Hosted security services

1 July 2015 Information Security, Security Services & Risk Management

You can’t escape the cloud. Today there isn’t an IT system out there, even when it comes to apps for a mobile device, that doesn’t have some link to cloud computing. Whether it’s storing your details in the cloud, running apps or full applications from the cloud, or even simply backing up your data to a server ‘somewhere’, cloud is it.

In the security industry we’ve seen cloud services appear as hosting solutions, such as hosting your access control at an offsite provider. Remote monitoring is also a cloud service, but there are few organisations in South Africa that offer a fully hosted surveillance operation – the bandwidth and storage requirements would be too great. Not that VSaaS (video surveillance as a service) is all that successful overseas either.

Michael Horn, BU manager: Security, CA Southern Africa.

To give us some more information on the cloud and the associated security issues, Michael Horn, BU manager for security at CA Southern Africa, elaborates on being secure out in the great wide Internet.

How secure is your data?

Data in the cloud refers to data while it is being transmitted, stored or processed by a cloud service provider (CSP). Encryption is one of the most effective data protection controls available today. Encryption integrity is based on the technologies and processes governing the cryptographic security services. It is a primary data (and application) protection technique.

For encryption to be useful, encryption keys must be properly managed and protected. The emergence of cloud computing – where critical customer and enterprise data could be held by third-party cloud providers in multi-tenant, shared computing and storage environments – highlights the need to call on encryption as a primary security control.

Storage, movement, and processing of digital information are commonly discussed in terms of ‘Data at Rest,’ ‘Data in Transit,’ and ‘Data in Use.’ The application of encryption mechanisms can similarly be considered for each of these states.

When enterprises and individuals move their data and applications to the cloud, protection of their confidential information, such as company secrets, intellectual property and sensitive information like personally identifiable information (PII), in transit, at rest, and in use, is critical. Inappropriate information disclosure could cost a data owner their reputation and financial standing, and affect their regulatory and legal compliance requirements.

When cryptography is used to protect valued data, the risk is transferred from the content to the keys. Once encryption has occurred, protection of cryptographic key material becomes paramount.

Questions to ask

Organisations should be asking CSPs these questions before procuring their services:

• How does the CSP manage network and information security risks related to the cloud service?

• Which security tasks are carried out by the CSP, which type of security incidents are mitigated by the CSP (and which tasks and incidents remain under the responsibility of the customer)?

• How does the cloud service sustain disasters affecting data centres or connections, and which data is backed up where?

• How is security of the cloud service guaranteed when there are legal issues or administrative disputes?

• What practices does the CSP follow to ensure they have trusted personnel?

• How are customer data or processes protected from unauthorised physical and logical access?

• What data encryption and cryptographic management services are supported or supplied by the CSP?

• How does the provider ensure software security, and which software remains the customer’s responsibility?

• How is access to the GUIs and APIs protected, and are there additional measures for administrators/high privilege roles (on the customer’s side)?

• How can the customer monitor the service, which logs are kept, and how can they be accessed, for example, when the customer needs to analyse an incident?

• Which standards make the cloud service portable and interoperable?

• How is increase of usage or peaks handled, and what are the corresponding costs?

• Which national legislation applies?

Is it legal under PoPI to store data offshore?

PoPI does not dictate where your customer data should reside geographically; however, you need to be aware of jurisdictional control in the event of a legal dispute. In order to determine which data is PII, you will need to classify your data and understand where the data resides and flows through your organisation. Not all data needs to be encrypted; your data classification exercise will assist in identifying the PII that requires encryption.

What do we need to do to safely make use of cloud services?

When assessing CSPs, enquire if they are planning on adopting the ISO/IEC 27018 code of practice for the protection of Personally Identifiable Information (PII) in public clouds acting as PII processors.

ISO 27018 is the first international set of privacy controls in the cloud, and Microsoft’s Azure is the first cloud computing platform to adopt ISO 27018.

CSPs adopting ISO/IEC 27018 must operate under five key principles:

• Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.

• Control: Customers have explicit control of how their information is used.

• Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.

• Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.

• Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.

For more information contact CA Southern Africa, +27 (0)11 417 8645, [email protected], www.caafrica.co.za



















© Technews Publishing (Pty) Ltd. | All Rights Reserved.