
Enterprise database security the answer to complying with the POPI Act

Three weeks ago Australian web security expert Troy Hunt revealed on Twitter that the personal information of more than 30 million South Africans had been leaked online.

This is the biggest breach of personal information in the country’s history.

This breach has made the public and enterprises more aware than ever of the protection of personal information and of the POPI Act, or Protection of Personal Information Act.

The POPI Act was signed into law in April 2013, but the South African Information Regulator, the body responsible for implementing the Act and monitoring its implementation, has indicated that the Act will only be in full effect in early 2018.

This Information Regulator was only chosen in December 2016, three years after the Act was signed in.

Companies in South Africa are aware of the POPI Act, as is evident from Grant Thornton’s 2015 International Business Report (IBR), in which 91% of businesses surveyed said they would implement the Act.

In 2016, however, the same report revealed that only 25% of the companies saw cyber attacks on personal information as a current threat. This lack of attention to security against cyber attacks can expose companies to breaches like the one Hunt discovered.

Most enterprises trading in the tech and online sphere rely heavily on customer information as enterprise data for a number of services.

According to the POPI Act, when personal information is collected the person from whom the information is being collected must be made explicitly aware of the purpose for which the data will be used.

The data collected may also only be used by the company for an activity or function which relates to the company and its business.

Companies can comply with this regulation by adding text to their website where personal information such as date of birth or credit card details is asked for.

This text should state how the company will use the required information. This can be the first, very effective step in protecting an online company.

Another important condition of the POPI Act is the safeguarding of the personal information collected.

According to Condition 7 of the Act, companies need to determine whether there are any possible internal or external risks to the information collected and also foresee any future threats.

One way this can be done is by implementing security regulations such as using changeable passwords to information databanks or login details to the backend of online store databases.

Ensuring that spreadsheets with this personal information are access controlled using passwords is another way to ensure the safety of the information.

There are, however, a great number of other regulations in the POPI Act as well. This can become overwhelming and expensive. Companies can also protect their enterprise data, and thus comply with the Act, by making use of database security tools.

The relational database management systems (RDBMS) most commonly used by companies are not always sufficient to protect online companies against all possible security breaches.

According to Adrian Lane, senior security strategist and CTO at Securosis, the extensive problem companies are facing is securing sensitive customer information across a number of different databases.

“Single platform products don't play well when an enterprise has sensitive information in many types of databases,” says Lane.

Traditionally, these RDBMS do not always have the capacity to secure all of these databases at the same time.

Unfortunately, enterprise data collected from customers is only valuable to a company if it can be used and can enable collaboration between departments and teams.

On its Windows IT Pro Center website, Microsoft warns of two extremes: either access is given to everyone without any security, or only one user has access, which can in itself cause a bottleneck effect.

These and other potential security flaws pose a risk of a breach of information and, effectively, of the POPI Act.

For this reason, it is worth companies investing in a good enterprise database security system and also employing someone who is directly responsible for this security, as is required by the POPI Act.

The initial investment of both time and money into these security systems might be overlooked by 75% of companies in the IBR Report; however, protecting both the company and its customers in the future is an investment worth making.
