POPI and the hidden costs of compliance
Data security needs to follow sensitive data throughout its entire data life cycle management process, from capture through to disposal, says Craig Moir, MD of MyDBA.
Protecting personal information that is under the custodianship of an organisation is not a simple matter of purchasing the right data security software product and implementing it. Suitable software is going to be a big expense of course, but there are a number of other costs that will need to be considered and budgeted for as well.
Here are some of my thoughts, says Craig Moir, MD of MyDBA.
Data life cycle management
One primary issue which may not be immediately apparent is that data security needs to follow sensitive data throughout its entire data life cycle management (DLM) process, i.e., from capture through to disposal. During the life cycle of sensitive data, it is likely to flow through different systems in different formats and on different platforms and storage media. Sensitive data could also morph between structured and unstructured formats within its life cycle and could essentially reside in and move between any of the usual OLTP, data warehousing, archiving, document server and big data environments.
No matter where the sensitive data resides, access rights to this data need to be managed in each phase. Monitoring and reporting are required at all times, particularly for unauthorised access.
Breach notification should not only focus on sensitive data in its operational phase, but through all phases from the capture event right up until the discard event. Protecting sensitive data throughout the DLM process will no doubt require a variety of security product sets along with multiple skill-sets, thereby increasing the cost of compliance.
Sensitive data may also reside in many disparate places, such as on-premises, in the cloud and at hosted service providers. Hybrid configurations are not uncommon either, as organisations start adopting the cloud. With the array of options and services available today, it can be very difficult for organisations to know where their sensitive data is actually residing and who exactly has access to it.
Making use of services or service providers does not absolve an organisation from the responsibility of taking adequate measures to protect sensitive data in their possession. An organisation must have strict control over access to sensitive data across its entire systems landscape. This significantly complicates security and the management of sensitive data and will once again result in the need for multiple security products from multiple vendors, along with the additional resources and skills required to understand, implement and manage data security for such complex environments.
Monitoring security alerts
To add to the already monumental task facing organisations, security breaches need to be identified as soon as possible, meaning sensitive data access monitoring and alerting needs to be reviewed continuously.
Suspicious activity may not be immediately obvious, and being able to identify it from legitimate activity, exceptions and false positives could be a complex task requiring detailed investigation. The quicker a breach is detected, the quicker an organisation can curb the data loss and limit the resulting potential for reputational damage and financial loss. If this reporting goes unmonitored, data breaches might only be detected months or even years later.
But, once again, there is a cost to this, as an organisation will require resources with suitable knowledge, understanding and experience to monitor and analyse this data. This is probably as yet an undefined and non-existent role within most organisations in South Africa. These roles will have to be created and appropriately staffed. Obviously, organisations' data access policies need to be properly and sufficiently defined, otherwise it will not be possible to distinguish legitimate activity from unauthorised activity.
Organisations are often resistant to implementing security measures for their 'super users', system admins and database admins. The reason often cited for this is that they are highly trustworthy and they need unrestricted access to easily diagnose and fix problems. This may well be so, but 'trust' has certainly never prevented a data breach before. Hacking is often considered to be an 'outside' threat, and therefore securing highly privileged internal accounts is deemed restrictive and unnecessary. However, people fail to realise that it is these very 'super user' accounts that are targeted by hackers first. Trusted employees come and go, or an event may turn a trusted employee into a disgruntled employee. This is a serious threat to an organisation, and to mitigate this risk, it should adopt a 'least trust' model or even a 'zero trust' model for inside security. Implementing such stringent policies may be considered an affront to their trustworthiness by some employees, but ultimately, 'trust' cannot form any part of a security strategy and there will be a tangible cost to eliminate it.
Insider threat is probably one of the biggest problems facing organisations today and this threat is significantly increased when segregation of duties is not enforced. Traditionally, South Africans have a hard work ethic and will often do the job of more than one person, thereby creating a distinct overlap of duties. From experience working abroad, it is noticeable that overseas companies have rigidly defined job descriptions and employees are not allowed to cross these lines. This is generally not the case in South Africa. Naturally, any overlap of job function inevitably creates a conflict of interest and a potential security risk. Remedying this would require having all job functions clearly defined, identifying and removing conflicts of interest and then enforcing these policies through proper security products. Enforcing segregation of duties will mean organisations will have to employ additional resources, ultimately increasing the cost of compliance.
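The point made above, that a defined data access policy is what lets an organisation tell legitimate from unauthorised activity, and that privileged and overlapping roles need explicit restrictions, can be illustrated with a small policy-driven review of database audit records. This is an added example, not MyDBA's code or product; the audit line format, the role-to-table policy, the account names and the row threshold are all constructed for illustration.

```python
"""Policy-driven review of database audit records for sensitive-data access.

Added example (not MyDBA's code). The audit line format, the policy table,
the user names and the bulk-read threshold are constructed for illustration.
"""

# Constructed audit records: timestamp, account, role, operation, object, rows,
# and an optional change ticket for privileged changes.
AUDIT_LOG = """\
2024-03-04T09:12:03 u=ann role=claims_agent op=SELECT obj=CUSTOMER_PII rows=1
2024-03-04T09:15:44 u=bob role=marketing op=SELECT obj=CUSTOMER_PII rows=2
2024-03-04T02:41:10 u=sysdba role=dba op=SELECT obj=CUSTOMER_PII rows=48213
2024-03-04T10:02:51 u=sysdba role=dba op=ALTER obj=CUSTOMER_PII rows=0 ticket=CHG-1042
2024-03-04T11:30:00 u=ann role=claims_agent op=SELECT obj=CUSTOMER_PII rows=3500
2024-03-04T12:00:00 u=sysdba role=dba op=GRANT obj=CUSTOMER_PII rows=0
"""

# Data access policy: which roles may perform which operations on which objects.
# Writing this down explicitly is what makes "legitimate vs unauthorised" decidable.
# Under a least-trust model the DBA role may change the schema but not read PII.
POLICY = {
    "claims_agent": {"CUSTOMER_PII": {"SELECT"}},
    "dba": {"CUSTOMER_PII": {"ALTER", "GRANT"}},
}
SENSITIVE = {"CUSTOMER_PII"}
BULK_ROWS = 1000  # more rows than a single customer interaction should need


def parse(line):
    """Turn one 'ts k=v k=v ...' audit line into a dict (constructed format)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    rec["rows"] = int(rec["rows"])
    return rec


def review(log=AUDIT_LOG):
    """Return (account, reason) findings for audit lines that break policy."""
    findings = []
    for line in log.splitlines():
        r = parse(line)
        allowed = POLICY.get(r["role"], {}).get(r["obj"], set())
        if r["op"] not in allowed:
            findings.append((r["u"], f"{r['op']} on {r['obj']} not permitted for role {r['role']}"))
        elif r["obj"] in SENSITIVE and r["rows"] > BULK_ROWS:
            findings.append((r["u"], f"bulk read of {r['rows']} rows from {r['obj']}"))
        elif r["role"] == "dba" and "ticket" not in r:
            # Segregation of duties: privileged changes need an approved change record.
            findings.append((r["u"], f"privileged change to {r['obj']} without change ticket"))
    return findings
```

Without the POLICY table every line above is just "someone read a table"; with it, the marketing read, the DBA's out-of-hours bulk read, the agent's oversized query and the unticketed GRANT each become a reviewable finding.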
Existing bespoke applications might need modifying in order to be security 'aware', while new application development will need to take into consideration security features to protect sensitive data. This will increase the cost of development, maintenance and integration of new and existing systems.
Some security features most likely to be required by applications are redaction, dynamic data masking, tokenisation and encryption.
Incident response, fixes, new releases
As important as security is, so is the ability of applications and systems support personnel to quickly identify and fix problems when things go wrong. The tighter the security gets, the more restrictive this becomes. This will most certainly affect error resolution times. In addition to this, the ability to make changes and implement new releases will also be significantly impacted by stringent security.
Naturally, there will be a cost increase that will accompany the increase in complexity and time required to resolve problems or implement changes. These costs could be in the form of loss of revenue and/or customer satisfaction, increased overtime and employee dissatisfaction.
In summary, there is a possibility of a widespread impact within an organisation as a result of its effort to become compliant with the protection of personal information legislation, and there might be a much larger bill attached to compliance than expected.