Better Protection

Data sovereignty laws

Saudi Arabia's telecoms regulatory authority has launched a new framework to prevent data security breaches in cloud computing.

It is often said that data is the most valuable possession of businesses and public-sector entities in the information age. Safeguarding our precious data was relatively manageable when organizations relied on offline data storage solutions. With the rise of cloud computing, however, our data is now increasingly stored somewhere out of reach and control—completely defenseless in the event of a security failure on the part of the cloud service provider.

For a while, most did not worry much about the idea, optimistically believing that people in charge of data centers and cloud computing platforms “know what they’re doing.” However, a series of recent data compromises such as the Facebook-Cambridge Analytica scandal in 2018 shocked the world, bringing many to the sobering realization that even the best industry players are not immune to mistakes.

It was against this backdrop that Saudi Arabia’s telecom regulator decided to bring some order into the current state of cloud computing by launching the Cloud Computing Regulatory Framework (CCRF), which came into effect on February 6, 2018, and was revised later in 2019. The Communications and Information Technology Commission (CITC), as the Kingdom’s regulatory authority, has taken it upon itself to make sure both cloud service providers and users abide by certain general regulations to always stay on the safe side. The regulatory framework states that cloud computing platforms directly serving Saudi-based customers or in any way handling contents belonging to Saudi-based clients must be registered with CITC. Providers of cloud services should also inform the regulatory authority about the location and main features of their data centers and other cloud infrastructure inside the Kingdom and abroad.

And, in the event that the data will be stored or handled outside the country, this must be disclosed to customers in advance. This is likely a precaution in the interest of public-sector entities that have increasingly come to rely on cloud computing in recent years. The new cloud framework also sets forth some clear directions for when things go wrong.

IT companies have, at times, hushed up or downplayed the importance of major data breaches. Internet giant Yahoo was famously the victim of one of the biggest data thefts in history in 2013-2014, but the event’s full dimensions were not made public until 2017. Saudi Arabia’s new cloud framework obliges service providers to report major violations of the Anti-Cyber Crime Law of 2007 without hesitation, thus giving data owners and authorities a chance to take the appropriate counteractive measures within the so-called golden timeframe. There is no doubt that some information stored on cloud services is by nature more sensitive than other information, especially that belonging to public-sector and financial institutions.

While introducing a four-level classification system, the new framework states that all contents that fall into sensitive categories must be registered with CITC. There are also restrictions regarding the geographical location of servers handling or storing extremely sensitive data.

In addition to the registration requirement and the necessity of reporting mishaps, the framework includes a provision that is concerned with the hosting of unlawful contents. According to the cloud framework, such contents should be taken down under certain conditions, especially if they are publicly accessible by users in the Kingdom.

Though some stakeholders may run into problems with one aspect of the framework or another, all things considered, the new cloud framework sets the stage for the Kingdom’s cloud-first policy that encourages government entities to—if possible—opt for cloud technologies.