Executive Summary
Sri Lanka’s digital ambitions—from government digital services to private-sector innovation—require infrastructure that delivers sovereignty, resilience, scale, and cost effectiveness. Hybrid cloud, which combines locally hosted (sovereign/private) infrastructure with public cloud resources, is the pragmatic architecture to meet those requirements.
OREL IT, through its OREL CLOUD platform, local data-centre footprint, managed security services, and strategic partner integrations (including Huawei Cloud Stack and hyperscaler interconnects), is building the nation’s hybrid cloud backbone. This whitepaper explains why hybrid cloud fits Sri Lanka’s needs, details OREL IT’s technical and operational approach, maps concrete architecture patterns & use cases, and provides an actionable roadmap for government and enterprise adoption. Key regulatory and policy drivers (notably the Personal Data Protection Act and the Government Cloud Policy) are addressed and integrated into the recommended architecture and operational model. (OREL IT)
Table of Contents
- Introduction
- Policy & Regulatory Context (short primer)
- Why Hybrid Cloud for Sri Lanka — Drivers & Benefits
- OREL IT’s Hybrid Cloud Value Proposition
- Reference Architectures & Design Patterns
- Security & Compliance: PDPA, Governance & Controls
- Operational Model: Services, SLAs & Pricing
- Key Use Cases and Early Signals
- Roadmap & Recommendations
- Risks, Mitigations & KPIs
- Conclusion
- References (links)
1. Introduction
Digital public services, fintech, healthcare, education, and enterprise IT are increasingly cloud-native. However, many national services contain highly sensitive personal or regulated data that must remain under local jurisdiction while still being able to leverage global cloud innovation and elastic scale. Hybrid cloud—combining OREL IT’s local sovereign hosting with managed integration to global cloud services—enables this balance: local control for sensitive workloads, and on-demand scale for compute-heavy or non-sensitive tasks. OREL IT is architecting, operating, and supporting that hybrid backbone for Sri Lanka. (OREL IT)
2. Policy & Regulatory Context (short primer)
- Personal Data Protection Act (PDPA, No. 9 of 2022): The PDPA establishes duties for controllers/processors and creates the Data Protection Authority (DPA), requiring technical and organizational safeguards for personal data and rules for cross-border transfers. Service providers must support PDPA-aligned controls (data mapping, purpose limitation, breach notification). (Parliament of Sri Lanka)
- Government Cloud Policy & LGC 2.0: The Government has issued a cloud adoption policy promoting a “Cloud First” approach for public organizations and has developed the Lanka Government Cloud (LGC 2.0), which itself adopts hybrid patterns to enable government workloads while providing central governance. Drafts and public consultations on sovereign cloud strategy continue, signaling a preference for accredited local providers in sovereign or sensitive domains. (mode.gov.lk)
Implication: Any provider building national infrastructure must embed PDPA compliance, produce auditable controls, and align with government cloud procurement frameworks.
3. Why Hybrid Cloud for Sri Lanka: Drivers & Benefits
Key drivers
- Sovereignty & legal compliance: Local residency for regulated datasets reduces legal friction and supports PDPA obligations. (Parliament of Sri Lanka)
- Performance & resilience: Local hosting reduces latency for domestic users and helps continuity during international link outages.
- Cost & currency exposure: Hosting steady workloads locally can optimize foreign-currency cloud spend and egress fees.
- Access to hyperscaler innovation: Bursting to public clouds for AI/ML, analytics or global distribution preserves innovation pace without exposing sensitive data. (lgc.gov.lk)
Hybrid cloud is therefore a risk-balanced strategy: it reduces regulatory exposure while unlocking elastic compute when needed.
4. OREL IT’s Hybrid Cloud Value Proposition
4.1 Local Sovereign Hosting (OREL Cloud)
OREL Cloud offers locally hosted cloud stacks sized for national use (large vCPU and storage capacity) to host regulated and latency-sensitive systems within Sri Lanka’s jurisdiction. The platform supports virtual machines, containers and common enterprise services. (OREL CLOUD)
4.2 Partnered Hybrid Integrations
OREL integrates local stacks with partner cloud stacks (e.g., Huawei Cloud Stack) and provides secure interconnects to major hyperscalers for burst capacity and specialized PaaS/AI services. Such partnerships let customers retain API compatibility and operational parity while keeping data residency. (Huawei Cloud)
4.3 Security & Managed Services
OREL provides managed SOC, SIEM, backup/DR, encryption and compliance advisory — all required elements to operate sovereign workloads under PDPA and government cloud guidelines. These managed services are combined with transparent pricing models and SLA options tailored for public procurement. (OREL IT)
5. Reference Architectures & Design Patterns
Below are modular designs OREL IT uses to satisfy common national and enterprise requirements. Each pattern can be implemented using a mix of OREL Cloud resources and public cloud services via secure interconnects.
Pattern A — Sovereign Core + Public Cloud Burst
- What it hosts: Citizen registries, e-ID, health records, tax systems.
- Components: OREL sovereign zone (private cloud), encrypted DB clusters, HSM-backed key management, private dedicated link (DirectConnect/MPLS) to public cloud for analytics bursts.
- Benefits: Full onshore control for PHI/PII; elastic analytics offload to hyperscaler.
Pattern B — Edge & Regional Hybrid
- What it hosts: Banking branch services, retail POS, IoT gateways.
- Components: Local edge nodes for transaction capture; regional OREL Cloud aggregation; asynchronous replication to central sovereign stores; public cloud for central analytics.
- Benefits: Low latency for transactions, centralized policy enforcement, efficient bandwidth usage.
Pattern C — Research & AI Sandbox
- What it hosts: University research datasets, model training pipelines.
- Components: Local secure data lakes for sensitive datasets; controlled egress and vaulting to public cloud GPU clusters for heavy training jobs.
- Benefits: Protects intellectual property and sensitive datasets while leveraging global compute. (Huawei Cloud)
Cross-cutting controls (applies to all patterns)
- Zero-Trust network model and identity federation.
- Data classification and automated policy enforcement (DLP).
- Immutable logging & centralized observability (SIEM/SOAR).
- Customer-managed keys and HSMs for sovereign encryption.
6. Security & Compliance: PDPA, Governance & Controls
6.1 PDPA Compliance by Design
Implement data mapping, lawful basis tracking, DPIAs, retention & deletion policies, and breach-notification automation. OREL’s operational offerings include templates and ATO-style artifacts to accelerate government onboarding. (dpa.gov.lk)
6.2 Technical Controls
- Encryption: At rest and in transit; support for customer-managed keys in an on-shore HSM.
- Identity & access: Centralized IAM, least privilege, role separation, MFA.
- Network & segmentation: Micro-segmentation, private VPCs, guarded border services for controlled egress.
- Monitoring & response: 24/7 SOC, SIEM with playbooks aligned to DPA notification windows.
6.3 Certifications & Assurance
OREL should maintain and publish independent certifications (ISO 27001, SOC2, or equivalent), and provide audit packages for procurement reviews. Aligning these artifacts to the Government Cloud Policy significantly reduces procurement friction. (mode.gov.lk)
7. Operational Model: Services, SLAs & Pricing
Service Portfolio
- Infrastructure as a Service (IaaS) — sovereign compute, storage, networking.
- Platform & Containers — managed Kubernetes, DBaaS, messaging services.
- Managed Security & Compliance — SOC, patching, vulnerability management.
- Hybrid Connectivity — dedicated link, VPN, SD-WAN.
- Professional Services — migration, compliance, architecture, runbooks.
SLAs & Commercials
- Tiered availability SLA: e.g., standard (99.9%), premium (99.95%) with separate financial credits.
- Transparent pricing: calculators for compute, storage, network and egress; reserved capacity discounts for public sector budgets. (OREL CLOUD)
8. Key Use Cases & Early Signals
- Government (sovereign workloads): LGC 2.0 demonstrates the government’s purchase of hybrid models for central services; ICTA’s cloud policy and sovereign cloud consultations indicate strong demand for accredited local providers. (lgc.gov.lk)
- Banking & Finance: Banks prefer to keep core systems on-shore while running analytics and fraud detection in the cloud.
- Healthcare: Protected health information requires local guardrails; hybrid models permit secure analytics for public health.
- AI/Research: OREL integrates with partner stacks to support research institutions that require local data protection but global compute for model training. The Huawei Cloud Stack case for OREL shows a locally hosted cloud stack that provides parity with public cloud APIs and services. (Huawei Cloud)
9. Roadmap & Recommendations
Short Term (0–12 months)
- Publish an OREL Sovereign Cloud Spec and an ATO package tailored to PDPA and Government Cloud Policy.
- Obtain or publish relevant certifications and independent audit reports.
- Onboard 2–3 pilot government/enterprise customers with clear KPIs.
Medium Term (12–36 months)
- Participate in the government sovereign cloud consultations and offer accredited “sovereign zone” services.
- Expand partner integrations with at least two hyperscalers for hybrid bursting and PaaS access.
- Offer sector templates (health, finance, education) for rapid deployment.
Long Term (36–60 months)
- Operate certified sovereign cloud zones for national critical workloads; be a core participant in the National Data Exchange architecture.
- Support a national marketplace for compliant hybrid services to accelerate government procurement and SME adoption.
10. Risks, Mitigations & Key Performance Indicators (KPIs)
Top Risks & Mitigations
- Regulatory change or ambiguity: Maintain flexibility, open dialogue with DPA/ICTA, and provide adaptable contractual terms. (mode.gov.lk)
- Vendor lock-in: Use API parity, containerization, and a multi-cloud orchestration approach.
- Connectivity/continuity: Build multiple international links, edge cache, and local redundancy.
- Security incidents: Continuous monitoring, third-party pen tests, and incident readiness aligned with PDPA timelines.
Recommended KPIs
- Time to provision a PDPA-compliant sovereign workload (target: ≤ 30 days).
- Uptime per SLA tier (e.g., 99.9% / 99.95%).
- Mean time to detect (MTTD) and mean time to respond (MTTR) for incidents.
- Latency percentiles for citizen services (p50, p95).
- Number of government/enterprise tenants onboarded to sovereign zones.
11. Conclusion
Sri Lanka’s national priorities—data protection, resilient public services, and digital innovation—point clearly to hybrid cloud as the architecture of choice. OREL IT combines local sovereign hosting, transparent commercial models, managed security capabilities, and strategic partner integrations to deliver a hybrid backbone that meets legal, technical, and operational demands. By aligning product offerings to PDPA and government cloud standards, publishing compliance artefacts and participating in sovereign cloud frameworks, OREL IT can be the trusted partner that builds Sri Lanka’s digital backbone.
12. References & Links
The following sources were used to prepare this whitepaper. They include government policy, legislation, OREL IT public materials, partner case studies and news coverage.
- OREL IT — Official website/company & services pages.
  https://orelit.com/
- OREL Cloud — product page and OREL Cloud details.
  https://orelit.com/orel-cloud-shaping-the-future-of-it-in-sri-lanka/
- OREL Cloud (infrastructure specs/marketing).
  https://www.orelcloud.com/
- Huawei Cloud — OREL IT case (Huawei Cloud Stack hosted in Sri Lanka).
  https://www.huaweicloud.com/intl/en-us/cases/orelit.html
- Personal Data Protection Act, No. 9 of 2022 (Parliament PDF).
  https://www.parliament.lk/uploads/acts/gbills/english/6242.pdf
- Data Protection Authority (DPA) — guidelines and public consultations (PDPA directives).
  https://www.dpa.gov.lk/ (Guidelines & drafts)
- Government Cloud Policy — final/official PDF (“Policy for the Adoption of Cloud Services by Government Organizations”).
  https://mode.gov.lk/assets/files/Government_Cloud_Policy_1.14_Final-fe327cb516d93b260651e64e8ab9705b.pdf
- ICTA — Lanka Government Cloud (LGC 2.0) and government cloud resources.
  https://lgc.gov.lk/ and https://www.icta.lk/projects-si/lanka-government-cloud-2-0
- ICTA — draft Government Cloud Policy (public consultation versions).
  https://www.icta.lk/icta-assets/uploads/2023/11/government-cloud-policy_1.12.pdf
- News: Government sovereign cloud planning & consultations (Ada Derana; BiometricUpdate).
  - Ada Derana article — Sri Lanka govt’s digital transformation plans include sovereign cloud.
    https://www.adaderana.lk/news/106164/sri-lanka-govts-digital-transformation-plans-include-sovereign-cloud
  - BiometricUpdate coverage — ICTA public consultations on Sovereign Cloud Strategy.
    https://www.biometricupdate.com/202507/sri-lanka-wants-feedback-on-sovereign-cloud-strategy
- Additional legal/regulatory commentary on Sri Lanka’s data protection landscape (DLA Piper overview).
  https://www.dlapiperdataprotection.com/index.html?c=LK&t=law