Data Sovereignty Critical In The Face Of Digital Change
With the world changing at a rapid pace due to the coronavirus pandemic, from digital classrooms to video conferencing for work, government agencies’ digital platforms have been deployed at a rapid pace.
But ensuring their security and monitoring is not always an easy feat, with governments having to pay particular attention to information confidentiality and a swift transition of their data to a hybrid or fully cloud-based infrastructure.
And the Gulf is no exception, as organisations in the UAE begin to consider deploying or expanding their use of applications in cloud infrastructure due to Covid-19. But experts say they will need to be mindful of data sovereignty, and the potential legal implications it poses. “This risk is considerably amplified when organisations consider storing sensitive data in public cloud outside of UAE jurisdiction, or with global cloud providers who typically store both their applications and data across many different data centres in several jurisdictions,” said Marc Brown, Director of Marketing at Digital14. “In many cases, outside the UAE.”
He said data sovereignty, the concept that data is subject to a country's laws when it is stored within certain borders, is becoming more of a challenge for businesses as they move to the cloud. And the issues are not considered trivial, rather both complex and evolving. “Sensitive information, applications, and data that are critical to UAE commercial and government organisations stored in a public cloud could be subject to non-UAE laws,” Brown explained. “Even with dedicated storage in the UAE, global vendors who are based in other countries, such as the United States, could be a threat to your organisation's data privacy and sovereignty.”
Muhammad Khurram Khan, Founder and CEO of the Global Foundation for Cyber Studies and Research Washington D.C, agreed, stating that data is the oil of the digital world and data economies demand innovative approaches to protect it through efficient and cost-effective security solutions and services. “Recently, more and more companies are moving their data to the cloud computing platforms with numerous benefits but concerns over data sovereignty and cloud security are growing exponentially,” he said. “Data sovereignty becomes a paramount concern when an organisation’s cloud servers are located offshore, and governments insist that the data is subject to the laws of the country in which it is located.”
Some countries have recently introduced strict data sovereignty laws, mandating their citizens’ data to be stored within the country’s geographical borders. “Hence, it is becoming imperative for governments and critical business organisations around the world to mitigate the risks of data security, privacy and sovereignty and increase the confidence of consumers on their offered electronic services,” he added. “Addressing the risks posed by data sovereignty is the latest challenge in the digital transformation of regional countries and elsewhere, and presents technical and legal issues when moving on-premises systems and data to the offshore cloud servers.” Some regions, such as the European Union with its General Data Protection Regulation (GDPR), have stringent data sovereignty policies, which present a major challenge for organisations as almost all companies are moving to cloud computing platforms. “On the other hand, cloud security is also very important to make sure an organisation should not become susceptible to security breaches, such as targeted attacks, human-enabled errors, software vulnerabilities, and inadequate security practices,” said Khan, who is also a Professor of Cybersecurity at the King Saud University in Saudi Arabia. “However, the good thing is that large tech companies are opening regional data centres in GCC countries to support business growth and facilitate the need for data sovereignty.”
For Hadi Hosn, CEO of Axon Technologies, the UAE has been transforming from an oil economy to a technology-centric data economy, and with that, two major trends in ICT have come together in recent years. “First, the public sector reliance on e-government solutions, and second, cloud computing fundamentally changing the way we operate by providing on-demand access to computing resources,” he explained. “These trends, coupled with insecure consumer habits and lack of adequate cybersecurity measures in key government sectors, make the UAE an alluring target for cyberattacks, with stolen data proving to be extremely hazardous in our geopolitical climate.”
Against this backdrop, he spoke of governments having raised concerns about data sovereignty and cyber security when sensitive information is moved to the cloud, mentioning the GDPR, which made it necessary for governments to get to grips with their data, know where it is and secure its confidentiality, integrity and availability. “It is precisely for this reason that the sovereignty and security of data should be a fundamental consideration for any cloud project,” Hosn noted. “Ensuring security and sovereignty appeals to the public and allows economies to grow. It is critical to look at cloud services that are built to comply with local government security and privacy requirements without the need for additional controls.”
According to Brown, there are options for UAE organisations that will eliminate the challenges posed by data sovereignty. “Organisations with their own private on-premises environments overcome these challenges,” he noted. “On-premise solutions lose some of the conveniences public cloud solutions offer, like ease of setup. They also incur the added expense, both OPEX and CAPEX, of managing their on-premise platforms.”
He spoke of hybrid cloud as allowing companies to choose what data they want to deploy to the off-premises cloud and what data they need to keep on-premises. However, there is an intrinsic risk with this approach as sensitive data could be classified incorrectly and stored in a public cloud. “A UAE sovereign cloud approach eliminates all of these risks and challenges, enabling organisations to leverage the benefits of the cloud,” Brown added. “With a Digital14 solution, organisations get the best of both worlds. Customers can have the speed and agility of the cloud, with the security of a UAE sovereign solution.”
Cloud cybersecurity is viewed as a shared responsibility between the cloud service providers, business organisations and users, according to Khan. Before choosing a cloud computing service, he suggested organisations should carry out a comprehensive risk assessment of cybersecurity threats and potential impact on their businesses. “Organisations could adopt a hybrid cloud approach to solve many of the challenges posed by data sovereignty, which allows them to choose what data they want to deploy to the off-premises or offshore cloud and what data they need to keep on premises or onshore,” he said. “Governments and business organisations in the GCC need to develop robust and comprehensive data security strategies and vigorous controls and procedures to protect and secure data from theft or misuse.”
Local companies and business establishments were recommended to ensure that their cloud service provider is trustworthy and will not replicate data onto servers in other countries without their knowledge. “They also need to ensure that the data stored overseas is done according to the local laws,” he concluded. “Furthermore, backing up data before moving to offshore is also important as the loss of data would be a disaster for the organisation”.