Darren Conner, Chief Technology Officer
Nothing is ever truly safe. That is the uncomfortable truth about our world, and certainly about connected information systems. It is uncomfortable to think about and hard to accept, but it is true. Now that we have acknowledged that, we can talk about what real security is and how you achieve it. The benefits of connected devices, services, and data have had a tremendously positive effect on our ability to accomplish our work, serve our customers, and gather new information. Like any ecosystem, this powerful new ally comes accompanied by a sordid underbelly that appeals to ill-intentioned opportunists and charlatans alike.
The systems we use today function very differently from those most people had access to as recently as the early 2000s. Fast internet connectivity used to be optional for most businesses and has now become a necessity. In 2003, while working for a TPA firm, we started collecting year-end data through a web application. We were one of the first TPA firms to do so, and it made the company more successful as we improved it in the subsequent years. Although it spawned new ideas and possibilities, it also introduced a new reality: the most sensitive information that we collected from our clients was now connected to the world. The web application had given the data its own doorway. As time went on, we did what most small businesses do with sensitive information and secured our systems as well as we could with the tools available at the time. Our potential attackers were limited, our firewall was top notch, and we encrypted all traffic to the site.
Today, as a software company, our approach to securing information has evolved significantly. Unfortunately, there will never be a final solution to security problems that will stand the test of time, because the secret sauce for good security isn't any one widget or device. The real secret is vigilance. In order to ensure that something is as secure as you can reasonably make it, you need to constantly seek out new information and solutions and, more importantly, closely monitor the traffic to your site. Without this high level of monitoring, someone could breach your company's systems and steal information. If they didn't do any visible damage, you probably wouldn't even know that it happened.
So, in an ever-changing environment, how are business owners to protect their data? If you already have a full workload or a business to run, a high level of diligence in guarding applications isn't practical to maintain. Consequently, more and more companies are turning to cloud vendors for Infrastructure as a Service and Software as a Service (IaaS and SaaS, respectively) solutions for their critical data and workloads. These vendors offer the promise of technical expertise baked into the cost of their services and are expected to keep up to date with modern network security improvements, allowing you to offload this burden. Although many of these providers do a much better job of securing systems than the average small business, how can you, as the customer, know their level of diligence when it comes to securing your data?
Giving your trust to a vendor without any proof that they take security seriously is a dangerous play. Some companies assume that vendors know what they are doing, others simply don't know what questions to ask, and a much smaller number thoroughly vet them. Because of how involved this process can be, and the amount of information that must be digested to understand another company's operations and security, an auditing standard has evolved over the years to give a consistent representation of how providers stack up. The latest iteration of that standard for security and confidentiality is the Service Organization Control 2 report (SOC 2). The SOC 2 Type II report is produced by an external auditor who requests the numerous policy and procedural documents required and then monitors the company's functions for adherence to these procedures for a minimum of six months. For most companies, undergoing the SOC audit is an annual event, so if you are provided with a report, be sure that it is a current one. For banks, trust companies, and larger firms, the SOC report is considered a requirement if they work with an outside vendor who is hosting confidential information. Many small and mid-size companies also consider it a necessity for doing business with a service vendor, or would expect significant proof in its absence.
Can you assess a hosting vendor who does not have a SOC audit? You can, but the onus is on you to evaluate their processes. Start by asking if the vendor can provide you with a SOC 2 Type II report. If they don't have one, ask for proof of their security and organizational behaviors pertaining to the data they want to host for you. Don't take them at their word; ask to see their policies. In the event of a breach, your clients would expect that this due diligence has been performed. Your vendor should also be insured for data breaches and actively monitor for intrusions. Sensitive data should be encrypted at rest, and all data should be encrypted in transit. Servers should be patched regularly, and all network endpoints secured with strong passwords. Also, they should prove that an outside party has performed penetration testing on their system and that they regularly scan for known vulnerabilities. It's just as critical to ask about their operational habits, especially as they pertain to staff members and training. The employee roles that will have access to your information while it is in their care are just as important as regular staff member education about handling customer data. Can anyone publish updates to the service, or is there a documented change process that demonstrates control and ensures that quality and safety are taken into account?
This is the vigilance that is required to be truly secure. It's more than your firewall or website certificate. It is your responsibility to ask the hard questions, and it is the responsibility of providers to open themselves up for assessment and critique. If they are unwilling to be candid and transparent about how they protect your data, then there is probably something about it they don't want you to know. This information isn't top secret; it's good service.