A key security concern facing organisations today is not whether the cloud platforms they use are secure, but whether their cloud environments are being governed, configured and operated in a secure and compliant manner.
This is according to Muzi Langa, MD of ManTK IT Solution, a specialist IT security and services provider.
Langa says: “Local organisations are increasingly moving mission-critical systems to the cloud, but in doing so, many are increasing their cyber risk profiles and compliance risks.”
Mitigating misconfiguration risks
One major risk factor is misconfigurations that leave systems and data exposed, he says.
“Cloud environments are highly configurable. There are so many options, and this is both a strength and a weakness because we often see publicly exposed storage, permissive firewall rules and insecure APIs that create vulnerabilities through a lack of authentication controls or excessive permissions. This is often an awareness issue – many of the misconfigurations that we see are very easy to fix, but the organisation was not aware that that asset was publicly exposed,” Langa says.
“Because the environment is so complex and dispersed, manual security reviews are no longer sufficient to address these risks. Security must be automated and embedded into the cloud operations model through cloud security posture management, infrastructure as code, continuous monitoring and automated remediation,” he says. “Security teams must shift left, working alongside cloud engineers to proactively prevent risks rather than reacting after an incident has occurred. You also need continuous monitoring and continuous management of the environment.”
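The automated posture checks Langa describes can be illustrated with a small script. The following is an added example written for this page, not code from ManTK IT Solution; it runs over a constructed, provider-neutral inventory (plain dictionaries standing in for what a posture-management tool would pull from a cloud API) and flags the misconfiguration classes named above: publicly exposed storage, world-open firewall rules, public APIs without authentication, and roles with wildcard permissions. The field names, the severity levels and the remediation hints are assumptions for the illustration, not any vendor's schema.

```python
"""Minimal CSPM-style posture check (added example, not ManTK's code).

Assumption: INVENTORY mirrors the shape a real tool would build from a
cloud provider's API; here it is constructed by hand so the script runs
offline. Each check returns Findings; evaluate() orders them by severity.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    detail: str


# Constructed sample inventory (illustrative field names, not a vendor schema).
INVENTORY = {
    "storage": [
        {"name": "hr-backups", "public_access": True, "encrypted": True},
        {"name": "app-logs", "public_access": False, "encrypted": True},
    ],
    "firewall_rules": [
        {"name": "allow-ssh-any", "direction": "ingress", "source": "0.0.0.0/0", "ports": [22]},
        {"name": "allow-https-any", "direction": "ingress", "source": "0.0.0.0/0", "ports": [443]},
        {"name": "allow-db-internal", "direction": "ingress", "source": "10.0.0.0/8", "ports": [5432]},
    ],
    "apis": [
        {"name": "customer-api", "auth": "none", "public": True},
        {"name": "billing-api", "auth": "oauth2", "public": True},
    ],
    "iam_roles": [
        {"name": "ci-deployer", "actions": ["*"], "resources": ["*"]},
        {"name": "reader", "actions": ["storage:Get"], "resources": ["app-logs"]},
    ],
}

# Ports an organisation might accept on the internet edge; anything else
# open to the world is flagged (assumed policy, adjust to your standard).
INTERNET_OK_PORTS = {80, 443}

# Suggested fix per rule, the kind of text an automated-remediation
# pipeline would attach to a ticket or apply through infrastructure as code.
REMEDIATION = {
    "storage-public": "remove public access grant; serve via authenticated endpoint",
    "firewall-world-open": "restrict source CIDR to known ranges or a bastion/VPN",
    "api-no-auth": "front the endpoint with an authenticated gateway",
    "iam-wildcard": "scope actions and resources to what the role actually needs",
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_storage(buckets):
    return [Finding(b["name"], "storage-public", "high", "bucket is publicly accessible")
            for b in buckets if b.get("public_access")]


def check_firewall(rules):
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or not is_world_open(r["source"]):
            continue
        bad = sorted(p for p in r["ports"] if p not in INTERNET_OK_PORTS)
        if bad:
            findings.append(Finding(r["name"], "firewall-world-open", "high",
                                    f"ingress from {r['source']} to ports {bad}"))
    return findings


def check_apis(apis):
    return [Finding(a["name"], "api-no-auth", "critical", "public endpoint without authentication")
            for a in apis if a.get("public") and a.get("auth", "none") == "none"]


def check_iam(roles):
    return [Finding(r["name"], "iam-wildcard", "medium", "role grants * actions on * resources")
            for r in roles if "*" in r["actions"] and "*" in r["resources"]]


def evaluate(inventory):
    """Run every check and return findings ordered by severity, then name."""
    findings = (check_storage(inventory.get("storage", []))
                + check_firewall(inventory.get("firewall_rules", []))
                + check_apis(inventory.get("apis", []))
                + check_iam(inventory.get("iam_roles", [])))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.resource))


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.detail} -> {REMEDIATION[f.rule]}")
```

Run as a script it lists four findings against the sample inventory; scheduling the same evaluation against a live inventory, and feeding its output into ticketing or infrastructure-as-code pipelines, is the continuous-monitoring loop the article argues for.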
Compliance and data sovereignty
Langa says compliance is a top business priority, with most organisations concerned about where their cloud data will be hosted and processed.
“Compliance remains a key concern for South African organisations handling personal or sensitive data. The POPIA Directive requires that organisations implement appropriate technical and organisational measures to protect that personal information, regardless of whether the data is processed on-premises or in the cloud,” he says. “So the questions organisations need to ask are not only about where the data is stored and where it's processed, but also whether it's protected adequately in its different states. They need to understand whether it is protected with the same level of security in full storage and when it's sent from a user's device to the cloud, or from that cloud to the user's device. They must know whether all encryptions are in place and how they are enforced, how access controls are enforced and whether those access controls are aligned with data classification.”
Langa says organisations should be able to audit and track who accessed the data, right down to what time they accessed the data and what they did with the data. “That’s where audit logging becomes another regulatory data point that needs to be addressed,” he says.
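The two checks Langa raises here, whether protection matches data classification and whether access can be traced to a person, time and action, can be expressed as code. The following is an added example written for this page, not ManTK IT Solution's code and not POPIA's wording; it evaluates a constructed asset inventory against a simple per-classification control table and answers "who accessed this asset, when, and what did they do" from a constructed audit log. The classification tiers, field names and principals are assumptions for the illustration.

```python
"""Classification-aligned protection checks and an audit-trail query.

Added example, not ManTK's code. ASSETS and AUDIT_LOG are constructed sample
data; REQUIRED_CONTROLS is an assumed policy table standing in for an
organisation's real data-protection standard.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum controls per tier (assumption: illustrative policy, not POPIA text).
REQUIRED_CONTROLS = {
    "public":       {"encrypt_at_rest": False, "encrypt_in_transit": True,  "audit_logging": False, "deny_anonymous": False},
    "internal":     {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "audit_logging": False, "deny_anonymous": True},
    "confidential": {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "audit_logging": True,  "deny_anonymous": True},
    "personal":     {"encrypt_at_rest": True,  "encrypt_in_transit": True,  "audit_logging": True,  "deny_anonymous": True},
}

# Principal names that mean "anyone" (constructed; real providers use their own).
ANONYMOUS_PRINCIPALS = {"allUsers", "*", "anonymous"}

# Constructed inventory: one asset per tier, with customer-records deliberately
# misconfigured so the checks have something to report.
ASSETS = [
    {"name": "marketing-site", "classification": "public", "encrypt_at_rest": False,
     "encrypt_in_transit": True, "audit_logging": False, "principals": ["allUsers"]},
    {"name": "customer-records", "classification": "personal", "encrypt_at_rest": True,
     "encrypt_in_transit": False, "audit_logging": False, "principals": ["group:crm-admins", "allUsers"]},
    {"name": "board-minutes", "classification": "confidential", "encrypt_at_rest": True,
     "encrypt_in_transit": True, "audit_logging": True, "principals": ["group:exec"]},
]

# Constructed audit events (ISO 8601 UTC timestamps).
AUDIT_LOG = [
    {"time": "2024-03-01T08:12:05Z", "principal": "user:thabo@example.com", "asset": "customer-records", "action": "read"},
    {"time": "2024-03-01T08:40:19Z", "principal": "user:thabo@example.com", "asset": "customer-records", "action": "export"},
    {"time": "2024-03-01T09:03:44Z", "principal": "user:ayesha@example.com", "asset": "board-minutes", "action": "read"},
    {"time": "2024-03-02T17:55:01Z", "principal": "svc:nightly-backup", "asset": "customer-records", "action": "read"},
]


@dataclass(frozen=True)
class Gap:
    asset: str
    classification: str
    control: str


def protection_gaps(assets):
    """Return one Gap per required control an asset fails to meet."""
    gaps = []
    for a in assets:
        required = REQUIRED_CONTROLS[a["classification"]]
        for control, needed in required.items():
            if not needed:
                continue
            if control == "deny_anonymous":
                ok = not (set(a["principals"]) & ANONYMOUS_PRINCIPALS)
            else:
                ok = bool(a[control])
            if not ok:
                gaps.append(Gap(a["name"], a["classification"], control))
    return gaps


def _parse_time(stamp: str) -> datetime:
    # fromisoformat() accepts "Z" only on newer Pythons; normalise it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def access_history(events, asset, since=None):
    """(time, principal, action) rows for one asset, oldest first."""
    rows = []
    for e in events:
        if e["asset"] != asset:
            continue
        t = _parse_time(e["time"])
        if since is not None and t < since:
            continue
        rows.append((t, e["principal"], e["action"]))
    return sorted(rows)


def principals_with_action(events, asset, action):
    """Distinct principals that performed `action` on `asset`."""
    return sorted({e["principal"] for e in events if e["asset"] == asset and e["action"] == action})


if __name__ == "__main__":
    for g in protection_gaps(ASSETS):
        print(f"{g.asset} ({g.classification}) is missing control: {g.control}")
    for t, who, what in access_history(AUDIT_LOG, "customer-records"):
        print(f"{t.isoformat()} {who} {what} customer-records")
```

Against the sample data the personal-data asset fails three controls (no encryption in transit, no audit logging, an anonymous principal in its access list), and the audit query shows two users and one service account touching it, including an export. The same structure, driven by a live inventory and the provider's audit log, gives the continuous visibility the article calls for rather than a one-off review.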
Langa adds: “Governance and compliance in the cloud is not a one-off project, but it should be an ongoing assurance activity with continuous visibility and governance. This is even more crucial as generative AI makes its way into the workplace and users process internal data using unmanaged or unsanctioned generative AI tools.
“ManTK IT Solution consulting and solutions help organisations address technical and compliance risks in the cloud to enhance their business resilience,” he concludes.