It’s a given that cloud adoption is growing heavily, but I continue to hear how security is a concern or roadblock for some. Yes, the ever-increasing stories of cyber attacks have ensured security remains a top priority for CIOs, as it should be, but I’m always amazed at how security in the cloud is looked upon as a major hurdle or obstacle. Moving your apps to the cloud does take a new way of thinking about security, but it shouldn’t hold you back. Leveraging the cloud, particularly SaaS applications, can actually improve your security risk profile.
It’s a myth that using SaaS apps or putting information in the cloud is inherently less secure than keeping everything on premises. The data needs to be secured no matter where it lives, and keeping it on-prem does not make it more secure. What is true is that it’s different, and as long as you understand the differences, your company’s risk profile is much better off.
One great reason to use the cloud is that you’re outsourcing the development and hosting of your applications, enabling you to focus on core, business-value activities. This also includes security, if done right. Leveraging the cloud gives you access to a great pool of resources, whether it’s with your cloud vendor or in combination with other cloud vendors, because the skills and resources available with most cloud vendors are much greater than what you can muster yourself. Security is the lifeblood of their existence, and the teams and time devoted to overseeing it are far greater than what most companies can afford cost-effectively on their own. This doesn’t mean that cloud vendors can’t get hacked as well. They can. Even though most of the highly publicized security breaches have actually been of on-premises environments, cloud vendors have been hacked. There are no guarantees, but the same goes for your on-premises environment too.
However, using the cloud doesn’t mean you ignore the security concerns and just leave it to the vendors. To fully leverage the cloud for improved security, you need to understand what truly needs to be secured, understand your vendors’ policies and procedures, implement a few tools, and ensure your users are trained and aware of how they can help prevent security attacks. This is not an exhaustive list by any means and I just touch on a few of them below, but these items will put you in a better position going forward.
Data Classification: First, you need to understand what information you really need to protect. Not every piece of data your company produces is sensitive or confidential, so classifying your data as to what is truly sensitive, private or regulatory-impacted is step 1. Understanding where this data then resides (likely more than one place) is required next, so you know where to focus your extra efforts.
Implement Two-Factor Authentication (TFA): TFA is one of the best tools available to ensure outsiders aren’t accessing your applications via insecure or stolen passwords. Many of the leading Identity Management tools have this capability, and there are stand-alone options available too. End users are much more accustomed to this from their banking and other apps, and it does raise the security strength of your applications.
Internal User Training: Internal users are the biggest hole in an enterprise, and ensuring that end users know security best practices is an easy and inexpensive control. More companies are instituting security training as a requirement for all employees. This is even more important with a SaaS / browser-based application environment.
Understand Your Vendor Practices: Just because you’re offloading your application development and hosting to your SaaS provider doesn’t mean you absolve yourself of oversight or of due diligence up front. You still need to understand your vendors’ capabilities and keep ongoing oversight of your SaaS vendors.
As a buyer of SaaS applications, here are items that you should understand and investigate. Again, it’s not an exhaustive list, nor will you find consistency in vendors’ approaches or capabilities, but you still need to familiarize yourself with the following:
- Encryption (in transit and at rest)
- Internal Controls
- Backups / redundant data centers
- How quickly are your vendors patching critical vulnerabilities?
- How does the vendor QA its product?
- How do they test DR/Contingency?
- Do they have best practices with continuous delivery?
- What are their change management practices?
- How do they handle PII or sensitive data?
- Employee profiling/security training and programs/phishing programs
- What is their monitoring and notification process?
- Do they have data centers in countries that impose specific data residency requirements (if applicable)?
- SSO Support
- Dedicated CISO
- Automated testing
- Peer reviews on coding
These are all capabilities that any software provider should ideally have, so the more you investigate and push, the better you’ll be for it in the end.
There are also many new approaches coming out of startups, from leveraging microservices to machine learning, so you should also pay attention to emerging technologies. Keeping abreast of new and emerging companies should be a CIO core competency, but it’s even more important today with security and the cloud. Putting your applications and data in the cloud provides a great deal of business value, in what can be a more secure environment. You just need to understand the differences.