Cloud security is a big concern, right? Especially if you’re in a highly regulated industry with compliance requirements. Yet more than half of adults bank online, according to a survey by Pew Internet Research, which means that banks (which are heavily regulated) rely on cloud technologies for both customer-facing and back-office processes.
While banks and other organizations manage private data in the cloud, hosted applications have become commonplace in the office as well. Cloud-based CRM vendor SalesForce.com, for instance, boasts more than 100,000 customers, and one analyst firm estimates that 41 percent of all CRM purchases in 2013 were SaaS (software as a service) based. In fact, analyst firm IDC states that 85 percent of all software being built today is in the cloud.
With so much of our critical content in the cloud, and the inevitable rise in cloud computing overall, why do so many business leaders still balk at the idea of using the cloud for other critical processes, including transactional workflow? Giving in to fears about cloud security holds many companies back from the benefits of cloud workflow solutions, such as accessibility, scalability and agility.
Much of the fear about cloud security stems from the fear of the unknown, so knowledge is the best way to overcome fear about the cloud. Focusing on the reputability of a potential cloud solution provider can give you the confidence to move forward with a solution that fits your needs.
Needs analysis is an important first step. When most people are asked which of their documents and processes are business-critical, they immediately say all of them. However, when they look at the cost and complexity of the infrastructure and resources, most realize their content and processes fall into three main categories:
1) No risk — While you wouldn’t willingly share a document like an invoice, someone accidentally viewing it probably does little harm to the business.
2) Minimal risk — Unauthorized viewing of a contract or legal document is definitely undesirable, but probably not catastrophic.
3) Critical — Compromised trade secrets, intellectual property and protected health information or other data protected under HIPAA, PCI or other compliance laws can seriously impact, even bankrupt, the business.
Choosing a reputable cloud partner
It goes without saying that you want to partner with the most secure cloud solution. But understanding the relative value of different kinds of documents and processes can help you decide when it’s worth paying a premium for security that goes above and beyond the normal course of business. A reputable vendor will have longevity in the industry and experience working with businesses like yours (e.g., same industry, size or other common criteria) and offer these security capabilities:
• Encryption — Ideally documents in the cloud will never be accessed by anyone who shouldn’t see them, but encryption ensures that even if they are, unauthorized individuals won’t be able to read them. Reputable cloud providers can help you secure stored data (data at rest) as well as data that is moving between users or processes (data in transit).
• IP-Based access restriction — This restricts access to people at a specific physical location, such as a corporate office. Though cloud is an excellent option for anytime, anywhere access, this capability ensures that the most sensitive data isn’t shared in less secure environments, such as a mobile device connected via free airport or coffee shop Wi-Fi.
• Audited processes — Standard auditing procedures validate a service provider’s reputation and operational maturity, and vendors will share them with you as you do your due diligence. The most valuable of these audits look beyond the physical data center to evaluate policies and processes. To ensure that the cloud provider meets specific auditing standards, some businesses will audit the cloud provider using the same standards implemented in their onsite data centers, but these widely accepted audits satisfy most people:
- SSAE 16 — The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) set the SSAE 16 requirements for cloud service providers. Unlike previous standards, SSAE 16 requires cloud providers to attest to their procedures and policies and then audits them for integrity.
- SOC 2 — Also using standards set by the AICPA, SOC 2 audit reports describe the internal controls of the service provider, specifically in the areas of security, availability, processing integrity, confidentiality and privacy.
- ISO 27001 — An information security standard that compares the cloud vendor’s solution against objective security and operations standards. This standard is different from SSAE 16, which only verifies that a vendor adheres to policies and standards they set themselves.
• Incident response policy — If the worst should occur, what will the cloud provider do to provide you with adequate information? How soon? What actions will be taken? It’s important that you feel comfortable with the services the cloud provider is willing and able to provide.
• Segregated data stores — Especially for documents that must be secured, it’s important to ask whether the cloud software has been built in such a way as to allow for multi-tenancy. That is, can multiple entities use the solution without sharing a logical location for the data?
• Disaster recovery process — Offsite backup is a minimum requirement. What you really need to know is how fast you can have access to the system in the event of a disaster. Again, there may be a premium for true real-time recovery that may not be necessary for every document. For instance, Accounts Payable may be able to recover from 24 hours without access after a disaster. But an insurance carrier needs to be absolutely certain they are ready to serve customers affected by a disaster.
• Uptime monitoring and reporting — Ask providers not only about the monitoring and reporting procedures, but also about the level of visibility you’ll have into the findings. Make sure that the procedures and reporting apply to your specific application, not just the data center itself.
“Cloud providers have done the heavy lifting to make sure the environment is physically safe and that the data log is safe,” says Thomas Kernes, director of Cloud Operations at Upland Software. “Recertification is an ongoing process and there is constant testing against the cloud itself for penetration, vulnerability, intrusion detection and other threats to a coherent and viable security posture. Cloud customers don’t have to invest in or worry about those capabilities or contract with all the protection vendors like a cloud provider does. They just need to do due diligence that the vendor is continuing to keep up certifications and assessment.”
Compliance in the cloud
Numerous industries, including banks, hospitals, schools, universities and government agencies, have demonstrated that reputable cloud solutions provide the basis for compliance across all kinds of requirements. But even the most reliable software, infrastructure and security tools can be defeated by poor implementation.
As compliance specialists know, software doesn’t make you compliant. The cloud vendor can adhere to all of the principles and provide a service that is certified to meet stringent standards, but the business has to make sure the system is set up and tested to reflect the compliance needs. If user rights are not managed correctly or a business process doesn’t follow best practices, the best cloud provider in the world cannot make a solution compliant.
By choosing a reputable partner and following the appropriate compliance recommendations, building secure, compliant workflow automation solutions is achievable. “Over the past decade, we’ve seen that when people work closely with a cloud provider to understand the ways they can secure their data, they can meet the level of comfort they need to feel their content is secure,” says Sean Nathaniel, GM of Upland FileBound. Due diligence is nothing new for business leaders. In the new cloud reality, it just takes a different set of questions.
This article originally appeared in the December 2014 issue of Workflow.