The spectre of the Protection of Personal Information Act 2013 (PoPI) looms ever closer, and while some companies will see the new regulation as something of a headache as they work to get their data management procedures in order, the threat of serious sanctions for those failing to comply gives a new perspective on the importance of data security.
Those who want to see the bright side of this situation will view the upcoming regulation as a chance to get their cloud in order. And for cloud providers, PoPI serves as a vital opportunity to differentiate from competitors by offering a watertight solution to data security.
Forcepoint regional manager: sub-Saharan Africa, Christo van Staden, says that while much of the new regulation will be a fairly straightforward evolution – or hardening – of existing processes, it will still represent a new challenge for companies with small IT teams or whose expertise doesn’t lie in data security.
In the past, it was easy enough to outsource data management. However, PoPI will require an added level of trust for those companies outsourcing the storage and processing of sensitive data they hold on individuals.
“If a serious breach occurs at your third-party data processor, for instance, you need to be able to trust that they’ll inform you promptly and work with you to fix the problem,” he explains.
Needless to say, with the stakes increased by PoPI, some businesses will be more wary about which third-party suppliers they choose to bring in. They’ll have to ask their suppliers tough questions, and should receive transparency in response. This isn’t an opportunity for data processors to pull the wool over their customers’ less-experienced eyes.
This is particularly the case for companies looking to transfer their data management to a cloud-based solution – whether it’s PoPI that prompted them to seek a more secure, flexible solution or not.
“Funnily enough, in the early days of cloud computing, security was seen as the solution’s weak point – and organisations would prefer to keep their data, applications, and infrastructure on premises,” he adds.
Today, however, that thinking has come full circle. Cloud traffic is growing rapidly, with an expected threefold increase between 2016 and 2021. People who trust public cloud now outnumber those who don’t by a ratio of 2-to-1, according to a recent Intel security report.
These projections, though, don’t make the process of transferring and securing data in the cloud any less daunting for those organisations yet to make the leap.
For companies that haven’t yet made the move, it’s often an issue of control that holds them back. This is particularly the case if they’re used to being able to apply specific protocols and hashing algorithms to their on-premises infrastructure. Moving to cloud provision, and provision via a third party, can feel like losing control.
Additionally, there can be an issue of even knowing where your important data lives (pretty key if one plans on transferring it elsewhere). In their current on-premises model, companies might not know exactly what data is where and how it should be classified.
What is the information handling procedure for any given document, image, or program code repository? Which database holds your current customer dataset?
Van Staden says once you’ve located and gathered all the data to be transferred, you need to consider how to move all of it securely – and be clear on whose responsibility it is to ensure the cloud storage destination is already secure.
Multiple recent reports have highlighted the potential dangers of misunderstanding this process.
“Needless to say, cloud service providers have a role to play here. Of course, they’re there to provide data inventory tools and services to help fingerprint and hunt for data in customers’ networks, and to encrypt data for secure transfer (you haven’t gone to all the hard work of locating your data only to send it over the internet without encrypting it) – but there’s important work to be done before this too,” he says.
Cloud service providers have a responsibility to be transparent with their customers. When a business is going through a procurement process and requesting information to help them figure out which provider to choose, the onus is on the cloud provider to be absolutely honest about what they can and can’t do. The stakes are simply too high to behave in any other way.
This is where the trust relationship begins: the first job of a security specialist is to help potential customers make informed decisions about how to keep their data safe (and within the bounds of PoPI).
“At Forcepoint, we’ve set up a cloud trust programme within our business so we have the ability to instil confidence in our clients. It’s aimed at ensuring not only that our company is being assessed for all of the most valuable certificates and accreditations available from industry bodies, but that our customers are able to check that we have earned those certificates to the extent that we’re claiming. We consider this programme essential to our customers and ensuring they are PoPI compliant,” he concludes.
Ultimately, PoPI is a response to the increasing prevalence and significance of sensitive data to the functioning of our businesses. And security is arguably the most important aspect of all.
IT managers should be taking PoPI as their cue: failing to get your cloud security in order now could result in devastating consequences in the not-so-distant future.