Story image

Enterprise database security the answer to complying with the POPI Act

09 Nov 2017

Three weeks ago Australian web security expert Troy Hunt revealed on Twitter that the personal information of more than 30 million South Africans had been leaked online.

This is the biggest breach of personal information in the country’s history.

This breach has made the public, and enterprises more aware than ever of the protection of personal information and the POPI Act, or Protection of Personal Information Act.

The POPI Act was signed into law in April 2013, but the South African Information Regulator, the body responsible for implementing the Act and monitoring its implementation, has indicated that the Act will only be in full effect in early 2018.

This Information Regulator was only chosen in December 2016, three years after the Act was signed in.

Companies in South Africa are aware of the POPI Act, as is evident from a 2015 Grant Thornton’s International Business Report (IBR) where 91% of businesses surveyed said they would implement the Act.

In 2016 however, the same report revealed that only 25% of the companies saw cyber attacks on personal information as a current threat. This lack of attention provided to cyber attack security can expose companies to the information breach Hunt discovered.

Most enterprises trading in the tech and online sphere rely heavily on customer information as enterprise data for a number of services.

According to the POPI Act, when personal information is collected the person from whom the information is being collected must be made explicitly aware of the purpose for which the data will be used.

The data collected may also only be used by the company for an activity or function which relates to the company and its business.

Companies can comply with this regulation by adding text to their website where personal information such as date of birth or credit card details is asked for.

This text should state how the company will use the required information. This can be the first, very effective step in protecting an online company.

Another important condition of the POPI Act is the safeguarding of the personal information collected.

According to Condition 7 of the Act, companies need to determine whether there are any possible internal or external risks to the information collected and also foresee any future threats.

One way this can be done is by implementing security regulations such as using changeable passwords to information databanks or login details to the backend of online store databases.

Ensuring that spreadsheets with this personal information are access controlled using passwords is another way to ensure the safety of the information.

There are, however, a great number of other regulations in the POPI Act as well. This can become overwhelming and expensive. Companies can also protect their enterprise data and thus comply with the Act, through making use of database security tools.

The relational database management systems (RDBMS) most commonly used by companies are not always sufficient to protect online companies against all possible security breaches.

According to senior security strategist and CTO at Securosis, Adrian Lane, the extensive problem companies are facing is the security of sensitive customer information across a number of different databases.

“Single platform products don't play well when an enterprise has sensitive information in many types of databases,” says Lane.

Traditionally, these RDBMS do not always have the capacity to secure all of these databases at the same time.

Unfortunately, enterprise data collected from customers is only valuable to a company if it can be used and enable collaboration between departments and teams.

 On their Windows IT Pro Center website,  Microsoft warns of two extremes - where either access is given to everyone without any security or having only one user with access, which can in itself cause a bottleneck effect.

These and other potential security flaws pose a potential breach of information and effectively the POPI Act.

For this reason, it is worth companies investing in a good enterprise database security systems and also employing someone who is directly responsible for this security, as is required by the POPI Act.

The initial investment of both time and money into these security systems might be overlooked by 75% of companies in the IBR Report, however, the value of protecting both the company and customers in the future is an investment worth making.

UK IT decision makers more concerned about Brexit than GDPR
When it comes to data sovereignty, UK businesses are less prepared and thus more concerned for what Brexit will bring.
Q&A: Aruba manager on imminent data centre challenges
Aruba's Alessandro Bruschini shares his thoughts on booming demand for data centres and the growing obstacles bolstered by regulation and energy efficiency requirements.
Interview: Next steps needed in data centre energy efficiency
SPIE UK's Peter Westwood shares what needs to be done to make the vision of a data-driven world more sustainable.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
APAC holds largest installed base of storage capacity
"The Global StorageSphere is large and diverse, encompassing many different storage technologies, and growing rapidly."
IBM opens up Watson to run on anything, anywhere
Big Blue has made Watson portable across any cloud with the goal to empower businesses to prevent vendor lock-in and start deploying AI wherever their data resides.
Dell EMC’s new and improved data management capabilities
The company has made updates to its All-Flash storage system and released the ClarityNow software for data management.
Four ways the technology landscape will change in 2019
Until now, organisations have only spoken about innovative technologies somewhat theoretically. This has left people without a solid understanding of how they will ultimately manifest in our work and personal lives.