Cloud-based software and applications have opened the door to flexible working lifestyles like never before. ‘Got internet and a laptop, can work’ has become the new mantra for employees across industries globally.
In response, organisations are protecting increasingly digitalised workforces with a cloud-first security strategy. Whether your organisation has just embarked on a cloud journey, or you’re looking to update your cloud vendor onboarding process, here are some considerations for building a cloud-first security strategy.
Involve teams company-wide to mitigate security risks
Unlike siloed business systems of the past, cloud security is everyone’s responsibility. Make sure that leaders understand the risks and cascade expectations across teams accordingly.
At an executive level, sensitive company and customer data and its governance are paramount. Breaches or leaks of sensitive data can destroy trust (and your brand) with millions of existing or potential consumers, and cost millions, if not billions, of dollars in damages to the company.
Technology infrastructure, architecture and operational data, together with their maintenance, availability and security, are a critical responsibility for the chief information, digital or technology officer. As cloud technology develops and grows, so do increasingly sophisticated threats, requiring more advanced protection measures. Dedicated internal IT security resources may not be a feasible, scalable or cost-effective option for protecting critical cloud systems.
Cloud security also extends to any business unit reliant on cloud software up-time for business-critical applications that serve existing and potential customers, while protecting the company brand and reputation. The financial and legal implications resulting from a lack of data privacy and security can be substantial.
Holistic cloud security and compliance considerations
When considering new cloud vendors, be prepared to sign a non-disclosure agreement before a potential cloud vendor will hand over their sensitive security and technical reports, certifications, and associated documentation. Cloud software and service providers storing and processing sensitive company or customer data should undergo multiple, regular, and globally recognised audits.
Compliance requirements may vary depending on the business functions, data, industry and/or geography. Common global standards for cloud security and service management include BS10012:2017 certification, covering data privacy standards, and ISO 9001 certification, covering quality standards. In addition, ISO 27001 provides a global standard for IT security management practices, and ISO 22301 focuses on the security and resilience of the cloud provider’s business continuity management processes.
For example, SAP Concur was one of the first cloud service providers, serving customers such as a national defence agency and financial institutions, and the 18th U.S. company to become ISO 27001 certified (formerly BS7799) in 2004. SAP continues to undergo this and several other external and internal security audits to maintain a high level of certification.
Additional standards to consider include payment card industry (PCI) compliance related to payment data security, and SOC1 and SOC2 Type II reports, which cover compliance of internal controls and security audit reporting, respectively.
Data privacy is a growing area of scrutiny. Depending on the country and jurisdictions you are operating in, there will be local privacy laws with which the vendor should comply. For example, in Australia organisations must comply with the Australian Information Privacy Principles. Common privacy requirements include data retention (and deletion) procedures, and the General Data Protection Regulation (GDPR), which applies to EU citizens’ data regardless of where an organisation is located.
Data should be encrypted using industry standard methods both in transit over a public network and at rest when stored in databases. Cloud provider access to data should be available only to a limited number of appropriately vetted, authorised personnel. It is common to request that staff with access to data and data centres undergo appropriate background checks before being given access to customer data.
If data sovereignty is important to your business, be aware of the location and ownership of your cloud provider’s data centres. Make sure that data centres are Tier 3+ or Level 4 facilities and confirm appropriate disaster recovery and archival/backup practices. Primary production sites should be separate from secondary backup and disaster recovery sites.
Cloud providers often outsource services such as infrastructure to third parties. Ask your cloud vendor about their practices, and how those third parties will treat your data with respect to privacy and security.
Mobile security is another consideration. Treat security capabilities of mobile applications with the same level of scrutiny as the vendor’s web applications, over and above the mobile device’s local security features such as biometrics.
Cloud security is constantly evolving. Perform continuous security and technical due diligence, as requirements, legislation and expectations can vary between functionality, industries and geographies. Above all, manage the integrity, security and availability of your company and customer data with the same level of rigour as your entire cloud-based business. It’s the only way to keep pace with your digitalised workforce.
This article also appeared on SAP BrandVoice on Forbes.