The Protection of Personal Information Act (POPI) is causing much angst within IT departments. This is due to the fact that any infrastructure that holds personal information needs to be secure at all times. Failure to achieve POPI compliance may result in significant penalties. It is anticipated that the act will come into force in the last quarter of 2017.
Many large and well known organisations I speak to are struggling to ensure that they have the tools and bandwidth in place to adequately patch both MS Windows and their applications. Ensuring this happens is required to achieve POPI compliance. This becomes extremely challenging in environments with large distributed networks with branch offices where remote infrastructure and bandwidth are at a premium. To be 100% POPI compliant you need to ensure that operating system and application updates are current and up to date.
What is also clear is that many believe that significant infrastructure upgrades are required to meet POPI compliance requirements. This typically involves network upgrades and providing branch side systems management infrastructure. With the deployment of Nomad from 1E, alongside System Centre Configuration Manager (SCCM), this is not the case. Patching can be securely and rapidly distributed to all remote devices with zero additional infrastructure. It’s not magic but is just works.
So why are companies struggling with operating system security patching and POPI compliance?
The very short answer to this question is bandwidth. Security patching, updates and even software deployments are very difficult and often impossible in branch office environments. Couple this with Microsoft’s new servicing model in Windows 10 and the problem is just going to get worse. The most impacted environments are the large retailers and financial services companies that have significant branch networks. These are often running on low grade links with very little spare bandwidth. Unfortunately these are the very same organisations that hold the personal and financial information that the act is trying to protect.
In these environments business traffic, line of business applications and any revenue generating activity is seen as sacrosanct and rightly so, particularly in tough economic times. The net result is that systems management traffic, the ‘stuff’ that gets security updates and the like down to branch offices is either de-prioritised or not catered for at all. This means that updates don’t happen and point of sale and back office devices are not patched with the latest security updates. Forget the POPI act, where does this sort of behaviour stack against King III?
The Protection of Personal Information Act
When we examine the relevant sections of the act the most relevant clause is found under Condition 7, security safeguards.
To quote from POPI:
S19 (1)A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—
(a) identify all reasonably foreseeable internal and external risks to personal
information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Point (d) above is the most pertinent here. If you are not updating your operating system security on a continual basis, you are not compliant.
So we have an act, why should we care? Well both organisations and the individuals within them should care as the act also deals with some very specific sanctions. For companies that do not achieve POPI compliance, fines can be levied of up to R10 Million. This does not preclude civil damages running into millions as well as the associated reputational risk and the impacts thereof. Any individual convicted of an offense under this act could face a jail term of 10 years and will probably be fired. I guess we should care.
The Nomad Effect
If your company is already invested in Microsoft System Centre Configuration Manager (SCCM), you can become compliant almost immediately (certainly in terms of patching) with Nomad Enterprise from 1E.
SCCM’s native deployment technology (BITS) is not known for its bandwidth friendliness and hence patching is often turned off to remote locations. In fact the only realistic way to patch with SCCM is to deploy a DP at a remote location and schedule BITS traffic after hours. This is cost prohibitive in small locations, adds to management overheads and does not make effective use of available bandwidth.
Nomad on the other hand, replaces BITS as a content provider and is very bandwidth friendly. It constantly backs off to business traffic to ensure that business operations are not affected. Importantly, Nomad continually uses spare and available bandwidth to ensure that you get what you need down to your branch sites as quickly as possible. This is achieved without any impact on the business and is not possible natively with SCCM.
This may sound like pie in the sky but to reference a recent example. A very large retailer in the US recently deployed Nomad for very similar reasons. For compliance purposes they had to ensure that devices were constantly patched. This however was having a negative impact on their “just in time” business application. The net effect was that trucks in their distribution channel were leaving half empty, largely because business data was not arriving in time.
By deploying Nomad they got the best of both worlds. Business traffic still takes priority but Nomad traffic ramps up dynamically when the business traffic ramps down and systems management traffic can flow without any business impact. Without Nomad, this would just not be possible.
What is also critically important in a Nomad design is that there is zero requirement for any additional branch office infrastructure. No SCCM distribution points to roll out at all. Nomad leverages existing infrastructure to ensure you can fully manage a remote site with significant additional fail over capabilities and no additional infrastructure investment.
To conclude
The POPI act is placing tremendous pressure on IT departments from a compliancy perspective. Granted there have been many false starts with this legislation but companies must comply and the financial consequences and reputational risk could be dire. Nomad provides a very elegant and quick win from a compliancy perspective. It also provides a double benefit of actually removing branch office servers as a consequence. Hence delivering large operational cost savings.