Co-authors: Andrew Kirkland – CyberTAN CEO, Kurt Hagerman – Armor CISO
The race is on. Adopting cloud is fast becoming a critical consideration for increasing competitiveness and profitability. “Ignore it at your peril”, some will say. There may be a lot of truth in keeping up with the fast-paced technological advancements, but there is one question holding many South African companies back. Is the cloud secure?
The answer to this has already raised many eyebrows, caused many brainstorm sessions, and created more confusing options than answers. This is especially true for South African businesses. The challenge is that we are not yet well educated on the matter. Research has already indicated that there is a vast gap between SMME’s and enterprises’ understanding of cloud and cloud security.
The cloud and the corresponding security debate has been persistent for quite some time. In my opinion, yes, it is secure, depending on a few key factors. First, it is important to note what you are mostly concerned about in the context of how the cloud will be utilized. What’s driving you to make this change? Is it competitiveness, cost efficiencies, lack of skills, regulations, etc. In this context, there will be a starting point as to what it is you are looking for and establish criteria needed for considering a security strategy to address this need. The more time you spend thinking and analysing the more you’ll find that there are a range of confusing choices.
Regulation and Compliance
When throwing regulation and standards into the mix, it becomes ever more complex. This translates to more brainstorm sessions and extensive additional planning. And, compliance adds an additional hurdle to this conversation. We need to explore these regulations and ascertain whether using cloud will hinder or assist in this process. It’s how you approach it that matters. Using a cloud service and expecting it to be secure is negligence magnified. You can’t simply assume that all cloud services include the security you will require. Rather than trying to address the myriad regulations that may apply, I want to touch on South Africa’s POPIA (Protection of Personal Information Act).
Many don’t know what it is or don’t know what it means to them. Where do you start? Some say, “When it matters then I’ll address it” – much like buying insurance – I don’t need it until something happens and then I’ll need it when it’s too late. I believe this kind of thinking can get you into serious hot water. Like GDPR in the UK, we expect POPIA to be active in early 2018 and when this happens companies will only have 12 months to comply.
This raises a few questions such as– how far are you along in preparing your organization for POPI? Have you identified the resources you need to address this? Have you considered Condition 7: Security Safeguards carefully? Most importantly, however, is gaining a full understanding of how POPI will impact your business. The good news is that there is plenty of valuable information in this regard available online, so the time to get started if you haven’t already is now!
Security and Privacy Guidelines
Condition 7 of POPIA essentially states that a responsible party must secure the integrity and confidentiality of personal information under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, and unauthorised access to or processing of personal information. To facilitate this, the responsible party must take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information, establish and maintain appropriate safeguards against the identified risks, regularly verify that the safeguards are effectively implemented, and ensure that the safeguards are continually updated based on newly identified risks.
Now back to the original question – is the cloud secure? The short answer is yes, it can be, and it can actually be easier to secure than your own on-premise facilities. The first thing you need to understand is that despite much of the marketing speak you will read, no cloud provider can make you fully compliant. Security in the cloud is a shared responsibility between you and the provider.
Utilising a secure cloud service can make it much easier for you to meet these obligations as they have likely already considered many of the risks inherent in processing PHI over the internet and included security controls designed to mitigate these risks. Another value is your ability to place your data in a new, more easily defined and controlled environment. Often organisations’ internal networks are unorganized having evolved over time making it very difficult to identify and then isolate the sensitive data from everything else. Moving these workloads to a secure cloud allows you to “start over” and ensure that you have it well locked down.
There are other benefits to using a cloud service as well. Don’t be afraid to take a look at how the cloud could help you secure your sensitive data and meet your regulatory requirements. We’ll be talking more about this at a live event in Johannesburg (possibly Cape Town as well) in early September with a few interesting announcements that may help you. Watch this space!