Electricity and Control December 2023

INDUSTRY 4.0 + IIOT

Safeguarding data sovereignty in a connected world The importance of data sovereignty and security creates complexity in a world where sharing information across borders generates huge social and economic benefits. Andrew Cruise, Managing Director of Routed, a local VMware Cloud Verified provider and VMware Principal Partner, highlights this point and the various factors to be considered.

I t is clear that in the digital age, data sovereignty is becoming more important, as data is increasingly generated and collected through various channels, including e-commerce, social media platforms and mobile devices. Essentially, the term ‘data sovereignty’ describes the principle that a country has the authority and right to govern and control the data generated within its borders. Thus, the concept of data sovereignty gives governments the power to regulate the collection, storage, processing, and distribution of any data that originates within their country’s borders. Obviously, this will have an impact on cross-border data flows and international data-sharing agreements. Different countries adopt different data sovereignty policies, but broadly they are about demanding that data generated within the country be kept within the borders for security or regulatory purposes. Complicating the situation is the recognition that data access and the sharing of such information across borders generates social and economic benefits – estimated to account for between 2.5% and 4% of GDP. In addition, data transfers across borders enable other critical activities, such as the sharing of essential information related to crime prevention, scientific research and innovation, anti-fraud and money-laundering activities, disaster management and climate change. The issue of data sovereignty warrants close attention, not only to safeguard private data, but also to avoid legal liabilities relating to the failure to protect personal information. A major reason for the complexity around data sovereignty is that the laws governing it vary considerably from one country to another, as do cloud service providers’ agreements concerning privacy policies and user rights. Therefore, organisations operating across multiple countries or regions need to understand each country’s regulations in order to comply with all applicable laws. Although there is a common understanding of the term, there are, in effect, differing definitions of exactly what constitutes data sovereignty, and it is important that, as cloud service providers, we should obtain some form of industry-wide collaboration in defining and upholding the principles of data sovereignty. Recognising these complexities, VMware suggests that the answer lies in sovereign cloud deployment, as this

is an option that is inherently more secure and offers better data integrity and data assurance.

In this respect, VMware is seeking to promote Sovereign Cloud Partnerships and the criteria used to select providers, but at the same time, it seeks to limit the number of providers in each region – thus ensuring the specific rarity of the ‘cloud sovereignty’ badge. Among the requirements VMWare prescribes is that such service providers should have locally sited data centres and, in terms of data security, they should be ISO and payment card industry data security standard (PCI DSS) compliant. These are both areas in which Routed meets the requirements. “At Routed,” Cruise says, “we already segregate management networks from production networks, storage traffic from a host strategy, and we separate host traffic from public-facing web traffic. In addition, we have multi-factor authentication (MFA) in place and have been leveraging the principle of least access from the start of our operations. We believe that, if you do things properly from day one, you don’t leave any doors open. Hence, Routed has been conscious of implementing security best practices on its infrastructure from the outset. “Additionally, we understand that while we may have secured the back end as best as we can, poor security measures further down the value chain, like leaving ports open on firewalls, are difficult to mitigate. However, when it comes to issues of data resilience and data integrity, we have always had backup and replication products available to assist in a disaster recovery scenario.” Although there is no universal definition of what constitutes data sovereignty, it will always entail data locality within sovereign borders, data security and data integrity. Cruise emphasises that Routed is a South African company and has grown as a local business. “Although we do business outside of South Africa, our data centres are located within the country’s borders. We are not using this as a springboard to scale elsewhere in the world, and this enables us to be the best local provider of services – with data security, integrity and performance as crucial elements of that,” he says. □

Andrew Cruise, Managing Director, Routed.

For more information visit: www.routed.co.za

DECEMBER 2023 Electricity + Control

7