How to know your software vendor is serious about security
by Sue Poremba, Central Desktop, June 2014
According to a recent survey by Bitglass, more than half of large companies and a third of SMBs are avoiding cloud adoption. The reason is simple: companies of all sizes are not convinced the cloud is secure.
“Concerns about security are not only not decreasing; they’re increasing. A previous report from October 2011 indicated 25 percent of businesses expressed some concern over cloud security, but that figure increased to 42 percent in July 2013,” Chris Talbot wrote in a Talkin’ Cloud article.
Searching for cloud security
No matter how users feel about security, cloud computing is only going to grow. Gartner predicts that cloud computing will be the bulk of new IT-related spending by 2016, which follows the growth of mobile technologies and the rise of the global workforce. Cloud adoption will be inevitable for most companies, so the time has come to face the security questions head on.
Nothing connected to the Internet will ever be 100 percent secure. However, when IT departments and management work closely with software vendors, they can develop solutions that add layers of protection for data stored in the cloud. That starts with knowing whether or not your software vendor is on the same page as you when it comes to cloud security.
Establishing an evaluation process
Businesses should have an established process for evaluating risk, evaluating vendors, and performing due diligence before signing a contract with a cloud vendor, says Paul Hill, senior consultant with SystemExperts, a network security consulting firm specializing in IT security and compliance. “If the business does not have experience doing this, it should consider engaging an experienced third party to assist in the process.”
There needs to be transparency in the process, Hill adds. The vendor needs to be forthcoming when it comes to its security practices and procedures. That includes how often it conducts security audits.
“Some vendors will only provide a copy of an annual certification or compliance letter, while other vendors are willing to share detailed reports performed by a third party assessor,” Hill says. “Unfortunately, a willingness to share details is not always an indicator of how secure the vendor actually is. It can also reveal overconfidence, or a lack of understanding how sensitive the information contained in an assessment may actually be.”
Questions to ask
Software vendors who take security seriously want clients to ask questions about security practices. But not everyone is familiar enough with security basics to know what those questions should be. According to Peter Lipa, regional director for Sticky Password, an encrypted password management company, here are some concerns that should be addressed:
- Encryption: What algorithms are used for backend data storage?
- Does the vendor have access to my data? If so, which vendor employees have access? What is the vendor’s screening policy for those employees?
- How will my data be stored and protected?
- Authentication: What type of authentication is required (e.g., single-factor or two-factor)? If the authentication system involves passwords, how does the vendor handle them (are passwords sent to users in plain text, etc.)?
- Access control: How are the various levels of access granted and controlled?
- Basic vendor network security, such as firewalls and antivirus software
- Data center physical security
- Compliance with various regulations if needed – Sarbanes-Oxley Act (SOX), Health Insurance Portability. If your company uses credit cards, is the vendor PCI compliant?
Multiple vendors may give similar answers. If that’s the case, Lipa suggests asking a few more questions:
- Do the vendors have experience in providing the specific solution they are proposing? Can the SMB afford to be the test case?
- Is the vendor able to provide the support plan that you need? Even an SMB can have requirements for 24/7 support and five-nines reliability. For others, a next-business-day response is more than enough.
- Does the vendor meet any/all necessary regulations, compliance or certifications the customer needs?
- Is the vendor able to provide multiple services, thereby saving the SMB from the trouble of having to contract with various providers?
Finally, don’t be afraid to ask for recommendations from other business owners and IT professionals. In the end, you have to be able to trust the vendor to provide a level of cloud security your company needs.
Founded in 1994, SystemExperts is a premier boutique provider of IT compliance and cyber security consulting services. We help clients see the big picture and design solutions to meet their comprehensive security needs. We are dedicated to providing unmatched personal attention, distilling problems to their root causes and recommending what’s appropriate for our clients. We have built our reputation on providing practical, effective IT security solutions for securing enterprise computing infrastructures.