5 Ways to Sleep Easy Knowing You Can Trust Your Company Data in the Cloud
Here are five data security tips to consider to help your information security and IT teams count sheep and sleep easy with your company data in the cloud.
4 August 2015
We’ve seen some pretty alarming data leaks grab headlines recently.
Remember the federal Office of Personnel Management (OPM) hack just a few weeks ago compromising the information of around 21.5 million people? No? What about when that third party gained complete access to Pacnet’s corporate IT network? And let’s not forget Woolworth’s misadventure in which the personal information of customers and nearly 8,000 redeemable gift card codes were leaked.
Information security and IT departments across the globe are losing sleep trying to revamp security.
We all know that the cloud offers many benefits — such as helping organizations become more efficient, agile, cost-effective, and mobile — but still, some organizations have concerns about deployment, namely around security.
In a recent survey of 100 CTOs, CSOs, and other IT professionals, SC Magazine reported that 66 percent of respondents cited security uncertainty as the top reason for delaying cloud infrastructure deployment, with half of respondents sharing concerns about the security of customer information in the public cloud. The factors driving these data security fears centered on data ownership, location of data, shared technology/multi-tenancy, and virtual exploits.
No company wants to be the next headline in the news. More than that, no company wants to fall behind its competitors for lack of efficient processes. You’re in luck: the cloud can be a secure and compliant environment, but only if you are working with a provider that has the right security controls and processes in place.
Here are five data security tips to consider to help your information security and IT teams count sheep and sleep easy:
- Keep Intellectual Property Secure: Keeping security tightly managed in your organization is important, but your company’s data security practices should not lock out employees who need file sharing capabilities to get work done. Information security and IT departments need to provide a secure file sharing and collaboration solution that lets teams access and share information freely (as long as they have permission to do so!) while still maintaining control over sensitive corporate information. This solution should have strong access controls, multifactor authentication, information rights management at the document level, and 256-bit encryption, both at rest and in transit.
- One Size May Not Fit All: With the proliferation of consumer-grade collaboration products, it is becoming almost impossible to prevent data leakage from an organization. For non-critical, low-value data, it may be acceptable to use enterprise file sync and share products. However, for high-value IP, a more secure solution is recommended. The approach can be either a highly secure product working in conjunction with other technologies such as SharePoint, or a true security-based collaboration product that allows for easy adoption by end users.
- Understand Regulatory Responsibility: Companies that have sensitive customer data must work to keep that information secure. In many countries, it’s the law. For instance, to make security and compliance a top priority for organizations, Congress has been considering regulations which would force companies to disclose when they’ve been hacked. On the other side of the world, regulatory responsibility is most recently evidenced by the Bank of Queensland in Australia rolling back Salesforce.com in response to increased focus from the Australian Prudential Regulatory Authority (APRA) on the nature of cloud service provision, with Bank of Queensland citing “operational and regulatory requirements” as justification for the rollback. Organizations that are responsible for customer data must understand and meet all security obligations and regulatory requirements for the jurisdictions they operate in. To control access to information and alleviate concerns around meeting audit and compliance requirements, organizations can consider a solution like customer-managed encryption keys (CMK).
- Trust or Verify: Your cloud vendors should be adopting a security posture that is equal to or more secure than your own. Too often, companies rely on a vendor’s assurances or industry name as evidence that its security posture is adequate. If the vendor you are working with is unwilling to allow you to perform audits or penetration tests against their products or platform, this should be a red flag. As representatives of your company, you own the responsibility to either trust (at your own peril) or verify your vendor’s security practices.
- Make Sure Staff Follows Security Protocols: If your staff aren’t following the right policies, any security solution may be set up for failure. Not every employee should get access to every document. Only employees relevant to a project should have access to the documents it contains. Too often, management undertrains staff in security best practices. Employees should be aware of all security processes and have regular security training. Organizations should ensure that security policies are enforced, period. Look for a vendor that has security and process protocols similar to your own company’s (for example: are they ISO 27001 certified, do they perform regular penetration tests against their own systems, and do they have external auditors review their controls?) so you can be confident that the right security processes are in place to keep your information protected.
The end goal: Organizations must keep data secure, while allowing employees to access pertinent information wherever and whenever they need it.
Doing so requires a finely tuned balance between freedom and control. If you’d like to learn more about how your organization can protect its information, check out our buyer’s guide, which goes into detail about the capabilities solutions should have in order to satisfy rigorous privacy and security demands while also allowing for flexible collaboration between teams.
Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many of the Fortune 1000 companies, helping to turn business challenges into real-world solutions.