Is your cloud provider compliant?

Companies must scrutinise the technology and its provider to make sure it is up to standard with the security and compliance requirements, says John McLoughlin, MD of J2 Software.

Johannesburg, 06 Nov 2014
Read time 3min 10sec

Before investing in any new technology, an organisation must first establish whether that technology will meet the business' needs. Similarly, the organisation must scrutinise the technology and its provider to make sure it is up to standard with the company's security and compliance requirements.

One such example of this, says John McLoughlin, MD of J2 Software, a distributor of SkyView Partners' managed security solutions, is cloud computing.

"The business benefits of cloud computing are widely accepted and documented; however, whether or not cloud computing meets your business requirements is dependent on the type of data being stored, accessed, and shared in the cloud."

He cites the example of using the cloud to store personal information protected by laws such as POPI. "Before storing data that is extremely confidential or highly sensitive in the cloud, a business will want to examine the restrictions placed on this sort of information by its security policies. You should also thoroughly question the potential cloud provider to make sure they can meet your security and compliance needs."

Questions such as who has root access to the data, whether or not the administrators access the servers through encrypted sessions, what their patch management strategy is, and what security tools, such as anti-malware, do they have in place - are all vital, he adds.

McLoughlin also advises to ask whether the potential service provider's server configurations are in compliance with the relevant regulations, what password configurations are in place, and whether these can be adapted to meet your business' specific requirements. "To help mitigate against possible insider threat, the cloud provider should be able to identify and shut down the accounts used by any staff exiting the company, to ensure they no longer have access to any sensitive information."

Another point to bear in mind, he says, is how logging is performed and the duration for which any logs are retained. "Depending on the industry, most regulations stipulate a certain level of logging take place. The business' security policy may insist on the logging of various functions, such as failed log-in attempts and suchlike. A period of anywhere between one and seven years can be applicable.

"Businesses should also ask for details on the cloud service provider's network and security configurations. Targeted attacks are a frightening reality today, and hackers often gain access to a business network due to poor configurations. If that business happens to be your cloud provider, this could mean your most sensitive data could fall into a hacker's hands through no fault of your own. Cloud providers, because they store such massive volumes of data, are often targets for this type of attack, so make sure they have all appropriate controls in place. This is also true of denial of services (DOS) attacks. Your cloud provider should have measures in place to make sure they are prepared for this sort of attack, so that your business isn't negatively impacted."

In terms of data privacy, McLoughlin advises businesses to check their providers for any possible data residency issues. "Some countries have rules governing the storage of information, and insist it remains within the country's borders. Cloud providers often store data across several countries and locations, so ensure that this will not cause you to fall foul of any data residency laws."

J2 Software

With global markets in a state of constant flux and companies looking for innovative ways to ensure their survival, more companies are resorting to protecting their market share and optimising their internal resources at all costs. J2 Software has been at the forefront of assisting companies in achieving these goals by providing effective and easy to manage data security and policy enforcement solutions.

J2 Software provides solutions and services that allow its customers to leverage technology to reduce risk, improve compliance, cut costs and keep control. The company offers its clients complete peace of mind through the cost-effective delivery of world-beating policy enforcement and compliance solutions, communication cost allocation, data security, encryption and PC protection tools and services.

The company has implemented solutions in South Africa, Angola, Botswana, Kenya, Malawi, Mauritius, Mozambique, Tanzania, Uganda and Zambia.

J2 Software represents SystemSkan, Mimecast, Zscaler, SentryBay, Aspivia, Secude, Avira and Flickswitch.

Editorial contacts
Exposure Mia Andric (+27) 82 564 0087
J2 Software John Mc Loughlin (+27) 861 00 5896
Have your say
Facebook icon
Youtube play icon