Data Security And Cloud Providers: Assessing The Risks
Contributed Commentary by Jarrod Medeiros
October 13, 2017 | Research organizations are aware of the potential for cloud technologies to increase efficiency, cut costs, and reduce time to market. However, many are still struggling to understand the risks involved with data security and protecting their own intellectual property. In the wake of the recent Equifax breach, the latest in a seemingly endless string of security incidents, organizations want to ensure they are protecting their assets and minimizing potential liabilities.
Security is a justifiable concern for research organizations. Moving data out of the building requires trust by all parties, which is difficult, especially when sharing data across different countries, offices and individuals. These same concerns can also be placed at an organization’s own internally managed infrastructure. The key in any scenario is to put in place practices that will minimize the likelihood of a security breach.
Assessing risk and putting in place mitigation practices should be part of every cloud-based endeavor. When evaluating cloud software, much of the onus is placed on the vendors themselves. However, organizations need to ensure the data they generate and share cannot be intentionally or unintentionally altered or viewed by unauthorized parties. After all, protecting data integrity and intellectual property is imperative for an organization’s operation and success.
Here’s what organizations need to consider when choosing a cloud-based software vendor:
What type of data will be stored and what risks are associated with it? Organizations should understand this scope first and foremost. If you’re storing personal data about your employees, critical intellectual property, patient data covered by HIPAA, or inconsequential operational data, this will dictate what concerns you should have and how best to mitigate them. It simply doesn’t make sense to spend time and money addressing risks that aren’t justified or don’t exist.
A vendor should have nothing to hide when it comes to their security practices. If they won’t work with you to answer questions about their practices, this should be an immediate red flag that they either don’t exist or aren’t up to standard.
Make sure the agreed system availability is in line with your expectations. Most reputable vendors will have guaranteed uptime with a track record of exceeding this target, alongside a policy of remuneration should this target ever be missed.
Security patches must be applied regularly, APIs should be appropriately safeguarded, and data needs to be encrypted both at-rest and in-transit. Software must be safeguarded against the current range of threats.
Multi-tenant, single-tenant, VPC? How is the data being stored and safeguarded within the vendor’s environment? Each scenario comes with its own risks and rewards. Ultimately, your impact and mitigation plans should be tied to the risk assessment and appropriately addressed.
Ensuring access to the system and the data within it is critical when working with cloud vendors. Vetting procedures for personnel, access to the production system, backups, and any encryption keys all need to be considered—and any one of these could pose a security flaw if not properly addressed.
Aside from local regulations on data residency, vendors should have appropriate plans for multi-site redundancy and ensuring appropriate performance across regions as required.
Software vendors know how to monitor their software and keep it running smoothly far better than any customer; this is a key benefit of the SaaS model. But monitoring for potential security events should also be a part of the package. Remember, monitoring is useless without timely alerting and remediation mechanisms.
Not only should a vendor have multi-site backups, but the ability to quickly recover from an event should be a given.
What happens with your data if you decide to part ways with a vendor? Make sure you have an exit strategy for all potential eventualities, which outlines exactly what to expect if a contract is ended by either the vendor or the customer.
Regardless of where your information assets live, promoting good information security practices throughout your organization is critical to security. After all, security is only as strong as the weakest link. Most data breaches involve stolen passwords, so making sure there aren’t top secret sticky notes around the office!
Organizations need to thoroughly research the software services, which will enable them to best secure their data and streamline the overall drug discovery process. A proper assessment of vendor’s procedures, who controls the data, and protocols is essential. There are certifications to look for such as SOC-II and ISO 27001 which can cover some of the due diligence—and there are also several external consulting services for a more personalized approach to security vetting. But, ultimately, it’s up to the organization to determine what the potential risks are as well as the mechanisms to mitigate these.
Jarrod Medeiros works across the Sales, Marketing and Software Development teams to design a product roadmap for IDBS that meets diverse customer needs. Jarrod has been with IDBS since 2011, and previously worked for EMD Serono, designing and developing recombinant protein processes. He has a background in cell biology, chemical engineering, microbiology and molecular biology. He holds a B.S. in Biology from Northeastern University. He can be reached at JMedeiros@idbs.com.