Workiva is a company born in the cloud, with information security a strong part of our DNA.
We constantly strive to achieve new heights in our information security program. After attaining and maintaining our SOC 1 for the last six years, we completed our first SOC 2 attestation. For Workiva customers, this gives additional, third-party assurance that we take our responsibility to protect their data seriously and will continue to respond to new threats and expectations as they arise.
Because more companies are using the cloud than ever before, security is one of the most critical aspects to consider when choosing a cloud-based vendor. Yet understanding how to fit cloud vendors into traditional risk management and cybersecurity programs is still a pain point for many organizations.
According to surveys such as the Cloud Computing Survey 2015 from IDG Enterprise or the RightScale 2016 State of the Cloud ReportTM, anywhere from 72–95 percent of companies have adopted cloud technologies. Studies such as the March 2016 Business @ Work report from Okta show soaring rates of adoption for individual software-as-a-service applications.
Today, I’d like to share eight important security topics to discuss with your own cloud vendors. Download a digital version of this list here.
Systems and applications must be assessed for vulnerabilities constantly. Why? Because systems need to be continuously evaluated to ensure that newly discovered issues or changes in configuration have not opened a crack in the armor.
Contracted external assessments provide a level of qualification and independence that can give additional assurance, but because of the costs involved, an internal vulnerability management program is also needed to maintain the necessary agility.
Encryption is a large part of cybersecurity and understanding how confidential data is encrypted at rest and in transit is important for even non-IT types. Encryption is one of the most difficult things to implement correctly. Many libraries that can be pulled in to make it easier have default parameters that can weaken the confidentiality posture. A solid foundation of understanding of where data is (or isn’t) encrypted and the specifics about the algorithm and its parameters is crucial to preventing a potential blind spot. Know how all of your vendors handle encryption.
2. Identity and access management
Align access control policies and procedures with contractual requirements. Understanding who has access to systems that hold customer data is key to ensuring those systems are appropriately secured. In cloud infrastructures, many small services may work together to provide an overall product. Running a tight ship regarding how access is granted, reviewed, and terminated prevents openings for accidental or malicious insider threats.
Control access and permissions. The more people that hold high-level permissions, the more opportunities there are for system compromises, social engineering, or insider threat to gain a foothold. Keeping access at the appropriate level for the job function being performed and adjusting if that function changes, makes for a much smaller attack surface.
3. Application development
Organizations continue to move toward frequent and incremental release cycles. Understanding how they are delivering the same amount of assurance in that cadence as you’d expect in a more traditional release cycle is key to getting a picture of how data security and compliance issues will be prevented as the service is developed.
While using cloud partners or managed service providers can go a long way toward managing security and compliance issues, it is no substitute for a solid information security program and in-house expertise.
For any vendor, its systems should be built in such a way that they can survive disruptions in underlying infrastructure. Getting up-front commitments on this can help hold a vendor’s feet to the fire if issues arise. And systems should be monitored regularly to confirm that system uptime and operational status is meeting expectations.
5. Regulatory compliance
Use a framework such as the NIST Cybersecurity Framework to ensure that all potential areas of concern are addressed, and are addressed in an appropriate manner.
Perform risk assessments in conjunction with the selected framework(s). Policies and procedures aren’t worth much if they aren’t being monitored for their effect on reducing risk. Risk assessments of applications, systems, vendors, and other enterprise-level issues creates a feedback loop to continuously improve data security posture.
Having third-party assurance of an organization’s controls is highly valuable. Make sure that vendors provide a report, such as the Service-Oriented Controls (SOC) report, that includes not only their review of their own vendors but their internal controls. This ensures that you have independent verification of the vendor. SOC 1 reports help with SOX compliance and financial regulation, and SOC 2 reports give additional detail from an infrastructure perspective. In either case, ensuring the report is Type II and performed by a PCAOB-accredited audit firm, gives you both peace of mind and due diligence assurance.
Ask how a vendor monitors and reports suspected incidents. Systems and applications must be configured with sufficient logging to ensure that strange behavior can be detected quickly. Procedures should be in place for notifying relevant parties and addressing any potential exposure.
Be especially demanding with confidential data. Keep sensitive data in the hands of as few people as possible. Take the small steps to reduce all sorts of risks. Procedures for ensuring this data is handled appropriately should be communicated and monitored.
It’s more important than ever to assert formal policies regarding how personal information is collected, used, and discarded exist to make sure all parties understand their obligations.
7. Security operations
Dedicate resources to monitor the security and health of your systems and applications. Someone needs to be at the wheel, and things such as security information and event management (SIEM) software or managed service providers can alleviate some of this burden. Ensuring there is an appropriate capability, with visibility and open lines of communication, can keep a minor bugfix from turning into a major incident.
Ask anyone in IT or information security and they’ll tell you that keeping up with all the different ways you might end up having a bad day (or night) is a Sisyphean task. Starting with an understanding of the business and its objectives and working toward what controls need to be in place is the only tractable way to ensure technology connects to results.
8. Resource planning
Explore using single sign-on to help integrate with existing systems, and be ready to scale as needed. Using a technology such as SAML 2.0 can relieve the headache for IT and end users alike. Reducing passwords makes users happy, and having a single point of control for system access lets IT sleep better at night.
Continue to plan for the future and make long-lasting decisions upfront. Have you done everything in your power to control processes for segregating environments, to protect data, and to provision access that allows you and your company to move at the speed of business?
Things such as separating development and production environments, or streamlining the process of adding users or changing their entitlements, grease the skids and help fit each cloud service into an overall IT management processes.
Understanding the importance of cloud security
Every company is a security company.
The cloud is here to stay, and cloud technology is only going to grow. Threats will continue, and security must evolve and adapt as cloud infrastructures become the norm. Whether you’re using a hybrid of traditional IT security and cloud security or working toward a full cloud system, start with a solid understanding.
Own information security and take responsibility. Hold your vendors accountable, and eliminate hesitations from either side. Start by assessing these eight important topics with your vendors, and continue to keep security as a top company priority.