When you call yourself "the global leader in secure content collaboration," you can't afford security gaffes.
Huddle, a SaaS tool used throughout the U.K. government, learned that the hard way when a BBC journalist logged into its system and was redirected to the wrong account. Imagine his shock when he realized he had access to confidential KPMG financial data.
Luckily for Huddle, the journalist left the sensitive information untouched, but he wasn't about to leave the story untold. The world soon knew of Huddle's head-scratching glitch: When two users signed on during a 20-millisecond period, they received identical authentication codes. The first to gain entry could be directed to either user’s account.
Of course, Huddle acted quickly to fix the flaw. But the security mistake left its mark on Huddle's reputation, especially, no doubt, among flagship clients like KPMG.
Security protocols to implement pronto
Although it's easy to point fingers at Huddle, other cloud service providers (CSPs) should take the chance to review their own security operations. Without the following four security processes, they're but one opportunistic hack away from a storm of upset clients, lawsuits, and unflattering media attention:
Multifactor authentication: Password-gated portals are the norm among cloud-based services, but passwords are far too easy to crack or steal. In addition, CSPs should require a secondary, and perhaps even tertiary, form of authentication. Be it a phone-based approach or a token device, a multifactor login system is part and parcel of the security responsibilities that infrastructure-as-a-service, platform-as-a-service, and software-as-a-service providers share with their clients.
Patch management: There's a reason your Windows or Mac computer constantly wants to install security updates. Software providers use patches to plug security holes found or created by hackers before they infect other systems. Without patch management systems in place, CSPs are at risk of malware and, more common today, ransomware. The bigger the CSP, the more likely it is to become a hacking target, making patches all the more important.
Credential management: Companies often share login information internally, but that leaves the keys to their kingdom in many hands. Eventually, that information could get in the wrong person’s pockets. Ensuring each user has his or her own credentials helps CSPs hold users accountable for their behaviors. It also prevents what happened when Amazon Web Services’ S3 buckets leaked due to misconfiguration. Because IaaS companies manage servers and hardware for downstream PaaS and SaaS providers, they have a particular responsibility to manage credentials carefully.
Key management: Picture a cul-de-sac where every resident knows where the master key is stored that can unlock any house on the street. What happens when one person moves away but the locks aren’t changed? That master key, used to decrypt encrypted data, could later be used to break in by practically anyone. This is often how CSPs unknowingly manage their security keys. Key management systems are critical and can save an organization in the event of a breach of third-party cloud systems that the organization may not control.
Communicating your security steps
Just as IKEA provides detailed setup and use instructions for its customers, CSPs must share security best practices associated with their systems. This includes explaining their own security protocols to clients and prospects. Not only is transparently communicating security features the ethical thing to do, but it can also boost sales through greater client trust.
To get the word out about your cloud service's security, start with these three strategies:
Draft a public-facing communications strategy: You already have a website, so use it to educate people on your security measures. You don’t have to give away the recipe to your secret sauce, but do pull together a whitepaper outlining your services and tying them to security best practices. Your sales, marketing, and technology teams may want to create a security toolbox of whitepapers to reflect different industries' and environments' security needs.
Arm your sales force with detailed protocol content: Every salesperson for your company should be able to prove to prospects that your security protocols meet their compliance challenges. Again, consider creating a series of whitepapers that map out your processes for technical personnel, auditors, vendor risk managers, and C-suite parties. Technical jargon won't help most businesspeople, and most technical roles will expect more than surface-level explanations.
Develop third-party audit reports: The best assurance of your company's security comes from a third-party audit. Be sure that your report not only provides external validation of your protocols, but also explains how they apply in the real world. For example, the SOC 2+ report offers enhanced reporting that can address multiple compliance and assurance needs. If your CSP provides financial services in the state of New York, such a report should show how you meet its financial cybersecurity standards through features like multifactor authentication. Or if your company deals in medical data, the report should prove that your protocols align with HIPAA standards.
CSPs operate in a world where trust is golden. But like real gold, that trust can be easily contorted or broken by breaches or other security flaws. Maintaining or mending trust takes a twofold approach: proper protocols to deter cybercrime and smart reporting to ensure clients know they're protected.