Return to search

The right to privacy : how the proposed POPI Bill will impact data security in a cloud computing environment

Thesis (MComm)--Stellenbosch University, 2014. / ENGLISH ABSTRACT: The growing popularity and continuing development of cloud computing services is ever evolving and is slowly being integrated into our daily lives through our interactions with electronic devices. Cloud Computing has been heralded as the solution for enterprises to reduce information technology infrastructure cost by buying cloud services as a utility. While this premise is generally correct, in certain industries for example banking, the sensitive nature of the information submitted to the cloud for storage or processing places information security responsibilities on the party using the cloud services as well as the party providing them. Problems associated with cloud computing are loss of control, lack of trust between the contracting parties in the cloud relationship (customer and cloud service provider) and segregating data securely in the virtual environment.
The risk and responsibilities associated with data loss was previously mainly reputational in nature but with the promulgation and signing by the South African Parliament of the Protection of Personal Information Bill (POPI) in August 2013 these responsibilities to protect information are in the process to be legislated in South Africa. The impact of the new legislation on the cloud computing environment needs to be investigated as the requirements imposed by the Bill might render the use of cloud computing in regard to sensitive data nonviable without replacing some of the IT infrastructure cost benefits that cloud computing allows with increased data security costs.
In order to investigate the impact of the new POPI legislation on cloud computing, the components and characteristics of the cloud will be studied and differentiated from other forms of computing.
The characteristics of cloud computing are the unique identifiers that differentiate it from Grid and Cluster computing. The component study is focused on the service and deployment models that can be associated with cloud computing. The understanding obtained will be used to compile a new definition of cloud computing. By utilizing the cloud definition of what components and processes constitute cloud computing the different types of data security processes and technical security measures can be implemented are studied. This will include information management and governance policies as well as technical security measures such as encryption and virtualisation security. The last part of the study will be focussed on the Bill and the legislated requirements and how these can be complied with using the security processes identified in the rest of the study. The new legislation still has to be signed by the State President after which businesses will have one year to comply and due to the short grace period businesses need to align their business practices with the proposed requirements. The impact is wide ranging from implementing technical information security processes to possible re-drafting of service level agreements with business partners that share sensitive information. The study will highlight the major areas where the Bill will impact businesses as well as identifying possible solutions that could be implemented by cloud computing users when storing or processing data in the cloud. / AFRIKAANSE OPSOMMING: Die groei in gewildheid en die ontwikkeling van wolkbewerking dienste is besig om te verander en is stadig besig om in ons daaglikse lewens geintegreer te word deur ons interaksie met elektroniese toestelle. Wolkbewerking word voorgehou as ‘n oplossing vir besighede om hul inligtings tegnologie infrastruktuur kostes te verminder deur dienste te koop soos hulle dit benodig. Alhoewel die stelling algemeen as korrek aanvaar word, kan spesifieke industrië soos byvoorbeeld die bankwese se inligting so sensitief wees dat om die inligting aan wolkbewerking bloot te stel vir berging en prosesseering dat addisionele verantwoodelikhede geplaas op die verantwoordelike partye wat die wolk dienste gebruik sowel as die persone wat dit voorsien. Probleme geassosieër met wolk- bewerking is die verlies aan beheer, gebrekkige vertroue tussen kontakteurende partye in die wolk verhouding (verbruiker en wolk dienste verskaffer) en die beveiliging van verdeelde inligting in die virtuele omgewing.
Die risiko’s en verantwoordelikhede geassosieër met inligtings verlies was voorheen grootliks gebasseer op die skade wat aan die besigheid se reputasie aangedoen kan word, maar met die publiseering en ondertekening deur die Suid-Afrikaans Parliament van die Beskerming van Persoonlike Inligting Wet (BVPI) in Augustus 2013 is hierdie verantwoordelikhede in die proses om in wetgewing in Suid Afrika vas gelê te word. Die impak van die nuwe wetgewing op die wolkbewering omgewing moet ondersoek word omdat die vereistes van die Wet die gebruik van wolkbewerking in terme van sensitiewe inligting so kan beinvloed dat dit nie die moeite werd kan wees om te gebruik nie, en veroorsaak dat addisionele verminderde IT infrastruktuur koste voordele vervang moet word met addisionele inligting beveiligings kostes.
Om die impak van die nuwe BVPI wetgewing op wolkbewerking te ondersoek moet die komponente en karakter eienskappe van die wolk ondersoek word om vas te stel wat dit uniek maak van ander tipes rekenaar bewerking. Die karakter eienskappe van wolkbewerking is die unieke aspekte wat dit apart identifiseer van Rooster en Groep rekenaar bewerking. Die komponente studie sal fokus op die dienste en implimenterings modelle wat geassosieer word met wolkbewerking. Die verstandhouding wat deur voorsafgaande studie verkry is sal dan gebruik word om ‘n nuwe definisie vir wolkbewerking op te stel. Deur nou van die definisie gebruik te maak kan die inligtings sekuriteit prosesse en tegniese sekuriteits maatreëls wat deur die verantwoordelike party en die wolkbewerkings dienste verskaffer gebruik kan word om die komponente en prosesse te beveilig bestudeer word. Die studie sal insluit, inligtings bestuur prosesse en korporatiewe bestuur asook tegniese beveiligings maatreels soos kodering en virtualisasie sekuriteit. Die laaste deel van die studie sal fokus op die BVPI wetgewing en die vereistes en hoe om daaraan te voldoen deur die sekuritiets maatreëls geidentifiseer in die res van die studie te implimenteer. Die nuwe wetgewing moet nog deur die Staats President onderteken word waarna besighede ‘n jaar sal he om aan die vereistes te voldoen en omdat die periode so kort is moet besighede hulself voorberei en besigheid prosesse aanpas. Die impak van die wetgewing strek baie wyd en beinvloed van tegnise inligtings beveiligings prosesse tot kontrakte aangaande diens lewering wat dalk oor opgestel moet word tussen partye wat sensitiewe inligting uitruil. Die studie sal die prominente areas van impak uitlig asook die moontlike oplossings wat gebruik kan word deur partye wat wolkbewerking gebruik om inligting te stoor of te bewerk.

Identiferoai:union.ndltd.org:netd.ac.za/oai:union.ndltd.org:sun/oai:scholar.sun.ac.za:10019.1/86184
Date04 1900
CreatorsBasson, Benhardus
ContributorsVan Zyl, Anria, Stellenbosch University. Faculty of Economic and Management Sciences. School of Accountancy.
PublisherStellenbosch : Stellenbosch University
Source SetsSouth African National ETD Portal
Languageen_ZA
Detected LanguageUnknown
TypeThesis
Formatix, 67 p. : ill.
RightsStellenbosch University

Page generated in 0.0036 seconds