Four Questions Manufacturers Must Ask About Cloud Security
Manufacturers handle sensitive data each and every day. This includes test and quality data, warranty information, device history records and confidential engineering specifications. Trusting that data to a cloud-based application or cloud services provider is a major step that requires knowledge of the security risks and advantages of cloud-based software.
Consider the four questions below as a guide for discussing infrastructure and operations with cloud providers.
1. What do you do to keep my data safe?
The answer should be long and multi-faceted. No single tool will defend against every kind of attack, so cloud providers must deploy multiple layers of defense using internal systems, protection provided by tier 1 cloud platforms and security service providers. All of these elements come together to provide complete protection and should include:
- Physical Defense. Cloud providers should exercise tight control of access to the physical devices on which the software systems reside, with independent auditors attesting to the safety of this access.
- Barriers to Entry. Firewalls built into the cloud service can limit access to ports managed by the application. Unneeded ports should be blocked.
- Password Protection. The best-designed cloud applications allow your organization’s identity management system to provide authentication and password management. This should also support two-factor authentication if your internal policies require it. Some of the more advanced systems can also provide an identity management service as an alternative to your internal solutions.
- Application Firewalls. Most enterprise-class application designs will include a Web Application Firewall service to defend against denial of service attacks and other types of malicious access.
- Activity Monitoring. State-of-the-art cloud platform providers continuously monitor for suspicious activity that could be the result of hacking or malware. In best case scenarios, warnings are sent automatically and steps are taken to protect the data and the integrity of the platform.
- Malware Monitoring. Both the application provider and the hosting platform provider must run active checks for malicious code to ensure each piece of code that is executed matches the published signature for that code. Be warned: this is a step that many providers have not migrated to yet.
- Code Standards. Good security starts with good code. Security standards must be included in the system development life cycle, governing every aspect of it.
- Third Party Code Scanning. The most advanced application providers use a third-party firm to scan code looking for opportunities to improve security and look for known vulnerabilities. Ask for details about this, as there are many different levels of scanning available.
- Data Encryption. Generally accepted practices for data encryption provide different options for data in different modes. Data in transit can be encrypted using industry standard encryption through the browser. Additionally, APIs that access the data should use encrypted data and include encrypted tokens. Encryption of data at rest protects against accessing data from outside the application’s control.
2. How do I know that my data can’t be accessed by other customers?
There are many ways to ask this question: Do you mix my data with other companies’ data? Can other people see my data? What’s your database structure for each customer? The answer to each of these is data separation. The system architecture should ensure separation of customer data, usually by individual factory or site.
3. What do you do to prevent the data from being hacked and stolen?
Hacking or stealing data is the number one security concern of most people considering a cloud solution. According to the latest “Data Breach Investigations Report” from Verizon, approximately 50 percent of all security incidents are caused by people inside an organization. Good user management and password security policies are the best way to prevent these types of attacks.
For preventing external hacks and data theft, the system must be architected to prevent as many types of attacks as possible. Also, application providers must use internal personnel and external consultants to run frequent penetration testing. Be sure to ask about penetration testing, including both the frequency and the methodologies used.
4. How does cloud security compare to on-premise security?
There is a common misperception that a set of servers running on-premise at a corporate office is more secure than a cloud-based application. Owning the hardware and software often gives a false sense of security as most on-premise systems fall far short of the security that the best cloud providers have deployed.
For example, the cloud storage system utilized by my company was designed for 99.999999999% durability and up to 99.99% availability of objects over a given year. That design and those numbers are virtually impossible to duplicate with an on-premise solution. To deploy tools like these in an on-premise environment would require large investments in infrastructure and personnel.
Ask yourself: how big is your security team? How much is your budget for data security? Then remember that the best application providers and data centers have large, dedicated security teams that operate 24 -7. In the end, the best cloud software companies have dedicated more time, resources and budget to securing systems.
Srivats Ramaswami, CTO at 42Q, has worked at both OEM’s and contract manufacturers. His expertise includes the architecture and implementation of IT solutions, making the global supply chain visible and more efficient. Srivats is now responsible for customer acquisition and engagement, technology development and deployment for 42Q.