Moving your applications to the cloud is a great way to address cyber security threats faced today. Cloud vendors offer a wide range of security controls. It’s important to go into evaluating cloud vendors knowing your firm’s minimum-security requirements, and the universe of options available to you to better understand your risks specific to each application, service provided, and vendor.
There are essential capabilities and procedures your cloud provider should have to ensure your data is as secure as possible. There are also procedures your firm must establish to ensure that if technical malfunctions, cyber-attacks or human errors happen, your data is not exposed or if exposed, for the least amount of time possible. Using practice and matter management software as an example, here’s what should be considered when evaluating vendors.
Practice and matter management captures confidential client and matter details, including contact and financial information, proprietary data, processes and documents, and authentication credentials in cases where clients access a portal. From a data governance perspective, the cloud is absolutely the right place for this work, as it provides centralized storage and use of data, which limits the proliferation of confidential data outside the system and thus improves data control. Better control means financial reports, including compensation and profitability, no longer have to be emailed around. Wondering which executive assistants saw the details and who they will tell is a thing of the past; as is wondering who will mistakenly save reports with public viewing access in the document management system or shared drive.
Better control of your data also means more opportunities to utilize emerging artificial intelligent cloud services to improve upon your business practices and opportunities. Consistent contracts of the highest value to the client and improved customer engagement are two of the many benefits being realized by firms embracing data governance and AI. But with each of these opportunities brings additional risks to monitor.
Your cloud provider should be ISO27001, SOC1 and SOC2 certified, and be compliant with PCI-DSS, and HIPAA when applicable. Compliance with additional standards, including the Cloud Security Alliance (CSA) program, NIST, and FeDRAMP is preferred. For an idea of how far a cloud service provider can go to be secure and compliant, head on over to Amazon Compliance.
Managing risk cannot be left to your cloud vendors. The certifications and standards above are only relevant within each vendor’s parameters of securing your data within their environment. Once you inter-connect cloud services, for instance, to include multi-factor authentication, you must now ensure that the connectivity between the two services remains secure and understand the ramifications of an outage of any particular service on your cloud ecosystem. If your MFA provider has an outage, do you take the risk of allowing connections authenticated solely on username and password? What if the MFA vendor was targeted as part of a larger operation for the specific reason of forcing companies to let their guard down? Ask the question: What breaks and what risks do they present? Mapping out interdependencies and devising Plan B’s and C’s will uncover your risks so you can address them adequately and with clear intent.
Human Error and Malice
Ultimately, in the cloud or not, your data is in the control of your employees. Whether by error or intentionally, your employees are a conduit for data exfiltration. Your cloud vendor is not going to question your business practices related to sharing data with external parties. If an employee has the ability to setup an online folder to share content with a client incorrectly, resulting in general public access, you should have monitoring systems in place to track and correct access rights. If your email systems administrator can miss a step in her upgrade routine rendering MFA unnecessary to access email, you should have a system in place that will alert you to this anomaly.
Data Backup and Recoverability
Essential to data preservation is understanding the full extent of a cloud vendor’s data storage, backup, redundancy and business continuity plans. Insist on ongoing proof that data resides only where it should, is backed-up to disk, tape, and other media, and s successfully restored. They should also have proof that their Plan B’s and C’s are tested regularly. Questions to ask may include:
How long will it take to move people over to the DR system and is the account migration an automated or manual task?
Where does your data reside, including on backup media, and what are the retention schedules? (If a firm is required to delete all data for a client, they must ensure it is done and be able to prove it to the client.)
If you currently utilize a cloud service without multi-factor authentication, stop reading this and contact someone who can effect this change quickly. Relying on a username and password to protect data is no longer an acceptable business practice. Just ask Deloite.
Effective cyber security is not accomplished by simply moving your data to a vendor with mature security measures. It requires data governance, training, and on-going process review and improvement. New technologies change the way people work; understanding these changes over time keeps your firm on the right track. If people begin working in undocumented ways, your firm risks governing and securing data effectively. The consequences are two-fold: you lose the data integrity that makes your products, reporting and analysis reliable, and you increase the opportunities of data exfiltration. Diligent management and monitoring of your business activities across service providers is essential to staying secure and competitive.
Time has never been better to get in the cloud. Data centralization and governance is a cornerstone of good cyber-security, and productivity enhancements are being realized every day. Getting to the cloud, however, requires more than signing up online. It should start with a conversation about your business strategies and risk-tolerance and continue through ongoing process improvements that ensure you know what data is there, who uses it and for what purpose, and how to govern it effectively over time.