It’s possible someone is trying to hack your website right now. The good news is they will fail because of the security framework you have in place. You have just prevented your next data breach, and the next one and the one after that. And you probably won’t ever know that your website was attacked (that’s the bad news).
Cybercrime is like the destructive force of flowing water, eroding defenses until it finds or creates vulnerability and spills through. Anticipating where the dikes, dams and levees need to be ahead of a breach requires constant attention. Still, they occasionally fail. The question you have to ask yourself is what are you prepared to do to keep your data safe – continuously safe – from attacks next week, next quarter and next year.
The Argyle Executive Forum queried its 3,500 CIO members from billion-dollar-plus companies and reported last November that 34 percent of respondents had security breaches in the prior 12 months.
But at least two-thirds said they did not, which gives us reason to make a best effort.
Whom Can You Trust?
Every CIO and IT systems manager will earnestly say that security is a priority. However, it’s probably one of many business technology and IT infrastructure priorities battling for attention and funding. Keeping pace with new monitoring and detection tools, firewall maintenance, mobile device policies, compliance audits and all the rest is overwhelming internal staff resources, leaving little time for innovation. Data security may be your responsibility to ensure, but going it alone may be adding to risk.
Many still debate the pros and cons of integrating cloud technology into their data security and management strategies. The industry has matured to a point where, with careful vendor selection, the “pros” are overshadowing the “cons.”
In his 2014 predictions blog (Cloud Computing Predictions for 2014: Cloud Joins the Formal IT Portfolio, December 2013), Forrester Research Inc.’s James Staten, vice president and principal analyst, Infrastructure & Operations, wrote that “if you’re resisting the cloud because of security concerns, you’re running out of excuses.”
The Cloud Can be an Advantage
Since cloud service providers (CSPs) are not in the business of writing mortgages, operating health clinics or running professional sports teams, they can focus on their competencies, which are providing IT infrastructure and cloud services as a business. Better CSPs will integrate security into their core competencies and all aspects of operations. The best providers will work directly and transparently with clients to tailor the optimum security solution for their particular and unique requirements.
An often overlooked advantage of cloud is that the infrastructure is optimized on specific platforms. Compared to complex multi-vendor architectures, incompatible applications and disparate data repositories common to most internal data centers, the cloud environment is relatively simple and homogeneous, composed of best-of-breed products and technologies. This simplifies monitoring and maintenance a great deal, reducing opportunities for hackers.
The right CSP offers many other security benefits and advantages as well. Here are a few things to look for:
- A security- and compliance-minded CSP has people dedicated to and accountable for the program.
- It submits to annual independent auditing under the SSAE 16, ISAE 3402 and AT-101 audit standards. Compliance with the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA/HITECH) and Sarbanes-Oxley demonstrates that the CSP has taken the steps necessary to serve customers subject to strict data security standards.
- CSPs should have no secrets from customers. Audit reports and security policies and procedures, as well as the CSP’s availability and performance service level commitments, should be available. Prospective customers need to know where the CSP stores data in order to assess the potential for jurisdictional issues.
- A CSP that owns, operates and maintains its own IT and cloud infrastructure is generally preferable to one that does not. The more geographically dispersed data centers it operates, the better. That CSP is in control of its own destiny and that of its customers.
- Review all aspects of system architecture – network capacity, redundancy and security; data storage and back-up; and compute capacity. Ask who the CSP’s product and technology partners are – this says a great deal about the quality and integrity of its systems – and what its maintenance processes are.
- Physical infrastructure and access control are no less important. Must-haves include a highly redundant power distribution system with generators, highly efficient cooling, proximity card access with PIN and/or biometric (fingerprint) scanning, secured hardware, video surveillance and on-site trained staff 24/7/365.
Secure Today, but Tomorrow?
The worst thing that can happen with data protection is to set it and forget it. The best thing is that in three or six months’ time (or whenever you feel the need) the CSP is proactively reviewing your business with you, asking what has changed that might leave your data vulnerable or current services inadequate. Your data access patterns may not be as initially thought; perhaps a more secure, efficient and/or less costly approach to services is appropriate.
As the flowing water analogy in our opening suggests, cybercriminals are relentless, always on the offensive, always scheming to erode fortifications that protect data from a breach. All they need to keep trying is the hope that you will not meet their evil intent with equal defensive energy, for whatever the reasons. The risks and the demands of the challenge are simply too great to go it alone.