IDC has predicted that the idea of digital sovereignty will gain greater traction in the coming years. In Europe, 2022 has already seen new product developments and heightened interest from all the major global cloud vendors as well as key local players.
In META, Asia-Pacific, and North America, while the focus is largely on data sovereignty, as cloud usage continues to grow and markets mature, broader discussions about sovereignty and in particular cloud sovereignty will begin to evolve.
Importance of data sovereignty in Asia
Acknowledging the priority businesses are placing on data sovereignty, Deepika Giri, associate vice president for data & analytics at IDC Asia/Pacific, explains that organisations are looking to innovate, quicken the go-to-market process with new solutions, offer better customer experience, and embrace digital transformation.
She adds that for these companies, operating in the cloud way forward. Hence, in Asia, there is an upward trend of more public and private sectors shifting IT workloads to the cloud. Accompanying this trend are concerns over data privacy and security continue to increase.
According to FERS survey wave 12, almost 80% of Asia-Pacific excluding Japan (APEJ) respondents agreed with the statement: "Unified Security first: we are prioritising the use of unified security technologies that allow us to more effectively address new threats (ransomware) and address privacy/digital sovereignty requirements", and in the AP Cloud Survey 2022, 1 in 10 APEJ respondents ranked fulfilling digital sovereignty requirements as a main advantage of using local (in-country) cloud providers, over global or regional providers.
According to IDC Asia/Pacific analysts, these findings support the observation that data sovereignty is among the top priority for many organisations in Asia.
Data sovereignty as practised in Asia
Giri comments that digital transformation implies greater reliance on data. “Countries across Asia intensifying efforts to develop data governance strategies and legislation, and enforce new laws focused on data privacy, protection, and security,” she adds.
China implemented the 2021 Personal Information Protection Law, India is overhauling regulations to improve the security of transferring and storing sensitive personal data overseas, and Thailand is enforcing the Personal Data Protection Act that protects persons from the unauthorised or unlawful collection, use, or disclosure of personal data.
According to IDC, the public sector deals with business-critical intellectual property high-security data sets and data sets that have local criticality. Hence, telco/cloud provider sovereign cloud platform will be attractive and could evolve to become the basis of de facto national industry clouds.
The banking sector is also greatly impacted by digital sovereignty issues, as transactions (and the data generated) comprise the majority of the workloads.
Top challenges for executing data privacy and data protection
Giri warns that violations of data governance regulations due to outdated/misalignment of company governance policies to government regulations, and legacy infrastructure that is not conducive for storing and transforming large volumes of data of different types and from disparate sources are among the top challenges organisations will face.
“It is a priority for organisations to work closely with regulators, bringing greater alignment of company and government regulations to ensure compliance. IT departments will need to overhaul the digital infrastructure and consider introducing local clouds for greater compliance.”
Deepika Giri
She posits that this may lower the risk of receiving hefty fines for violations as well as increase confidence and trust in data due to updated infrastructure that supports data sovereignty, protection, and security.
Impact of multi-cloud adoption
The accelerating adoption of hybrid and multi-cloud technologies in Asia has the potential to complicate compliance for organisations in the region. The question becomes how are compliance/risk officers working with CIOs/CTOs to ensure that innovations are pursued while remaining compliant with evolving regulations?
Giri acknowledges that a transition to a hybrid or multi-cloud environment adds to the already complex compliance requirements of organisations. Among the many technical challenges that organisations will face, she cites data movement/migration and integration, data silos (rendering data sharing and innovation difficult), working with traditional and proprietary security technologies, security/compliance KPIs and associated processes, lack of data lineage and governance mechanisms, lack of enterprise-wide visibility, and a greater risk of cybersecurity attacks.
“Compliance and risk officers must collaborate with the CIOs/CTOs/CISOs to ensure proactive careful considerations for security, risk management, and compliance related aspects during the design and implementation phases,” recommends Giri.
She observes a thrust to build and audit processes and invest in modern security technologies suited to the highly evolving security, compliance, and data sovereignty requirements (data at rest, in motion, and across multiple IT environments).
Advice for CCOs/CROs/CIOs
According to IDC, the compliance must actively design and build KPIs and processes to strengthen risk management, and overall compliance & cybersecurity. End-to-end visibility of the IT environment/infrastructure is the key- necessary investments must be made in observability solutions.
In addition, security policies (usage, identity & access, network, data protection, etc.) must be standardised across the organisation.
“Organisations must leverage best-of-the-solutions for data migration, governance, and cybersecurity (technologies such as unified security, IAM, threat lifecycle management, data encryption, BCDR). The compliance function must work in tandem with the IT function and must plan for adaptability to the ever-changing regulatory landscape,” concludes Giri.
