6 Ways to Evaluate Application Security Capabilities
To feel confident in your enterprise collaboration solution's infrastructure and architecture, evaluate infrastructure, process and application security.
9 May 2014
In a recent post, we shared a few questions you should ask providers when evaluating enterprise collaboration solutions. Now that you’ve got a handle on the basics and know what framework you’ll need in a solution, it’s time to take a closer look to assess the underlying platform.
The platform on which an enterprise collaboration solution is built is the foundation of secure content sharing. To feel confident in the stability of your vendor’s infrastructure and architecture, as well as in their expertise in regulatory compliance, you’ll want to evaluate application security, infrastructure security and process security. Always look for a provider with experience operating in regulated industries globally, and validate their claims through customer references.
In this post, I’ll help you better understand application security requirements. Here are a few capabilities you should consider carefully:
Strict ID and Password Protocol
When evaluating application security, the first step is to look for an enterprise collaboration solution with a strict ID and password protocol: one that discourages password sharing by detecting, and preventing, the same user ID being logged in from multiple locations simultaneously.
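The concurrent-login check described above, as an added example (not Intralinks code): it replays login events for each user ID, expires idle sessions, and flags any new login whose location differs from a session that is still active. The event fields, the 30-minute idle timeout and the sample events are all constructed for illustration; the location label is assumed to come from an upstream geo lookup of the source IP.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    user_id: str
    session_id: str
    location: str      # coarse location label; assumed resolved from the source IP upstream
    at: datetime


@dataclass
class SessionTracker:
    """Tracks active sessions per user ID and reports logins that overlap an
    active session from a different location (hypothetical helper)."""
    idle_timeout: timedelta = timedelta(minutes=30)
    # user_id -> {session_id: (location, last_seen)}
    active: dict = field(default_factory=dict)

    def _expire(self, sessions: dict, now: datetime) -> None:
        # Drop sessions idle longer than the timeout so a stale session from a
        # previous day does not produce a false alert on the next login.
        for sid in [s for s, (_, seen) in sessions.items() if now - seen > self.idle_timeout]:
            del sessions[sid]

    def record(self, ev: LoginEvent) -> list:
        """Register a login and return the session IDs it overlaps with
        (same user, still active, different location)."""
        sessions = self.active.setdefault(ev.user_id, {})
        self._expire(sessions, ev.at)
        conflicts = sorted(
            sid for sid, (loc, _) in sessions.items()
            if sid != ev.session_id and loc != ev.location
        )
        sessions[ev.session_id] = (ev.location, ev.at)
        return conflicts

    def logout(self, user_id: str, session_id: str) -> None:
        self.active.get(user_id, {}).pop(session_id, None)


def find_concurrent_logins(events):
    """Replay login events in time order and return
    (user_id, session_id, conflicting session ids) for each login
    that should be blocked or challenged."""
    tracker = SessionTracker()
    flagged = []
    for ev in sorted(events, key=lambda e: e.at):
        conflicts = tracker.record(ev)
        if conflicts:
            flagged.append((ev.user_id, ev.session_id, conflicts))
    return flagged


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    LoginEvent("alice", "s1", "London", datetime(2014, 5, 9, 9, 0)),
    LoginEvent("alice", "s2", "New York", datetime(2014, 5, 9, 9, 5)),  # overlaps s1 from elsewhere
    LoginEvent("bob", "s3", "Paris", datetime(2014, 5, 9, 9, 0)),
    LoginEvent("bob", "s4", "Paris", datetime(2014, 5, 9, 9, 10)),      # same location: not flagged
    LoginEvent("carol", "s5", "Tokyo", datetime(2014, 5, 9, 8, 0)),
    LoginEvent("carol", "s6", "Berlin", datetime(2014, 5, 9, 10, 0)),   # s5 idle > 30 min: not flagged
]

if __name__ == "__main__":
    for user, sid, others in find_concurrent_logins(SAMPLE_EVENTS):
        print(f"{user}: session {sid} overlaps active session(s) {others} from another location")
```

Only alice’s second login is reported; bob’s two sessions share a location and carol’s earlier session has expired. In a real deployment the flagged login would trigger a step-up challenge or a block plus an audit record, and the idle timeout should match the application’s session timeout.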
Secure Data Transmission and Storage
You’ll also want secure data transmission and storage that encrypts data by default, so that once you log in and start sharing information your data is protected both in transit and at rest. Make sure the data encryption supports strong, commercially available ciphers, e.g., standard algorithms with 256-bit keys.
Permissioning and Visibility
From there, look for role-based permissioning and visibility capabilities that support your existing business governance processes and workflows. Permissioning should give users specific access and control rights over information, and visibility capabilities such as real-time reporting should let you tell who is viewing what content and when.
Document Locking and Protection
Also consider document locking and protection capabilities that prevent users from saving and forwarding unencrypted sensitive files. This helps reduce access by unauthorized individuals while lowering the risk of accidental disclosure. Find a solution that lets you maintain control over your information even after it has been shared with external parties or downloaded. Dynamic watermarking is a plus.
Strong Authentication
To ensure a high level of security when sharing sensitive information, you want a solution with strong authentication, one that meets government and financial industry two-factor authentication requirements. Look for security options that allow information to be grouped by sensitivity, with appropriate protections for each group. You’ll also want a solution in which authentication strength can scale up and down, applying multi-factor challenges based on the sensitivity of the information and the user’s assessed risk (e.g., end-device parameters, geo-location, IP address, time of access, etc.).
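The adaptive, sensitivity-aware authentication described above, as an added example (not Intralinks code): an additive risk score is computed from the end-device, geo-location, IP and time-of-access signals, and the required authentication level is the baseline for the information’s sensitivity class raised according to that score. The signal names, weights and thresholds are constructed for illustration; the upstream device-fingerprint, geo-lookup and IP-reputation feeds that would populate the context are assumed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class AuthLevel(IntEnum):
    PASSWORD = 1                  # single factor
    PASSWORD_OTP = 2              # password plus one-time code
    PASSWORD_HARDWARE_TOKEN = 3   # password plus hardware token


@dataclass(frozen=True)
class AccessContext:
    """Signals available at access time (hypothetical; assumed collected upstream)."""
    user_id: str
    sensitivity: Sensitivity
    device_known: bool            # device fingerprint previously registered for this user
    country: str                  # resolved from the source IP by a geo lookup
    usual_countries: frozenset    # countries this user normally works from
    ip_anonymized: bool           # source IP flagged as an anonymizing proxy by a reputation feed
    hour_utc: int                 # hour of access, 0-23


def risk_score(ctx: AccessContext) -> int:
    """Additive risk score; weights are illustrative, not a standard."""
    score = 0
    if not ctx.device_known:
        score += 2
    if ctx.country not in ctx.usual_countries:
        score += 2
    if ctx.ip_anonymized:
        score += 3
    if ctx.hour_utc < 6 or ctx.hour_utc >= 22:
        score += 1
    return score


def required_auth_level(ctx: AccessContext) -> AuthLevel:
    """Scale the challenge with information sensitivity and assessed risk."""
    if ctx.sensitivity == Sensitivity.PUBLIC:
        return AuthLevel.PASSWORD
    baseline = {
        Sensitivity.INTERNAL: AuthLevel.PASSWORD,
        Sensitivity.CONFIDENTIAL: AuthLevel.PASSWORD_OTP,
        Sensitivity.RESTRICTED: AuthLevel.PASSWORD_HARDWARE_TOKEN,
    }[ctx.sensitivity]
    score = risk_score(ctx)
    level = baseline
    if score >= 2:                                   # any notable anomaly: at least a second factor
        level = max(level, AuthLevel.PASSWORD_OTP)
    if score >= 4 and ctx.sensitivity >= Sensitivity.CONFIDENTIAL:
        level = AuthLevel.PASSWORD_HARDWARE_TOKEN    # high risk on sensitive data: strongest factor
    return level


def decide(ctx: AccessContext, presented: AuthLevel) -> str:
    """'allow' if the factors already presented meet the requirement, else the step-up to demand."""
    need = required_auth_level(ctx)
    return "allow" if presented >= need else f"step-up:{need.name}"


# Constructed sample contexts (not real users or traffic).
CTX_LOW = AccessContext("alice", Sensitivity.INTERNAL, True, "GB", frozenset({"GB"}), False, 10)
CTX_HIGH = AccessContext("alice", Sensitivity.CONFIDENTIAL, False, "AU", frozenset({"GB"}), False, 3)
CTX_PUBLIC = AccessContext("bob", Sensitivity.PUBLIC, False, "AU", frozenset({"GB"}), True, 3)
CTX_PROXY = AccessContext("carol", Sensitivity.INTERNAL, True, "GB", frozenset({"GB"}), True, 12)

if __name__ == "__main__":
    for ctx in (CTX_LOW, CTX_HIGH, CTX_PUBLIC, CTX_PROXY):
        print(ctx.user_id, ctx.sensitivity.name, risk_score(ctx), required_auth_level(ctx).name)
```

Note that the policy is monotone in both sensitivity and risk: public material never triggers a challenge, while a confidential document opened from an unregistered device, an unusual country and at an odd hour demands the strongest factor even though an OTP would be enough under normal conditions.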
Private SaaS Hosting
Private SaaS hosting ensures that you know where your data is at rest. This is particularly important in countries whose legislation protects personal data residing within their borders. Ask providers where the data is housed (i.e., public cloud or private cloud), whether data is confined to specific servers or publicly hosted, and how multi-tenant environments are secured. Additionally, your IT team may want to know whether they can encrypt the data and, if so, who controls or has access to the keys. Customer managed encryption keys (CMKs) allow organizations to maintain control of their hosted content without disrupting information sharing; CMKs are paramount for strengthening information security and data privacy. With CMKs, customers hold their own encryption keys and so keep total control of their information, while avoiding difficult on-premises application deployments that create IT complexity and operational expense.
How are you evaluating solutions? Tell us what challenges you face, and stay tuned for future posts, which will be all about infrastructure security and process security capabilities.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.