‘IT security’ and ‘the Cloud’ in the same sentence can send a shiver down the spine of any IT manager or business owner. It feels like a double-whammy of risk and vulnerability; the nightmare combination of mobile devices that will be stolen and data that someone else has control over.
At the same time, mobile devices and working in the Cloud are an essential part of the modern workplace where people can work anywhere, any time. You must go with the flow of a changing world, but you also need to keep your IT secure.
Taking a step back in time, you might think of the days when ‘IT security’ meant locking down your office network, building a castle wall of security around it. Instead of making your office into a citadel, nowadays you have to create security cordons around each mobile device and around every store of data, wherever they may be. You need castles in the Cloud.
In this article we look first at the security of data and applications in the Cloud. Then we turn our attention to protecting the mobile devices that use these apps and data.
Security of Cloud data and applications
By committing your data to the Cloud, you are dependent on the security provided by your partner, the Cloud service provider. You also have to be sure that your own internal systems protect you against a lapse of security on your part.
Choose your partner carefully
Your choice of Cloud service provider is clearly very important. You need the right company and you need the right service from them. Having a good fit between you and your supplier will help to ensure your security. Or rather, a poor fit may well jeopardise your security.
The first step in this selection process is the Cloud provider themselves. Are they a well-known and highly regarded business? If you choose Microsoft, Sage or Salesforce, for example, you can be confident that they have good security, sound processes to maintain that security and well-trained staff.
You need to know that security is “designed in”. If necessary, ask your IT provider to check the technical aspects of where and how your data will be stored and the systems in place to protect it. For example, does the provider allow you to use multi-factor authentication? Is it SAML compliant, enabling single sign-on?
Choose the correct service
The next step is the selection of the service from that company. If you are using an application, you obviously need to make sure it has all the features you need. That is a given. But you also need to be sure that it is appropriate to your business. Let’s take Cloud file storage as an example.
You could choose a free Cloud storage service. If you can get 10GB of space for free, why pay for it? The answer is that this sort of service, aimed at home users, probably won’t meet all your needs. How will you manage data across your company when each person controls their own account? How do you find out who is sharing your company data with whom, when you have no access to their account? You will be blind to what is happening with your company data. At best it is likely to cause you frustration and worry; at worst it will be difficult to explain to the Information Commissioner after you have suffered a security breach and you find yourself on the wrong side of the GDPR.
At the other end of the spectrum, a security-neurotic business owner might choose an enterprise-level service that has every security bell and whistle that one could wish for. But what is the point if you are presented with a control panel that you cannot begin to understand? Get the level of management, reporting and alerting correct, get the complexity of the software right and you will get the security right.
For each application you use, check that it has all the reporting you need and that it meets your needs for links and integrations with other applications. Security can break down if people are forced to export data to do analyses or reports, or to transfer data from one system into another.
Maintain your own security
In addition to knowing that your service provider offers the right level of security, you also have obligations to maintain your own security.
You need to be sure that your company processes are appropriate for working in the Cloud. For example, what happens when a member of staff leaves? You take away their laptop and remove them from your staff list, but do you leave Cloud-based systems completely open to them? Do you even have records of which systems they had access to?
This can be a big problem for companies using a number of different web-based services, whether it is access to customer systems or supplier web sites. This is where single sign-on can be a great help. You provide each staff member with one user name and one password. You grant them access to all necessary systems via their single sign-on. You never give them a separate password for these systems. Your member of staff is happy because they only have one user name and password to remember. Your business is much more secure because when you remove their single sign-on, you remove their access to ALL web-based services.
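The leaver check described above can be run as a periodic reconciliation. The following is an added example, not part of the original article: it compares a list of leavers with account exports from each web-based service and reports accounts that are still active after someone has left, plus accounts that sit outside single sign-on. The service names, users and record layout are constructed for illustration.

```python
# Constructed sample data: leavers from the staff list, and account exports
# from each web-based service as (service, user, auth method, active).
LEAVERS = {"j.smith@example.com"}

ACCOUNTS = [
    ("crm", "j.smith@example.com", "sso", False),
    ("file-storage", "J.Smith@Example.com", "local-password", True),
    ("supplier-portal", "a.jones@example.com", "local-password", True),
    ("crm", "a.jones@example.com", "sso", True),
]


def audit_accounts(accounts, leavers):
    """Return (orphaned, outside_sso) as sorted lists of (service, user).

    orphaned:    active accounts that belong to someone who has left.
    outside_sso: active accounts of current staff that use a separate
                 password, so removing their single sign-on would not
                 remove this access.
    """
    leavers = {user.lower() for user in leavers}
    orphaned, outside_sso = [], []
    for service, user, auth, active in accounts:
        user = user.lower()  # exports differ in how they capitalise addresses
        if not active:
            continue
        if user in leavers:
            orphaned.append((service, user))
        elif auth != "sso":
            outside_sso.append((service, user))
    return sorted(orphaned), sorted(outside_sso)


if __name__ == "__main__":
    orphaned, outside_sso = audit_accounts(ACCOUNTS, LEAVERS)
    for service, user in orphaned:
        print(f"REMOVE NOW: {user} has left but is still active on {service}")
    for service, user in outside_sso:
        print(f"MOVE TO SSO: {user} has a separate password on {service}")
```

In the sample data the leaver's single sign-on access to the CRM is already disabled, but the file-storage account with its own password is still live, which is exactly the gap a separate password leaves behind.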
Protecting mobile devices
Mobile devices go hand-in-hand with the use of Cloud services. It’s the modern workplace and it is how people like to work. Protecting these devices is integral to staying safe in the Cloud. After all, what is the point in all that security if it is breached by the first person who loses their phone?
Mobile Device Management (MDM) is now a well-established technology. It provides central management of all company apps and data on all mobile devices, whether you own them or they are staff-owned. MDM gives you control over:
- Devices – all mobile devices must be enrolled on your central management system.
- Applications – you control which apps can be installed on these devices.
- Data – you control the data sources that can be stored on the devices.
With MDM in place you have provable security. When a device goes missing, instruct it to wipe all company information next time it is switched on and connected to the internet. When a staff member leaves, you are confident that all company information has been removed.
Security versus utility
The final aspect of IT security in the Cloud is the balance between security and utility. You have an obligation to protect your organisation by implementing effective security, but you also need systems that are usable. If your security is too tight or too onerous, your staff will find inventive ways to bypass it. This is called ‘shadow IT’, where your IT becomes informal, completely uncontrolled and totally insecure, and it is the complete opposite of your best intentions.
To make your security effective, involve your staff in the planning and decision-making so they understand why it is required. Remember that your people form your ‘human firewall’, and they are a vital component in your IT security.
If you need further help with your IT security, contact the experts at Riverbank IT Management. Call 01235 426700 or contact us.