Gone are the days when only specific people working in ICT departments and cybersecurity practitioners were expected to be aware of regulatory changes that affected the organisations they worked for and their respective professions. Increasingly, individuals and organisations are using the cloud for storing their online information and content, signalling a major shift to using online technologies and for which government regulation has become necessary.
This technological approach to using cloud services enables businesses and individuals to scale, collaborate, and innovate at unprecedented levels, reshaping industries and revolutionising the way we work and live. Various industry estimates show that upwards of 60 percent of business data is now stored in the cloud, while 48 percent of businesses store their most important data in the cloud.
Available data also reflects that the number of people using personal clouds such as Dropbox, Google Drive, and iCloud has more than doubled globally from 1.1 billion in 2014 to an estimated 2.3 billion people today. On average, workers use 36 cloud-based services every day. The average enterprise uses 1,295 cloud services.
Ninety-two percent of organisations use a multi-cloud approach, combining different public and private cloud service providers. Kenya is no different, with Amazon Web Services research showing that nearly one-third of local businesses have their data with cloud providers.
The recently published Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024 is designed to operationalise the Computer Misuse and Cybercrimes Act of 2018, came at a time when there has been heightened use of cloud services at both personal and organisational levels.
Drafted by the National Computer and Cybercrimes Coordination Committee (NC4), these regulations apply to all cybersecurity matters in both the public and private sectors, particularly members of the public, owners of critical information infrastructure, cybersecurity internet service providers and any other relevant sector or entity. Here are some key takeouts Kenyans should be acquainted with.
At the outset, the regulations recognise that different organisations face differing challenges. Thus, there will be a Sector Cybersecurity Operations Centre, considered as the regulator of the specific sector in which a critical information infrastructure is domiciled or the relevant ministry where the critical infrastructure is domiciled. This means, for instance, that the Ministry of Health will have a separate operations centre from those of the Housing and Treasury ministries.
In addition, the regulations recognise that even within government there are also specific facilities that are considered critical infrastructure. As such each will be manned by its own Critical Information Infrastructure Cybersecurity Operations Centre.
Critical infrastructure includes systems and assets that are essential for the functioning, storing, transmitting or processing of vital services in sectors such as finance, energy, and healthcare such as the airports, water treatment plants and electricity grids. The regulations also define critical infrastructure according to the type of information being processed and the entities it is shared with.
Outside government-designated installations, private facilities can also be declared as critical infrastructure, provided the owner can outline in detail the effects or risk of destruction, disruption, failure or degradation of the system on life, economy, public health and safety, Money Markets of the Republic and public security.
An owner of a critical information infrastructure is required to annually conduct a cyber-risk assessment and business impact analysis for all relevant activities including products, services, business functions and processes.
The cyber-risk assessment contemplated shall define a treatment plan and implement business continuity management controls including respective plans for Information Technology Disaster Recovery, Crisis Management, Business Continuity, Cyber-Incidents Response and Emergency Response.
Furthermore, while baseline and periodic (either monthly or annually) security measures including data protection concerns need to be met, appropriate safeguards and measures to ensure the security of the premises and surrounding areas in which the infrastructure is located are necessary. It is also crucial to establish a distinct Disaster Recovery and backup site that is in a different location
The rise of local data centres can be attributed to the trend where owners ensure that the infrastructure with critical information is domiciled in Kenya. As cloud computing evolves into a business necessity, it has become a key innovation facilitator for organizations and individuals to embrace.
Harnessing the local and international ecosystem of cloud providers provides gig workers, small entrepreneurs and large organizations with a platform technology that underpins it to deliver enhanced connectivity, scale, and analysis capabilities. With more people embracing capabilities enabled by digital presence and connectivity, efficient cloud security is mandatory.
We all therefore need to keep abreast of the rules and regulations governing critical infrastructure which in this case refers mainly to data centres.
The writer is a Cybersecurity Researcher and Threat Analyst at Serianu Ltd.
