It’s true that some people still hesitate to use cloud-based software, and one of their primary concerns is data security. In a recent survey of 4,500 high-level IT professionals in 83 countries, the Information Systems Audit and Control Association (ISACA) found that security risk is the most widely cited inhibitor to Software-as-a-Service (SaaS) adoption. Yet cloud computing is as important to the 21st century as the telephone was to the 20th: it is changing the way we do business in an era when practically everyone is exposed to data security risk at some point in their lives.
Though it was just a buzzword a few years ago, cloud computing has definitely gone mainstream. Driven largely by small to medium-sized businesses (SMBs), startups, and tech companies that raced to embrace the future, the cloud has grown, matured, and become quite easy to use. It comes with numerous advantages, such as cost savings, increased efficiency and low maintenance. This game-changing technology further allows smaller companies to compete with enterprises on an equal footing.
In fact, it’s likely that we all have indulged in cloud computing in one form or another, without even realizing it. From our Gmail and Facebook accounts, to our online tax prep software—which can be used via a tablet, smartphone, laptop, etc.—this tech revolution has made “mobility” synonymous with the “cloud,” and for good reason. Today, people want to access their business software in the same way they access their personal software and social accounts—anytime, anywhere and from any internet-enabled device.
Although cloud-based and mobile technologies have become commonplace, it is still important for the broader public to understand the consequences of data security breaches and how to reduce their exposure to them. So how can cloud naysayers overcome their data security concerns, and which cloud computing risks do they need to address?
Applications in public clouds are not automatically as secure as those run inside an enterprise, even though app providers’ security practices have improved greatly over the last few years. Businesses should therefore complete an in-depth evaluation of an app provider’s security systems and practices before entrusting it with their data, rather than assuming the provider’s controls match their own.
If data were stored on a local corporate network, management would want to know what security controls are in place, to what extent those controls are implemented, and what plans exist to deal with a breach. The same questions should be answerable when the data sits with a cloud app provider instead. Users of SaaS apps should also always know who has their data, where it is held, what is being done with it, and how it is protected.
A key takeaway for data security planning is that the lower down the stack the app provider stops, the more of the security work falls to the app users (or company managers) themselves: an infrastructure provider secures the physical hosts and hypervisors but leaves operating systems, application code and data handling to the customer, whereas a SaaS provider covers all of that and leaves the customer responsible for identity, access policy and the sensitivity of the data it uploads. Sound planning, and knowing in advance which party owns each security element, prevents unnecessary finger pointing in the event of a data security breach.
Since the data businesses store in the cloud can be sensitive, companies should take proper precautions to protect it against compromise. Although app providers have put some cloud security measures in place, attackers are becoming increasingly sophisticated.
Here are SaaS Markets’ 10 tips for businesses looking to bolster their data security in the cloud:
1. Determine what level of security you require for the data that you plan on sharing with an application.
Companies should know their needs, and be informed about how public clouds handle security. Proactively educating the appropriate employees about security protocols is a great starting point. They should determine the exact level of security needed for the application(s) and data that they will share in the cloud. For example, the security protocols for uploading healthcare records will likely be different than those for financial records or credit card transactions. Companies should make sure that the app provider has the right features in place to meet their security needs, and such needs should be stipulated in service level agreements (SLAs) and continually enforced.
2. Investigate what additional work you may have to perform to raise data security to an appropriate level.
Most often, responsibility for software application security is shared between the cloud customer and the app provider. First, the business consumer must develop security policies for how cloud services can and cannot be used. Different skills and mindsets are needed to move from internal, behind-the-firewall security policies to network-centric ones. More granular internal decision points include evaluating an app provider’s encryption capabilities. Smart SaaS app users will encrypt highly sensitive data before uploading it to the cloud, so the provider only ever holds ciphertext and the keys stay under the customer’s control.
When you transfer data to or from your application, anyone on the network path can read it if the connection is not encrypted. If TLS (SSL) is not properly configured, for example if the client accepts an untrusted or expired certificate or negotiates an obsolete protocol version, a third party can eavesdrop on, or insert themselves into, what should be a two-party exchange and pick up everything that is sent. This risk can be managed, but the more important risk lies in authentication, and discovering which measures work best with the app provider’s offering can be challenging. The most security-conscious users will require two-factor authentication to counter stolen or guessed passwords.
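As an added example, not code from the original article or from any provider it mentions, the following Go program shows what “encrypt highly sensitive data before uploading it” looks like in practice: AES-256-GCM under a key the customer keeps, with the object name bound in as additional authenticated data so that a tampered or swapped blob fails to decrypt instead of yielding garbage. The object name, the sample record and the in-memory key are constructed for the example; in production the key would live in a KMS or HSM the customer controls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the only thing that leaves the company: nonce and ciphertext,
// both safe to hand to the app provider. The key never does.
type Record struct {
	Name       string // object name; bound to the ciphertext as AAD
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key (assumption: a KMS/HSM in production).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The object name is supplied as
// additional authenticated data, so a blob swapped in under another name fails.
func Seal(key []byte, name string, plaintext []byte) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, unique per message
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return Record{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. GCM checks the authentication tag before releasing any
// plaintext, so any change to ciphertext, nonce or name yields an error.
func Open(key []byte, r Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Name))
}

// Demo seals a constructed sample record, opens it again, then checks that a
// flipped ciphertext bit and a renamed object are both rejected. It returns
// the round-tripped plaintext and whether both tamper attempts were detected.
func Demo() (string, bool, error) {
	key, err := NewKey()
	if err != nil {
		return "", false, err
	}
	const name = "patients/record-0001.json"                   // hypothetical object name
	plaintext := []byte(`{"patient":"Jane Doe","dx":"E11.9"}`) // constructed sample
	rec, err := Seal(key, name, plaintext)
	if err != nil {
		return "", false, err
	}
	got, err := Open(key, rec)
	if err != nil {
		return "", false, err
	}
	// Tamper 1: flip one bit of the stored ciphertext (on a copy).
	flipped := rec
	flipped.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	flipped.Ciphertext[0] ^= 0x01
	_, errFlip := Open(key, flipped)
	// Tamper 2: present the untouched blob under another object name.
	renamed := rec
	renamed.Name = "patients/record-0002.json"
	_, errRename := Open(key, renamed)
	return string(got), errFlip != nil && errRename != nil, nil
}

func main() {
	pt, detected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip: %s\ntampering detected: %v\n", pt, detected)
}
```

The point a practitioner should take from this is the fail-closed behaviour: an authenticated mode such as GCM never hands back modified plaintext, whereas unauthenticated modes would silently decrypt a corrupted or substituted blob.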
3. Find out if an app provider can conform to your identity and access management standards.
You’ll want your cloud-based app to conform to your identity and access management standards so the software can integrate into your access management and single sign-on (SSO) architecture, for example through SAML or a similar federation standard. If the app provider’s software cannot do this, your company may be forced to manage user accounts, passwords and deprovisioning for that app separately.
4. Determine whether the app provider’s data protection practices inside their infrastructure are adequate.
For example, you should ask whether your data is transferred to the cloud over an encrypted channel, and whether it is encrypted once it is stored on the provider’s systems. Companies should further examine the provider’s data classification and protection policies.
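“Transferred via a secure channel” is only true if the client actually verifies the other end. As an added example, not code from the original article or from any provider it mentions, the Go program below stands up a loopback HTTPS server with a self-signed certificate (standing in for an endpoint no trusted authority has vouched for) and compares three clients: the default client, which correctly refuses it; a client with `InsecureSkipVerify: true`, the classic misconfiguration that accepts any certificate and so lets an eavesdropper terminate the session; and a strict client that trusts exactly the expected root and refuses anything below TLS 1.2. The server and its certificate are test fixtures constructed in the program.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newTLSUpstream starts a loopback HTTPS server standing in for a SaaS
// endpoint. httptest gives it a self-signed certificate that no system root
// trusts, which is what a hostile or misconfigured endpoint looks like.
func newTLSUpstream() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	}))
}

// insecureClient is the weak configuration: InsecureSkipVerify accepts any
// certificate, so whoever holds any key at all can read the traffic.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// strictClient pins trust to an explicit root pool and refuses anything older
// than TLS 1.2.
func strictClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    roots,
			MinVersion: tls.VersionTLS12,
		},
	}}
}

// fetch returns the response body, or the transport/TLS error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Probe runs the three checks against the fixture server and reports whether
// each client completed the request. The expected pattern is
// defaultOK=false, insecureOK=true, strictOK=true.
func Probe() (defaultOK, insecureOK, strictOK bool) {
	srv := newTLSUpstream()
	defer srv.Close()

	// 1. Default client: unknown authority, so verification must fail.
	_, err := fetch(http.DefaultClient, srv.URL)
	defaultOK = err == nil

	// 2. InsecureSkipVerify: "works", which is exactly the problem.
	_, err = fetch(insecureClient(), srv.URL)
	insecureOK = err == nil

	// 3. Strict client that trusts only this server's certificate.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	body, err := fetch(strictClient(roots), srv.URL)
	strictOK = err == nil && body == "ok"
	return
}

func main() {
	d, i, s := Probe()
	fmt.Printf("default client accepted untrusted cert: %v\n", d)
	fmt.Printf("InsecureSkipVerify client accepted it:  %v\n", i)
	fmt.Printf("strict client with pinned root:         %v\n", s)
}
```

The check to run against a real provider is the first one: a client with default verification must fail against an endpoint whose certificate does not chain to a trusted root, and any integration code that “fixes” that failure by disabling verification has replaced a secure channel with an unauthenticated one.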
5. Look into the physical security and personnel of the app provider’s business.
Not all apps and providers are created equal. Physical security measures should include protection against natural disasters, as well as co-location and disaster recovery planning. You should also inquire about your app provider’s internal security policies: ask what personnel management practices they have (background checks, access reviews, offboarding), and find out who at the app provider’s company will have access to your data.
6. Evaluate the app provider’s incident response and restitution policies in the event of a data security breach.
You should find out what the app provider guarantees in the event of a data security breach. What if the app provider’s infrastructure is compromised? The media has recently documented the consequences of such attacks in detail. Before adopting an app, companies should find out what recourse they will have if their data is stolen, and how quickly the provider commits to notifying them.
7. Determine the legal implications of a data security breach.
If your data is lost or compromised, whether because it is stolen or because an application fails, you should know who carries the liability. Often, app providers want to absolve themselves of any liability. To the extent it can, your contract should stipulate the conditions under which the app provider will be held liable, particularly if you are dealing with credit/debit card transactions or sensitive medical records.
8. Figure out what happens to your data at the end of your contract with an app provider.
You should make sure that your SLA describes in detail how data will be delivered when your relationship with an app provider ends. Ask whether your data will be returned to you in a usable format, securely deleted from the provider’s systems (including backups), or both, and on what timeline. If an accurate copy of your data cannot be promptly delivered, this may prove dangerous for your business down the line.
9. Are the mobile versions of the app provider’s software secure?
Businesses should carefully review an app provider’s mobile security and support services, and review their plan for mobile support. Most app providers are increasing mobile support and have extended their security controls from the cloud to mobile offerings.
10. Ask if the app provider adheres to any security standards and certification initiatives.
Active participation in security certification initiatives and standards is a sign that the app provider takes data security seriously. Cloud-based data security standards are still evolving, driven by government and private organizations alike. In the absence of globally accepted cloud security standards, no single certification is all-encompassing, so read what a given certification actually attests to rather than treating it as a blanket assurance.
The bottom line is that cloud computing is growing rapidly, it’s here to stay, and data security in the cloud is continuously improving. In case you have any lingering doubts about the increasing role and presence of cloud computing, here are some figures worth considering:
- According to IDC, by 2015, one of every seven dollars spent on packaged software, server, and storage offerings will be through the public cloud model, growing five times faster than the total IT industry.
- According to Gartner’s recent survey, cloud computing is among CIOs’ top technology priorities for 2013, third only behind analytics and mobile.
- 90% of Microsoft’s 2011 R&D budget of $9.6 billion was spent on cloud computing strategy and products, implying a huge transition in how their customers will deploy and consume IT.
- 48% of U.S. federal agencies moved at least one workflow to the cloud, following a new requirement that agencies adopt a “cloud-first” policy.
These impressive facts confirm the shift in momentum towards the cloud. They should also serve as a wakeup call to IT practitioners, emerging businesses, and enterprises alike.
To be candid, several years ago, when I first started exploring cloud-based apps, even I was skeptical about their security. Of course, there was a much more limited span of SaaS apps to choose from at that time, and data security has evolved tremendously since then.
Today, there appears to be a struggle to define both technologies and legal obligations between the cloud-based app providers and their customers. It is a topic that has been taken up by both the federal government in its FedRAMP program that seeks to certify cloud-service providers for government use, and the Cloud Security Alliance (CSA), which has several working groups pouring significant effort into defining industry standards. While all of these endeavors are promising for data security in the cloud, they will undoubtedly take several years to mature. In the meantime, businesses should take heed of the above recommendations, lock down their data security requirements and evaluate potential security options as best as they can. The starting point should always be looking at the sensitivity of the data going into the (software) service.
Businesses should further educate themselves and realize that technologies have evolved to address their data security concerns. Cloud-based applications should be embraced, rather than viewed as an omnipresent threat to companies—large or small. When the right approach is taken, SaaS apps are an opportunity to embed security technologies, such as data loss prevention, into the very core systems that will run the cloud, which is one of the most exciting IT developments of the decade.
In fact, when done right, cloud computing could provide more granular security control than previously possible and data security controls that are invisible to the end user. Ultimately, cloud computing has the potential to achieve a higher level of security by simplifying everything. While the benefits of cloud computing are numerous and undisputed, data security is a concern that should (and will) be overcome.
About the Author
Jay Manciocchi, JD is a proven digital marketing executive and client-facing sales officer that loves creating engaging content optimized for search and social. He previously worked in a leadership role at the nation’s largest content marketing agency. Jay has also worked at a global consulting company, large and boutique marketing agencies, and at law firms (as a former legal professional). He received his Juris Doctor degree from New England Law and his B.S. degree from Northeastern University. Jay also has his Series 7 & 66 certifications, and is conversant in Spanish, Italian and Arabic. Follow him @JayManSanFran.