A recent blog post by Softchoice security expert Stephen Perciballi outlines the challenges faced by organizations that use third-party services to store their data. He points out that while it’s not unusual for companies to spend thousands, or even millions, of dollars securing their corporate data center, a single critical file saved by an employee to a less-than-secure consumer Cloud solution circumvents it all.
IT managers are well aware of this risk and worry about hackers getting hold of user login credentials, and about the potential for viruses, Trojans and malware to infiltrate sensitive corporate information. In the worst-case scenario, these propagate right up to the server level in a DDoS attack that brings it all down.
The fact is, users enjoy the collaboration and productivity that third-party Cloud SaaS apps provide. And all they need is a credit card to access an app like Yammer from the office, cottage, or coffee shop. This puts IT managers in a bit of a quandary. Do they take the unpopular but safe approach and block Cloud SaaS apps altogether? And is that even possible? Or do they accept these changing times, and a changing workforce, and work with users to make access to third-party Cloud SaaS apps secure?
There are several basic questions you must ask of any third party that has access to your corporate data in this way, including:
- Who has access to their environment?
- Where is the environment being stored?
- What is the change control around it?
- Are SSL and HTTPS protocols (data encryption) going to be satisfactory for data security requirements/regulations?
- What level of ISO certification does the provider have?
For example, ISO 27001 certification demonstrates and ensures security best practices and a managed approach to business information protection, including risk, governance and compliance. We strongly recommend that the third-party cloud providers you deal with be ISO certified — you can validate their certification with ISO.
Once you understand the security measures each SaaS provider has put in place, you can decide whether you need to implement additional measures of your own. For example, perhaps you’re satisfied with the SaaS provider’s security protocols, but their data encryption practices aren’t secure enough for your needs. If so, there are technologies that protect users and data flowing through third-party SaaS applications and align data encryption to your standards.
Symantec O3, for example, supports most public cloud applications, giving you complete visibility and control over the what, who and how of information movement. It is particularly well suited to situations where data is highly sensitive, such as financial or healthcare information, and security is a top priority.
Key Benefits of Symantec O3
- Helps organizations manage risk while taking advantage of business agility and cost advantages of the cloud
- Improves security while preserving simple and convenient SSO access for all users
- Mobile-aware architecture eliminates “side-door” access and protects data downloaded on mobile devices
- Provides out-of-box support for existing identity infrastructure and applications
- Simplifies and lowers the cost for cloud compliance audits and forensics
The bottom line
In today’s workplaces, users want access to apps. And third-party cloud apps are attractive to employees. So rather than fight what is arguably a losing battle, it’s far better to get ahead of the trend. Familiarize yourself with the apps at play, assess the risks and challenges each presents, and then take the necessary action to make them safe.
Do you think the days of IT being a department that implements controls are gone? Let us know in the comments and one of our security experts will get back to you.