SLAs - the onus is on you
A company can no longer shy away from the responsibility that comes with securing customer data. Laws such as the recently passed Protection of Personal Information (POPI) Act won't let them get away with it, which means an organisation's service level agreements (SLAs) need to be watertight. And many will be surprised to realise this doesn't just apply to cloud services.
"IT security remains the responsibility of the board and is delegated to the CIO/CISO, whether the IT services that you consume are in the cloud or not," says Pink Elephant's operations manager Andre van der Merwe.
He states that the SLA, which was traditionally an upfront, once-off static agreement on the requirements of IT security between the organisation and the cloud provider, is no longer a sustainable option and needs to fundamentally change. "It's extremely important that the SLA be regarded as a living document, if the organisation is to adequately safeguard its customers, and itself, against today's multiple threats to the protection of data."
This is especially true in light of the dynamic business and user requirements that have been accelerated with disruptive technologies like the Internet of Things (IoT) and Bring Your Own Device (BYOD). "These disruptive technologies have made it so that the SLA requires continual updating based on the latest technology within the South African landscape," Van der Merwe says.
According to many industry expert views at this year's ITWeb Security Summit, South Africa is increasingly becoming a target for cyberattacks. "Cloud providers are finding it more and more difficult to prevent, detect and correct a cybercrime. It's not possible for cloud providers to deliver an SLA that is granular enough to speak to business needs, including IoT, BYOD and other disruptive technologies. The SLA in itself has now become a critical IT security control," Van der Merwe adds.
Security in itself
Veeam's regional manager for Africa, Claude Schuck, believes being connected 24x7, using virtually any device, means businesses have to rethink their security strategy. "Let me put this into context with a simple example: take away an individual's smartphone for a minimum of four hours, and they will be lost, frustrated and feel completely unproductive; that is the reality of 24x7," he says.
He believes that, at the moment, security presents a massive pain point, with companies and even countries at risk of being severely compromised by vulnerabilities and malicious users. "Being proactive around security becomes one of the most fundamental building blocks companies need to put in place," he says.
He believes the SLA, especially in terms of business continuity, is not simply about defining uptime. Rather, attention should shift to what happens when there is a failure or disaster. After all, no service provider can guarantee complete uptime.
"When business continuity is needed, that is where the SLA comes into play. The business needs to decide which of its systems (and data) need to be available within minutes of going down. Prioritising data makes not only for a more cost-effective approach, but also guides the business through the process of understanding the important elements of its information," he says.
There are specific security opportunities that organisations can take advantage of in the modern datacentre. Virtualisation, for instance, makes it possible to run a virtual lab that works with the datacentre's own data to test deployments and perform security tests in an isolated environment, avoiding deployment risks to the live systems. "Compliance drives what needs to happen and, fortunately, with each security exploit and case of a company being attacked making the news, there is an increasing awareness around the importance of security and data," he adds.
Respondents in the 2016 Veeam Availability Report stated that the average written SLAs for recovery time objectives (RTOs) in an organisation for its mission-critical and non-mission-critical applications are three and nine hours, respectively. "When it comes to South African respondents, the results were six hours for mission-critical applications and ten hours for non-mission-critical applications."
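Treating the SLA as a living control, as the article argues, means actually measuring recovery against the written RTO after every incident rather than filing the agreement away. The following is an added example, not code from the article, Veeam or Pink Elephant: it takes the tier RTOs quoted above (three hours for mission-critical, nine for non-mission-critical, used here purely as illustrative targets) and checks a set of constructed outage records against them, flagging breaches and the worst overrun so the numbers can feed back into the next SLA review. The incident data, system names and tier labels are all constructed for the example.

```python
from datetime import datetime, timedelta

# Illustrative RTO targets per application tier. The hour values are the
# average written SLAs the article quotes from the 2016 Veeam Availability
# Report; an organisation would substitute the values it has actually agreed.
RTO_TARGETS = {
    "mission-critical": timedelta(hours=3),
    "non-mission-critical": timedelta(hours=9),
}

# Constructed sample incidents (not real data): one record per outage,
# with ISO 8601 timestamps for when the system went down and was restored.
SAMPLE_INCIDENTS = [
    {"system": "payments-db", "tier": "mission-critical",
     "down_at": "2016-08-01T02:10:00", "restored_at": "2016-08-01T04:45:00"},
    {"system": "crm", "tier": "mission-critical",
     "down_at": "2016-08-03T09:00:00", "restored_at": "2016-08-03T15:30:00"},
    {"system": "intranet-wiki", "tier": "non-mission-critical",
     "down_at": "2016-08-05T11:00:00", "restored_at": "2016-08-05T18:00:00"},
    {"system": "reporting", "tier": "non-mission-critical",
     "down_at": "2016-08-07T01:00:00", "restored_at": "2016-08-07T11:15:00"},
]


def _hours(td):
    """Express a timedelta in fractional hours for reporting."""
    return td.total_seconds() / 3600.0


def evaluate_incident(incident, targets=RTO_TARGETS):
    """Compare one outage's actual recovery time with its tier's RTO.

    Raises ValueError if the tier has no agreed RTO (a gap in the SLA that
    should be fixed rather than silently ignored) or if the timestamps are
    inconsistent.
    """
    tier = incident["tier"]
    if tier not in targets:
        raise ValueError(f"no RTO agreed for tier {tier!r}; update the SLA")
    down = datetime.fromisoformat(incident["down_at"])
    restored = datetime.fromisoformat(incident["restored_at"])
    actual = restored - down
    if actual < timedelta(0):
        raise ValueError(f"{incident['system']}: restored before it went down")
    target = targets[tier]
    overrun = max(actual - target, timedelta(0))
    return {
        "system": incident["system"],
        "tier": tier,
        "actual_hours": _hours(actual),
        "target_hours": _hours(target),
        "breached": actual > target,
        "overrun_hours": _hours(overrun),
    }


def rto_report(incidents, targets=RTO_TARGETS):
    """Evaluate every incident and summarise RTO compliance per tier."""
    results = [evaluate_incident(i, targets) for i in incidents]
    breaches = [r for r in results if r["breached"]]
    per_tier = {}
    for r in results:
        stats = per_tier.setdefault(r["tier"], {"incidents": 0, "met": 0})
        stats["incidents"] += 1
        if not r["breached"]:
            stats["met"] += 1
    worst = max(breaches, key=lambda r: r["overrun_hours"]) if breaches else None
    return {
        "results": results,
        "breach_count": len(breaches),
        "per_tier": per_tier,
        "worst": worst,
    }


if __name__ == "__main__":
    report = rto_report(SAMPLE_INCIDENTS)
    for r in report["results"]:
        status = "BREACH" if r["breached"] else "ok"
        print(f"{r['system']:<14} {r['tier']:<21} "
              f"{r['actual_hours']:5.2f}h vs {r['target_hours']:4.1f}h  {status}")
    print("breaches:", report["breach_count"], "worst:", report["worst"]["system"])
```

Run on the constructed data, two of the four outages breach their RTO, and the CRM outage is the worst overrun; the per-tier counts are the figures a board or CISO would want in front of them when deciding whether the written RTO, the recovery investment, or the prioritisation of systems needs to change at the next SLA review.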
When it comes to the SLA, requirements change over time. Van der Merwe refers to the critical elements as the CIA triad of data: confidentiality, integrity and availability.
"Cloud computing has already started to evolve beyond availability, and into the IoT and all its ensuing data points that can be captured. The next phase of data management will be from the data profile stemming from IoT wearables and other smart devices," Schuck says.
Van der Merwe agrees that new technologies change the scope of the risk profile. "Technology is becoming smart, and no longer necessitates human interaction to connect to things. Where everything talks to everything, we sit with a case of digital spaghetti," he says.
The explosion of data has seen security taking on a new level of importance. "With everything being connected, all devices and even appliances are targets. In the world of the IoT, hackers can take over anything from televisions to fridges and even self-driving cars," says Schuck. However, this connected environment does not necessarily mean that organisations need to reinvent their SLAs and the rules around backup. "At its most basic, companies should have multiple copies of their data, keep it encrypted, and store it off-site wherever possible," he says.
In order to stay ahead of the risk that comes with new technologies, Van der Merwe cautions that companies will need to start thinking further than what they are used to.
"We are already living in the future with the connectedness of things around us. The need to have an effective disaster recovery plan in place is even more critical than before. But the amount of data that needs to be secured and included in such a plan means that companies have to examine the cost of losing data versus the fees they need to pay for an available environment," Schuck concludes.
This article was first published in the August 2016 edition of ITWeb Brainstorm magazine.