements based on the type of data, for sectors including banking, telecom, and health. These include the RBI Notification on ‘Storage of Payment System Data’, the FDI Policy 2017, the Unified Access License, the Companies Act, 2013 and its Rules, the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017, and the National M2M Roadmap. The policies largely discuss key objectives such as enabling innovation, improving cyber security and data privacy, enhancing national security, and protecting against foreign surveillance, and collectively work towards data sovereignty and localization. The complexity of technology, globally interconnected data flows, and the potential economic and political implications of data localization requirements make approaches to data sovereignty and localization key priorities more than ever.

The Need..

Cloud computing workloads largely fall into two categories: legacy applications that are migrated to the cloud, and cloud-native applications that are born in the cloud. Both generate a lot of metadata apart from the transactional data. Metadata collection is often automatic and greater than we realize. It is thus necessary to differentiate and identify which data elements can be classified into critical, confidential, restricted or public tiers in line with the governing laws and national / regional security standards, which may vary by country or region.

The Sovereign Cloud principle goes further in helping to define the data, which may include metadata such as IP addresses, credentials, geolocation data, system / application / access logs, alerts / notifications and so on, all the way up to root cause analysis and diagnostic reports. It further ensures that robust technical and procedural controls are established to mitigate all risks, including data sovereignty and foreign / external access risks. The technical controls govern the design, architecture and deployment of tools and technologies, while the procedural controls cover classification, data protection impact assessment (DPIA), governance structure and the like, to collectively identify the risks arising from the processing and storage of data and to minimise and mitigate them as far and as early as possible.

A few international examples of data and consumer protection rules are the US CLOUD Act (2028), China’s Cyber Security Act (2017) and the famous UK and EU GDPR (2018), to name a few. Industry-specific requirements we already know, such as HIPAA, PCI DSS, BaFin, FISMA, GAIA-X and EBA, are also dictating these sovereignty principles.

Value additions & Challenges..

Cloud computing has emerged as an indispensable business utility, similar to electricity, gas and water. While meeting both residency and sovereignty requirements, the sovereign cloud offers key benefits / value adds such as:

  • Data protection and compliance with privacy laws governing data storage and handling. For example, a bank can use a financial services cloud while knowing that relevant rules and regulations are observed.
  • Business growth and agility with confidence within and across countries and clouds. As data moves across borders, sovereign clouds ensure that data movement is consistent with applicable rules and regulations.
  • Faster time to market with a ready-to-deploy cloud presence, without having to worry about its operations.
  • Efficiency and scalability are built in by design for all cloud-based workloads, for secure and scalable operations and continuous compliance.

Getting Ready? A Quick Dipstick…

The first logical step is to assess the current context and status. There are multiple agents, actors and actions around fundamental data sovereignty, and each aspect must be considered for effective implementation. The conceptual grid below provides a better-informed outlook for the assessment and aids the action plan.

[Image: conceptual assessment grid]

ABCDE’s towards Sovereign Cloud and Day2 Operations

Once the assessment is complete, the charter has been drafted, discussed and approved, and you are ready to execute the action plans for sovereign cloud adoption, key stakeholders such as CDOs/CISOs must keep their heads above water and bring agility to operating the Sovereign Cloud. The key process tenets listed below are vital to successful Day2 operations:

  1. Access. Monitor, automate and manage access for administrators; provide an efficient response to customer, partner and compliance requests.
  2. Build adherence to the data lifecycle. Ensure adherence to data creation, sharing, retention and destruction policies, and domain / geo-fence the data assets.
  3. Compliance. Help reduce risk by updating policies on top of strict regulations and statutes, with continuous improvement in vigilance and conformance through internal and external audits and risk management.
  4. Discover. Define and manage data origins, storage, processing and distribution in the cloud; maintain confidentiality, integrity and availability all the way from the point of creation to consumption.
  5. Ease of use. Identify sensitive workloads and the most viable use cases while implementing end-to-end encryption and hybrid deployment options, even multi-cloud architecture, understanding both the potential and the challenges it brings with respect to agility for global access under local data residency rulesets.

There are also a few questions to ask to gauge the current status and manage the change in people, process and technology deployment:

  1. Are your teams aware and aligned when it comes to data sovereignty?
  2. What statutes, case law and jurisdictions are directly applicable to your organization?
  3. Can you verify how data moves throughout your application and database deployments?
  4. Where are your backup and disaster recovery systems located?
  5. What can you change about your deployment to ensure better compliance with data sovereignty laws?
  6. If you’re not in the cloud, is it time to migrate?
  7. How will you orchestrate operations between two or more cloud deployments?
  8. What kinds of systems do you have in place to show how data moves throughout a hybrid or multi-cloud deployment?
  9. If you need to move data out of a region, what are the implications with regard to data sovereignty?
  10. How will complying with data sovereignty impact your overall cost of operation?
  11. Who is responsible for meeting data sovereignty requirements in your organization?
  12. Can you use technology to help monitor your data and generate reports on the data about the data (read: metadata) that you own?

In some ways, organizations that are about to make a digital transformation have an advantage here, as they can design their cloud native workloads to better align with data sovereignty goals by design. For legacy deployments in the cloud or straddling the cloud and data centers with hybrid deployments, it may require more effort to make sure all these components can comply with regulations.

In summary, data sovereignty can apply to a range of agents, actors and actions across the spectrum of stakeholders, ranging from individual consumers to entire societies and countries, sometimes yielding conflicting claims to data sovereignty across considerations. It primarily arises in debates around the design of technology architecture and the applicable laws for data processing, storage and distribution, and tends to address a nuanced mixture of values concerning control and power over data assets, related to inclusive deliberation and the fundamental rights of data subjects.

An IDC global report found that 50% of surveyed organisations in regulated industries, including public sector, financial services and health care, are facing a national mandate to leverage clouds that provide complete data sovereignty. For governments, sovereign cloud is all about protecting critical national data, and they are increasingly recognising its importance in enabling economic growth and innovation. Striking the right balance between data security and the cross-border flow of data for digital trade, without compromising either tenet or the modus operandi by which multi-national organisations optimize costs, security and efficiency, is a tightrope walk for Sovereign Cloud, me says!

***

August 2022. Compilation from various publicly available internet sources; the author's views are personal.

#dataprotection #gdpr #sovereigncloud #dataprivacy #personaldata #infosec #cloudcomputing #privatecloud #datasovereignty #hippa #pcidss #fisma #bafin #gaiax
