Cloud computing can be an excellent catalyst for innovation and digital transformation. It allows digital services to be scaled up so companies can strategically improve speed, efficiency, and productivity. Despite some security, regulatory or data-compliance constraints, cloud adoption can unlock broad digital business opportunities. For example, in Vietnam, Techcombank selected Amazon Web Services (AWS) for a multi-year collaboration to migrate its applications from on-premises infrastructure to AWS’s cloud platform. This supported the bank’s “change banking, change lives” vision.
Vietnam’s total cloud computing market revenue reached USD 133 million in 2019. However, in 2022, foreign cloud service providers (CSPs) held 80% of the market share and local enterprises 20%, with 27 data centers in the market, according to the National Institute of Information and Communications Strategy. In response, the Ministry of Information and Communications (MIC) aims to expand the market share covered by domestic CSPs to 70% in 2030 as part of national goals for digitalization.
Cloud services have vast untapped potential to enhance competitive differences and upscale computing power. Companies in all industries can gain value from cloud migration to expand their digital footprint and reevaluate their service models. High-tech, energy, retail, pharmaceutical, healthcare, insurance, and banking sectors can reposition their digital strategy by focusing investments into business domains, setting up technologies and sourcing models that align with business strategies and risk constraints, and developing cloud-oriented operational resilience.
With a rapidly growing need to build up capital-light cloud infrastructures, the new cloud economic climate presses the Vietnamese Government to rethink areas of concern for safeguarding cloud market competition, safe and sound operations, data security, and consumer rights protection. Among many issues, data privacy and cybersecurity, cross-border data flow, and third-party management are three dominant themes that need to be addressed by regulation.
Data Privacy and Cybersecurity
In the cloud, data is distributed across multiple servers rather than concentrated in a physical location. Therefore, significant investments in cybersecurity and maintenance are more critical than concentrating risks physically in one jurisdiction.
Notwithstanding the Law on Cybersecurity 2018 or the Law on Cyber-information Security 2015, the lack of cloud-related regulations poses challenges to data privacy and cybersecurity for businesses. The varying needs to use cloud services to hedge against price increases, service degradation, or work overloads to achieve cloud maturity will eventually require regulators and supervisors to set cloud-based standards for risk-averse cyber strategies and data governance. Applicable laws and regulations need a better classification of cloud entities and principle-based approaches in response to market innovations. According to the Law on Cybersecurity 2018 and Decree 53/2022/ND-CP (Decree 53), there is a need to show who is subject to data processing requirements and which industry players are required to establish a physical infrastructure and legal presence in Vietnam.
Cross-border Data Flow (CBDF)
Cloud service providers (i.e., IaaS, SaaS, and PaaS) can vary in their capabilities and resources. Their interactions with data depend on cloud deployment models in a multi-tenant environment. According to Article 26.3a of Decree 53, localizing data raises difficult questions for the long-term growth of digital trade. It restricts multidivisional and geographically dispersed firms and local small-and-medium enterprises from accessing global cloud services. Additionally, the current Draft Decree amending Decree 72/2013/ND-CP requires data center service providers, including cloud providers, to obtain business licenses. It also sets specific standards, rights, and obligations of service providers and their customers. These, however, illustrate the Government’s intent to expand its purview on cross-border data flow and further the control of data sovereignty.
Though the current regulatory framework needs to better understand cloud environments and their benefits fully, at present CBDF barriers present obstacles to enterprises at all scales. CSPs face the complexity of the digital ecosystem and the high cost of operating redundant infrastructures. In the end, data localization and centralized security models would increase compliance costs and degrade the ability to provide seamless cloud services across jurisdictions while tampering with cloud sovereignty and operational resilience to fulfill the distribution of multi-customer shared computing resources.
Increasing concerns about risks resulting from cloud outsourcing agreements, shared responsibility for data privacy and confidentiality safeguards, and the overall security of cloud-based solutions test businesses and CSPs on operational resilience challenges. Document No. 783/2020/THH-HTDLS issued by MIC and Articles 33 to 36 of Circular 09/2020/TT-NHNN by the State Bank of Vietnam have proven to be outmoded in regulating the cloud market. Therefore, the intricacy of vendor lock-in effects will precipitate concentration risks where critical cloud infrastructures operate outside the regulatory perimeter.
Regulatory agencies must act with due diligence towards cloud-based data vulnerabilities. Inevitably, the potential reliance on cloud infrastructure to lift and shift applications to the cloud will intensify the need to construct uniform standards and interfaces, appropriate governance, and risk control frameworks to deter limited data portability and fulfill regulatory expectations of privacy standards for personal data.
It is essential to note that the multi-tenant architecture, which allows businesses to change operating models to achieve efficient scalability, organizational agility, and cloud portability, will demand closer attention to standards and regulations of electronic data handling. The multi-layered cloud environment and variation of cloud deployment models help meet the business demands for cost savings and acceleration while ensuring the reliability of cloud infrastructure and embedded security for end-to-end automation with risk control measures.
Through outcome-focused and technology-neutral policies, Vietnam can benefit hugely from cloud computing through greater competition, innovation, enhanced cybersecurity, and lower operating costs, contributing to the growth of Vietnam’s digital economy and data-related activities.