Is the Cloud Secure? Yes.
This is part 1 of a 4-part series called Breaking the Barrier to SaaS Implementation. This blog series explores best practices in vetting SaaS vendors to ensure data protection and streamlined workflows throughout product design, manufacturing, and lifecycle support.
When deciding to implement a cloud-based solution, many organizations immediately identify security as a major concern. Manufacturers are no different and have security concerns similar to those of other organizations. In fact, discrete manufacturers prioritize data security as a top concern. At all times, manufacturers must protect trade secrets, proprietary and patented information, customer and employee data, competitive and strategic ERP information, and many other sensitive operational data sources.
The research backs me up. IT professionals say that security is the biggest obstacle for both cloud (at 43 percent) and SaaS adoption (at 37 percent). The 2019 Thales Data Threat Report says that over half of US companies have experienced a security breach, and a third have experienced one within the past year. Plus, when asked to cite cloud security concerns, organizations identified concerns with vendors including:
- Security of my organization’s data if my cloud provider fails
- Security breaches or attacks on the service provider
- Lack of data privacy policies and visibility into security practices.
It’s more important than ever for manufacturers to build trust in a potential cloud vendor by understanding how it addresses their security questions and concerns. Cloud and SaaS security has vastly improved in recent years, as I’ve seen firsthand both as a leadership partner with Gartner and as a technology leader for a financial services company. In fact, I believe that it is no longer a question of whether the cloud is more secure than traditional software, but whether traditional solutions should even be worth considering.
The Cloud is More Secure than Traditional Software Solutions
I truly believe reputable SaaS solutions are generally more secure than the traditional solutions that have been built in the past. To ensure this security, companies must:
- Properly vet and scrutinize the provider’s security measures, and
- Understand and implement their own associated security measures.
It’s not as much about the security of the cloud as it is about an organization’s secure use of the cloud. Unfortunately, some organizations don’t take the time to learn the right questions to ask and don’t consider their own role in security, which can lead to major problems in selecting cloud providers and setting up their company for cloud success.
What’s more, many companies and senior-level individuals still hold outdated views on the security of the cloud. I’m not the only one who sees this. A vice president of research at Gartner says, “CIOs need to ensure their security teams are not holding back cloud initiatives with unsubstantiated cloud security worries. Exaggerated fears can result in lost opportunity and inappropriate spending.”
With outdated fears of cloud running rampant and heavy concern placed on the validity of cloud providers’ security practices, companies must begin educating themselves on the truth of cloud security. The first thing to consider is ensuring a shared cloud responsibility with a service provider.
Shared Cloud Responsibility: The Way Forward in Manufacturing
I believe one of the biggest and most damaging challenges with security is a misperception that cloud-based security is solely the responsibility of the vendor. The biggest names in cloud providers—Amazon Web Services (AWS) and Azure—agree that a shared responsibility model truly protects a company’s most valuable and mission-critical data. AWS indicates that it is responsible for security of the cloud, while an organization is responsible for managing security in the cloud. This means that a customer using AWS is responsible for:
- Their data
- Platform, application, identity, and access management
- Operating systems, network, and firewall configuration
- Client-side data encryption and data integrity authentication
- Server-side encryption
- Networking traffic protection
When considering SaaS solutions, organizations always have their own responsibilities for data security and identity and access management. This includes:
- Classifying and managing data to ensure employees appropriately use SaaS platforms
- Leveraging security capabilities offered by the solution to address their unique requirements
- Assigning proper roles to users, such as “administrator” or “basic user” and following through on updating these roles as a user’s responsibilities change
- Corporate security, including the security of company-issued devices such as laptops and phones.
Many SaaS solutions today also offer increasingly enhanced identity and access management capabilities. The most common of these include multi-factor authentication or single sign-on, giving companies an added layer of security.
Filling the Toolbox
When done correctly, there’s no question that cloud-based solutions are more secure while providing multiple other business benefits compared to traditional, on-premise, perpetual licenses. Gartner indicates:
- 60 percent of enterprises that implement appropriate cloud visibility and control will experience one third fewer security failures
- Public cloud workloads are expected to suffer 60 percent fewer security incidents than those in traditional data centers through 2020
- 95 percent of cloud security failures will be the customer’s fault through 2022
It’s also clear that not all SaaS solutions are built the same. In my upcoming blogs, I will provide valuable tools for manufacturers in their research processes to ensure data security:
- Moving past irrational fears about the cloud by putting it in its proper perspective
- Compliance regulations and laws to fully understand
- What to look for in a contract with a SaaS provider
About Kip Peters
Kip Peters has over 25 years of experience in information assurance, data security, risk management, and technology leadership. He is an expert on compliance regulations and security laws and how they apply to both cloud computing and to high-risk industries including manufacturing, financial, and defense. As the Director of Risk Management at Vertex, Kip’s primary goal is to ensure we build and maintain our software platform to be the preferred solution in helping manufacturers collaborate with their 3D data while protecting their intellectual property.