Myths, Misconceptions and a Modern Approach to Cloud Security

If you’re friends with anyone in IT or data management on social media, you’ve seen this meme: “There is no cloud.  It’s just someone else’s computer.”  And while that may be marginally true if we’re talking about simple file storage services like Dropbox or Google Drive, for the most part it’s a wild oversimplification that can cause real confusion and mistrust when we’re talking about robust Software-as-a-Service (SaaS) platforms like Acumatica or Ascentis.  How can informed buyers see through the myths surrounding cloud security and feel confident that they are choosing to partner with a solid cloud solution?

Providers of cloud-based enterprise resource planning (ERP), customer relationship management (CRM) and human capital management (HCM) applications develop complex, multi-layered security controls to protect their customers’ data from unauthorized access.  As you evaluate SaaS applications, you should evaluate both the application and the provider to make sure your data is secure and protected.

From the Application

• Encryption: The application should encrypt all user-unique IDs and passwords, along with data in the resulting connection, with industry-standard protocols and ciphers. Look for token-based and two-factor authentication.
• Application Access: User data should be separated from application data. End-users should not be able to access the database or other infrastructure components that underlie the application.
• IP Address Restrictions: Systems that enable restrictions on IP addresses can help you gain control over who accesses your data, and from where.
• Robust Password Policies: At minimum, your system should give you the ability to control your password policies, including length and character requirements, expiration timeframes, variability from prior passwords, etc., as well as provide account lock-out after a number of unsuccessful attempts. Companies that want more access control can look at systems that enable multi-factor authentication using a physical token.
• Flexible User Roles and Idle Disconnect: Modern cloud systems enable customizable permission configurations, allowing you to control access to data at the individual role level. Audit trails track user ID and timestamps for all changes, providing visibility and traceability.  Finally, idle connection detection and browser locking prevents unauthorized access from unattended computers.

From the Provider:

• Continuous Monitoring: Your provider should utilize Intrusion Detection Systems (IDS) to identify malicious access attempts, including logging and investigating unauthorized connection attempts. Tools like enterprise-grade anti-virus software is also essential.
• Physical Access and Separation of Duties: You should feel confident with the employees tasked to work in/around the data centers that house your essential data. Contemporary cloud providers separate job responsibilities to ensure that employees have access to only the data they need (similar to the concept of access restriction by role that they recommend for their users).  Their data centers should include multi-layered physical security, including ID cards, biometrics and single-person portals, as well as robust door alarms and on-premise physical security measures.
• Performance Audits and Security Certifications: Regular audits, both performed in-house and with third-party firms, not only provide an objective way to gauge risk, but also contribute to a company culture that values adherence to security processes and protocols.

When it comes to data security, there are certainly challenges posed by cloud-based solutions.  However, that doesn’t mean that SaaS solutions are inherently riskier than more traditional on-premise solutions.  As you evaluate potential cloud-based ERP, CRM or HCM tools, investigate the security features inherent in the application as well as the processes implemented by the provider.  Robust cloud solutions include security features that are natively woven into the application, and modern cloud system providers consider their commitment to security to be a cornerstone of their business.