Industry News
Government IT Modernisation: Legacy to Secure Cloud
05 March 2026 · 0x1m3 · 6 min read
The Modernisation Imperative
South African government departments and state-owned entities operate some of the most complex IT environments in the country. Decades of investment in on-premises infrastructure have created sprawling estates of legacy systems, proprietary applications, and ageing hardware.
The pressure to modernise is intensifying. Cybersecurity threats targeting government infrastructure are increasing in frequency and sophistication. The skills shortage in the public sector makes maintaining legacy environments unsustainable. And citizens expect digital services that legacy systems cannot deliver.
But government IT modernisation is not the same as private sector cloud migration. Sovereignty requirements, regulatory constraints, and the realities of air-gapped networks mean the path forward requires a different approach.
The Challenges Unique to Government
Data Sovereignty
The Minimum Information Security Standards (MISS) framework and POPIA impose strict requirements on where government data may be stored and processed. Sensitive and classified information must remain within South African borders — and in many cases, within government-controlled infrastructure.
This rules out most global cloud offerings in their default configurations. Government departments need cloud providers with South African data centres and compliance certifications that meet MISS requirements.
The SITA Act
The State Information Technology Agency (SITA) Act governs IT procurement and service delivery for government. Departments must navigate SITA's processes and frameworks when procuring technology solutions. This adds procurement complexity but also provides a structured path for technology partners who understand the process.
Cybersecurity Skills Shortage
Government competes with the private sector for cybersecurity talent — and consistently loses. Salaries, working conditions, and career progression in the public sector cannot match private sector offerings. The result is chronic understaffing of IT security teams.
This makes solutions that automate security operations — detection, response, patching, monitoring — essential rather than optional.
Legacy Citrix Environments
Many government departments have long-standing Citrix deployments for application delivery and virtual desktops. With Citrix's License Activity System (LAS) migration deadline of 15 April 2026, departments must transition to new licensing models or risk non-compliance.
This deadline creates both urgency and opportunity. Departments upgrading their Citrix licensing can simultaneously modernise their application delivery infrastructure.
Solutions for Government Modernisation
On-Premises Citrix CVAD for Secure Environments
Citrix Virtual Apps and Desktops (CVAD) remains the standard for application delivery in government environments that require on-premises deployment. For classified networks, air-gapped environments, and facilities where cloud connectivity is restricted, CVAD delivers applications securely without external dependencies.
OAS, as a Citrix Platinum Partner, has deployed and managed government Citrix environments for decades. The LAS migration deadline is an opportunity to modernise these deployments — upgrading to current versions, consolidating infrastructure, and improving performance — while maintaining the on-premises control that government mandates.
Azure South Africa for Government Cloud
Microsoft Azure operates two South African regions: Johannesburg (with Availability Zones for high availability) and Cape Town. These regions provide government-grade compliance certifications and ensure data remains within South African borders.
Azure South Africa enables government departments to adopt cloud services — compute, storage, identity management, and analytics — without compromising data sovereignty. For departments ready to move workloads to cloud, Azure SA provides the platform. For those not yet ready, hybrid architectures allow gradual migration at the department's pace.
Offline-Capable Endpoint Protection with SentinelOne
SentinelOne provides endpoint detection and response (EDR) that operates autonomously — without cloud connectivity. This is essential for government environments with restricted or intermittent internet access.
SentinelOne's behavioural AI detects and responds to threats on the endpoint itself. When a device is compromised on an air-gapped network, SentinelOne isolates the threat and remediates it locally. No cloud call required. No dependency on external infrastructure.
Data Protection with Sovereign Storage
Cove Data Protection provides encrypted cloud backup with data centres in South Africa. Government data stays in-country, meeting MISS and POPIA requirements for data sovereignty.
Cove protects servers, workstations, and cloud workloads with automated backup schedules and granular recovery. In a ransomware event — an increasingly common threat to government entities — Cove ensures recovery without data loss and without ransom payment.
Compliance Logging with Splunk
Splunk centralises log data from across the entire government IT environment. It provides compliance dashboards aligned to POPIA, MISS, and National Archives Act requirements.
For departments facing audit by the Auditor-General or compliance reviews by the Information Regulator, Splunk produces the evidence. Access logs, change records, incident timelines, and security posture reports — all from a single platform.
Multi-Department Management with N-able
N-able provides remote monitoring and management (RMM) across departments, facilities, and geographic locations. From a single console, IT teams can monitor device health, deploy patches, enforce security policies, and manage assets across the entire estate.
For government IT teams that are understaffed and overextended, N-able automates the routine work that consumes 80% of their time — freeing resources for strategic modernisation projects.
A Phased Approach to Modernisation
Government IT modernisation does not happen overnight. A phased approach manages risk while delivering incremental value.
Phase 1: Secure the current environment. Deploy SentinelOne across all endpoints. Centralise logging with Splunk. Implement automated patching with N-able. This addresses immediate security gaps without disrupting operations.
Phase 2: Modernise application delivery. Upgrade Citrix CVAD deployments ahead of the LAS deadline. Consolidate legacy application silos. Improve user experience for government employees who depend on these systems daily.
Phase 3: Adopt cloud selectively. Move suitable workloads to Azure South Africa. Start with non-sensitive services — email, collaboration, analytics. Maintain on-premises infrastructure for classified and sovereignty-restricted systems.
Phase 4: Optimise and scale. With security, application delivery, and cloud foundations in place, expand cloud adoption as confidence and capability grow. Use Splunk analytics to drive continuous improvement.
Why OAS for Government
OAS has served South African organisations — including government departments — for over 40 years. As a Citrix Platinum Partner based in Johannesburg, OAS understands the regulatory landscape, procurement processes, and operational realities of government IT.
This is not theoretical. OAS has a proven track record of deploying enterprise-grade infrastructure in environments where security, sovereignty, and reliability are non-negotiable.
Next Steps
Modernising government IT requires security, sovereignty, and a partner who understands both. That's OAS.