The recent news that Yahoo! executives had secretly authorized the development of a custom software program to search all of its customers’ incoming emails, in order to comply with a U.S. government demand, brought all kinds of data security and privacy discussions back into the limelight.
Edward Snowden’s decision to leak classified NSA documents in 2013 triggered awareness of just how easy it is for data to escape most organizations. After all, if it can happen to one of the most secretive and security-conscious organizations in the world, then what’s to stop data exfiltration from any corporation?
Some experts in the security industry may be quick to point out technology solutions to mitigate vulnerabilities, while others will say that there is no defense per se, and that resiliency and response to attacks are more important.
Following the alarms set off by the Snowden event, many corporations around the globe began self-audits and reviews of their information security postures and that of their vendors. Vendors, in turn, took to strong messaging about how their solutions had “enterprise security” or “Security You Can Trust.” This was especially true of the vendors that began their business in the consumer world before transitioning to the enterprise. But what the news from Yahoo! (another technology provider with a heritage in the consumer market) points out is that it’s not always the technology that creates the vulnerability. In the case of Yahoo!, it was actually the business decisions being made by its leaders that led to the violation of personal data privacy.
Enterprise security: Key questions to ask during vendor evaluation
Implementing enterprise software and assessing its security capabilities is fairly straightforward when you’re talking about on-premises applications. Doing a security review in today’s cloud-first environment is completely different. Security for a SaaS vendor is about much more than technology. Any company considering implementing a SaaS solution should pay close attention to what the last ‘S’ stands for: service. Take, for example, a company that is looking for a “secure” collaboration solution for sharing corporate content stored in an existing ECM system. While it may seem natural to start by evaluating the security features of the popular consumer file-sharing services you’re already familiar with, make sure you dig deeper. Before entering into a partnership with a SaaS provider that will be delivering a technology service for moving corporate content beyond your firewall, ask yourself whether you have a thorough view of the vendor’s entire operation. For example:
- Are you able to evaluate the vendor’s internal business processes, or does it only point you to “standards” certifications such as ISO 27001?
- Does the vendor allow customer-led audits?
- Does the vendor have its own CISO and dedicated security team?
- Can you tour the physical data center in order to evaluate infrastructure, process, and personnel security?
Any security professional will agree that true enterprise security is about more than technology. When it comes to choosing a secure cloud file-sharing solution, be sure that the vendor you select is willing and able to provide the transparency required by your own internal security and governance policies.