4 Requirements for Effective Infrastructure Security
Understand what infrastructure security requirements to look in an enterprise collaboration solution so you can feel confident in your selected platform.
16 May 2014
When evaluating enterprise collaboration solutions, there are many factors to consider. To ensure you can trust your solution’s underlying platform, you’ll need to assess its application security, infrastructure security and process security.
Last week, we shared six ways to evaluate application security, in which you learned what capabilities to consider to feel confident about your platform – capabilities like strict ID and password protocol, secure data transmission and storage, role-based permissioning, near real-time visibility, document locking and protection, strong authentication and most importantly, Digital Rights Management (DRM).
In today’s post, I’ll help you better understand what infrastructure security requirements to look for so you can feel even more confident in your selected platform. Here are just a few capabilities your underlying platform should include:
256-bit AES (Rijndael algorithm) Encryption
When evaluating infrastructure security, you’ll want to have a multi-layer key management system in place. You should identify where the data is housed (e.g. private, public) to address geographic regulatory concerns early on. In addition, look for an enterprise collaboration solution that can support the strong commercially-available ciphers, 256-bit AES (rijndael algorithm) encryption, a robust encryption process which is able to protect against brute force attacks by high capability adversaries, such as security agencies. From a data privacy perspective, you may want to consider asking if your team can encrypt the data and if so, who has access/control to the encryption keys. To avoid IT intricacies, consider customer managed encryption keys (CMKs) which allow companies to keep control of their information by avoiding difficult on-premise application deployments.
You’ll also want to ask what party validations, certifications and audits your solution provides to ensure the data governing processes around the creation and management of information are of the highest industry standards. Your solution should perform annual SOC 2 Type 2 audits and be able to comply with FDA 21 CFR Part 11 (electronic records and electronic signatures used in FDA regulated environments). Check that your provider undergoes (and passes) regular, independent 3rd party penetration tests and application vulnerability assessments, and can prove it – your provider should be able to share historical audit and penetration test reports going back up to ten years.
Business Continuity / Disaster Recovery
To ensure reliability and uptime, consider a solution with business continuity or disaster recovery capabilities - your provider should be able to produce daily backups, test failover capability and have redundant data centers in separate geographic locations.
Consider a provider with personnel security capabilities which could offer assurance of the integrity of the people supporting your information exchange. This would require personnel to undergo background checks and bind them by confidentiality requirements. Also ask if recertification is part of that process and what training, examinations and certifications support personnel are required to undertake.
Now that you have a better understanding of infrastructure security, next week we’ll cover requirements for process security capabilities. Stay tuned…