Alto Africa CTO Oliver Potgieter on securing data in the cloud


Many small business owners are more concerned about how secure their data is in the cloud but don’t worry about taking their unencrypted laptops to a local coffee shop, says Alto Africa CTO Oliver Potgieter. He talks to Intelligent CIO about why having a ‘secure’ password doesn’t mean one’s data is protected and why ‘the cloud’ itself is not the security issue.

Gartner predicts that by 2022, at least 95% of cloud security failures will be the user’s fault. The challenge is not in the security of the cloud itself, but rather in the policies and technologies for security and control of the technology.

SMEs need to understand where their data protection concerns should lie. Having a ‘secure’ password surely cannot compare to storing one’s data on a multi-billion-dollar cloud platform like Microsoft’s Azure, Amazon Web Services or Google Cloud.

Instead of asking whether the cloud is secure, they should rather be asking whether they are using the cloud securely. It is nearly always the user, and not the cloud provider, who fails to manage the controls used to protect an organisation’s data.

Small and mid-sized businesses have a relationship with cloud security that reflects a line from Shakespeare – full of sound and fury, signifying nothing. In part, the blame should be placed on the shoulders of the ‘bakkie brigade’ – a group of IT providers that service the SMB sector in South Africa.

Unfortunately, most small businesses have a vested interest in friends and relatives who look after their computers. These ‘IT professionals’ tend to keep software and data local and charge a handsome callout fee every time there’s a problem.

So they sow fear, uncertainty and doubt (FUD) about ‘the cloud’ while punting their own ‘data centre’. It’s not even worth commenting on the security of a couple of servers in the IT provider’s basement.

There are very few Fortune 500 companies that can compete with the availability and security of Azure, Amazon Web Services or Google Compute, let alone any small or mid-size businesses. There is a massive difference between a real data centre and the local IT provider’s ‘data centre’.

So, do businesses never get hacked in the cloud? Of course they do, but Microsoft’s Azure SLA, for example, states that they take responsibility for security of the cloud service they provide, e.g. the physical components and the network connected layer.

SMEs can run pretty much any service they want from these global cloud platforms, but if they leave remote connections open to the world, give every user that needs access full admin rights, and have a password policy that allows ‘Password123’ as the only form of authentication needed, then they deserve to be hacked.

Don’t blame the platform: securing data is the company’s responsibility, according to the Protection of Personal Information Act 2013 (PoPI) and the European Union’s General Data Protection Regulation (GDPR).

Next time a ‘trusted advisor’ says the cloud is just not ready yet, consider some of the following statistics: Amazon’s cloud grew 49% year on year in Q1, with US$5.44 billion in revenue, while Microsoft’s commercial cloud revenue leapt an incredible 58% to US$6 billion.

There are plenty of good reasons to move to the cloud: it makes good business sense and it allows small business owners to focus on their business. Cloud computing can be used for almost all types of applications, not just business security.

When running one’s own servers, the overall costs of maintenance and management can lead to unforeseen expenditures.

While the idea of cloud computing can sometimes sound complicated, it’s clear that it saves its users money. There are no upfront costs, and moving to the cloud is cheaper than one thinks. It involves no upfront investment, as all IT infrastructure needs are taken care of by the cloud service provider for a fixed cost.
