Security, compliance, PoPI and COVID-19

Remote workforce productivity is affected by a plethora of factors – and now businesses have to take PoPIA compliance into account, adding to the complexity.

Neil Thacker, CISO for EMEA at Netskope, says, “Prior to COVID-19, some organisations had already moved their traffic flow to the cloud, others had plans in place for 2021, but for the remainder, COVID-19 made them realise that they needed to fast-track digital transformation.”

Organisations don’t know when life will return to normal – if ever. The economic fallout of COVID-19 is already evident. To survive, companies are looking at how they can adopt more services digitally, moving to infrastructure-as-a-service, but all of this accelerated transformation introduces a layer of risk that can only be countered by placing more focus on secure configuration, while the ability to support remote workers, run operational effectiveness and ensure visibility is key.”

Zea Silva, Key Account Manager for CyberTech a division of Altron

Zea Silva, Key Account Manager for CyberTech, a division of Altron, says that in order to have a secure remote workforce, organisations need to focus on getting control and visibility over what employees are sharing, how they connect and how they behave, regardless of where they work.  Silva predicts that the longer employees work from home, the greater the adoption these security solutions will be even long after the pandemic. 

Silva says “The COVID-19 lockdowns around the world have seen a surge in the use of collaboration tools. One of the biggest stumbling blocks for remote work is ensuring employees do not compromise the organizations data by unknowingly sharing data in an unsafe manner. 

Thacker comments: “We’ve seen companies go from 20 000 to 200 000 connections to a collaboration tool virtually overnight. Bottlenecks quickly became apparent. Firstly, those sorts of numbers just weren’t sustainable with an on-premise approach.”

Securing the cloud

As remote workers started adopting Webex, Zoom, Skype and other collaboration tools to do their jobs, organisations had to figure out how to allow employees to use the tools that their customers were asking for. How do you secure a cloud-based service? The answer lies in changing user behavior and coaching and guiding users, says Tinus Janse van Rensburg, Regional Manager for Netskope  

Previously, the security team would just block those applications, but that’s just not possible anymore. Instead, they have to apply controls and allow usage, but each tool can’t have its own control, that would be a nightmare to manage, so you need general policies that apply to all collaboration tools around what data can be shared. It shouldn’t matter what the tool is, the aim is to control and protect the data. Thacker says, “It’s a balancing act of what you allow and how you control it.”

Silva adds, “One of the big challenges we noticed immediately was that many organisations just didn’t have the skill sets to allow them to scale quickly to the levels that they needed to, not to mention the general shortage of cyber security skills.”

“When applications sat inside a network, and all the managed devices were also inside the network, everything worked just fine,” continues Janse van Rensburg. “However, when you take into account BYOD, user control moves outside the organisation’s control plane. Then you bring in the cloud, with applications and technologies that were historically deployed in a corporate environment being offered as a service in the cloud. Now you have the end user and the applications that they use outside the traditional perimeter.”

The majority of IT spend has always been on technology providers and organisations trying to force a control point inside a fixed infrastructure. The secure access service edge (SASE) model put forward by Gartner moves it out of their control. How do you control something you have limited visibility over? The SASE model allows this to be applied to the user wherever they go, regardless of their location.

PoPIA comes into play

Adding to the data management complexity is the Protection of Personal Information Act, or PoPIA, which was implemented as of 1 July 2020, with companies having a year to comply. Thacker says the Act is a good thing, as it unifies data protection across the globe, enabling South Africa to do business with other countries, such as the European Union, for instance.

He advises that each organization go through the PoPI Act and review what it means to their business. “There are three key takeaways from an information security and data protection perspective. You’re required to know what information you have, where you process it and how you process it, including which cloud servers you’re using and where the data is being stored, in South Africa or offshore. 

“Secondly, businesses need to accept that POPIA compliance is necessary and that breaches not only need to be reported, but they will also attract fines and the possibility of reputational damage. The upside of POPIA is that compliance can make businesses more streamlined and efficient. The retention period enables organisations to dispose of older data in a compliant manner.  

“Finally, it’s vital to create awareness in the organization by educating employees and ensuring that they don’t upload data that contains personal information to a public cloud. This type of information should only be going to places where there is an undertaking to protect that data.”

The solution

Janse van Rensburg says to counter all of the abovementioned challenges, a behavioral change is required. “Instead of using a blanket block and deny access approach, users need to be coached. So if the user tries to share personal data over a public cloud platform, they have to provide a motivation before they can submit it or choose another method of sending that data. So we’re advocating a shift from a block and deny approach to a notification and information approach.”

“You need to have a log that shows that you offered education to the employee, yet they decided to continue. There has to be proof that you applied reasonable technical and organizational measures. This type of record is key evidence in the event of a breach.”

“It’s all well and good to have policies in place to help the business be compliant, but you need to enforce those policies and provide control using technology,” he points out.

Thacker agrees, saying, “That’s where technology and organisational measures have to be aligned. Data classification is great, but not all organisations can apply that to all levels of information, the business needs to be able to identify personal information. PoPIA has a number of statements around responsibilities, so if someone is putting up a list of 100 customers into a system, the organisation must have a record of that data being passed on. This is where categorization is key. You need a list of all systems and the category of data being stored there.”

Silva says the answer is to have policies, full visibility and in line capabilities. “These three things are key and in big demand currently because it means you can apply policies effectively everywhere the user travels. Instead of directing traffic to the datacentre before connecting out to the Internet, why not just connect directly to the application instead? You can apply the analytics to the traffic in its natural path instead of directing the traffic to the analytics, which will improve performance. The Internet wasn’t designed for this type of collaboration and connectivity, so why not direct traffic through a platform that is designed for this, without adding latency to the process? It means employees get a faster response, they can work more efficiently, and don’t have applications that don’t respond, network performance is increased, and security controls are applied.”

CyberTech, a division of Altron offers Managed Security Services from SOC (Security Operations Centre) to Vulnerability Management. This is no different for CASB (Cloud Access Security Broker) Services as covered in this article. Silva adds “We offer this on a MSSP model ensuring organizations only pay per use on a monthly basis.