Cloud Leaders Reveal Their Top Cloud Security Priorities, Compliance Focus

Cloud Leaders' Top Security Priorities

According to Intel Security, 49 percent of cloud security professionals have slowed cloud adoption due to a lack of cybersecurity skills. Perhaps more alarmingly, 36 percent say they’ve identified gaps but are moving forward anyway. With a proliferation of mission-critical cloud applications and more data being stored, accessed, and transmitted than ever before, it’s incumbent upon organizations and their security leaders to reduce vulnerabilities and improve security posture. So what are the top cloud security priorities for organizations today?

In the webinar, “Cloud Leaders Q&A: Overcoming Cloud Security Challenges and Enabling Trust,” four cloud leaders discussed their best practices, challenges, and solutions for cloud security, compliance, and ROI today. The panelists were:

  • Steve Early, Global Administrator, Novanta
  • Mike Ackerman, Senior Technical Architect, Coastal Cloud
  • Andy Louca, Head of CRM and Business Information Systems, Thomson Reuters
  • Joe Stolz, Business Systems Manager, Midland IRA

How Are You Using Cloud Applications in Your Business Today?

Novanta uses Oracle as its ERP and Workday for HR, along with document-sharing on Sharepoint. But Steve’s focus is Salesforce, so he discussed the wealth of information stored within the platform. This includes design specs, the design approval process, key sales objectives, and traditional pipeline management – accounts, contacts, etc.

“We built out some custom processes on the platform that, in some cases, used to be done on spreadsheets or, in other cases, weren’t done at all,” said Steve. “But you know what happens when people use spreadsheets – you might be looking at one that’s stored on a server somewhere while somebody’s already downloaded it and they’re in the process of editing it. You have all these versions floating around and nobody knows which one is current. It gets really hard to manage.”

Similarly, Thomson Reuters finds a wide range of use for cloud applications – from Workday to collaboration tools like Jira and Jabber. And they use Salesforce in a combination of ways, from sales to a customer portal for documentation.

“We’ve got very much a cloud-first policy around the tools that we deploy, both internally facing and externally facing,” Andy said. “It becomes an ecosystem, really.”

What’s the Most Important Issue on Your Cloud Security Roadmap for the Year – and How Has That Changed Since Last Year?

For Coastal Cloud, the No. 1 cloud security priority is training. Since the consultancy is constantly growing, it’s important to have a repeatable process for bringing new hires up to speed, and for reinforcing and updating training on at least an annual basis, said Mike. For him and others like Joe Stolz of Midland IRA, KnowBe4 has become a valuable tool in helping train and test its workforce on their knowledge and awareness of common threats like phishing and social engineering.

“We’re putting a lot more effort into training our people,” said Steve Early,” because you can only do so much with antivirus software.” The training program Novanta uses keeps track of what users get wrong so the security team can set priorities for revisiting and improving their training programs.

“We think it’s working, said Steve. “People are getting emails from vendors saying, ‘You’re scheduled for security training, click here to start,’ and employees are forwarding those to our help desk saying, ‘Is this spam? Should I click it?’ It’s a good indicator they’re paying attention.”

For Andy from Thomson Reuters, 2017 was spent on gaining visibility across the organization and across cloud applications. Now, he’s focused on automating, filtering, and acting on the insights delivered by that visibility.

What Security Measures Have You Put in Place to Prevent Loss of Confidential Data?

With breaches constantly in the headlines and ever-increasing amounts of sensitive data stored and accessed in cloud applications like Salesforce, it’s important for organizations to put in place strategies and tactics to prevent the loss of that confidential data. Among the approaches used are:

  • Wombat and KnowBe4 for security training
  • OwnBackup for backing up data and metadata
  • Closing up vulnerabilities by, for example, disabling Microsoft Office macros and requiring the use of Chrome
  • Disabling API access that has not been explicitly whitelisted
  • Imprivata FairWarning in conjunction with Salesforce Shield Event Monitoring to monitor for abnormal user access or activity and proactively alerting for quick remediation. “We have great employees who do an amazing job,” said Joe. “While we do trust them, we want to verify that trust.”

What Specific Regulations or Security Frameworks are You Focused on Meeting?

Mike Ackerman is a big fan of the NIST Cybersecurity Framework, which provides guidance for private sector organizations and standards and controls around preventing, detecting, and responding to cyber attacks.

“You either use NIST or ISO,” Mike explained. “In a previous role, we built our security policy around NIST, and we were able to show our new customers that we were taking security seriously and building our program around a proven framework.”

As Andy Louca is based in the United Kingdom, GDPR was a big area of focus for him at Thomson Reuters. Novanta also worked recently to prepare for GDPR before it became effective in May 2018, and Steve added that they’ve also looked into the GDPR’s Canadian equivalent, The Personal Information Protection and Electronic Documents Act (PIPEDA). For the latter, November 1, 2018, marks the date for major changes to the law around mandatory breach notification and record-keeping.

What are Best Practices for Managing Security in an Environment Where We’re Required to Grant API Access to All Users?

API access can represent a vulnerability to organizations, but a balance must be struck between allowing access for mission-critical purposes and restricting access for stronger security.

“The power of the Salesforce platform in particular is that you can have external apps access your data and enrich the app’s functionality,” said Mike. “A lot of those apps need access to the API, but you want to make sure that access is set up correctly.”

In addition, said both Mike and Andy, reviewing Salesforce event logs is essential to understanding when unauthorized applications might be installed or allowed to access information. Andy also added that whitelisting approved API IPs will help make it easier to lock down your Salesforce instance by IP range and wipe specific unapproved applications from connecting to your org.

How Do you Drive Usage and Adoption of Cloud Applications Like Salesforce?

The first key to encouraging the usage and adoption of cloud applications like Salesforce throughout the organization is to communicate the benefits of consistent usage.

“If a sales leader is managing his or her weekly or monthly forecast calls right off a dashboard, they can feel confident that what they’re looking at is accurate because they make their people use the system,” Steve said. “For sales, the ROI is, ‘I know what I’m going to be selling’.”

Usage and adoption can also be encouraged by better performance. Slow or failed page load times may discourage users from adopting Salesforce, or lead to them creating inefficient workarounds. But by monitoring the performance of your instance, you can make incremental improvements and plan a more intelligent development spend.

“We’ve always kind of suspected a good Salesforce user is actually far more productive, but we’ve never been able to prove it,” he said. “Event logs gave us the opportunity to do that. And we can see if the development efforts we’re spending dollars on are actually returning what we expect them to – and hopefully make future development work better as a result of that.”

Gamification techniques like leaderboards can also help encourage the workforce to use mission-critical apps, along with cultivating internal champions who can share their success and best practices organization-wide.

How Can You Get Executive Buy-In for the Purchase of Security and Monitoring Tools for Salesforce and Other Cloud Applications?

For Joe at Midland IRA, he likes to use stories and statistics to illustrate to senior and executive leadership the importance of adding a particular solution to the stack.

“Every single day, it seems there’s another story about data theft, breaches, another ransomware attack,” he said. “When I have that budget and buying discussion, I can bring up those stories about how many companies are getting hit and how much it costs companies in terms of dollars and reputation. Basically, any new services we’re pitching help us not be another story in the news.”

Steve adds that taking a more “sales-centric” approach can help decision-makers internalize the problem and better understand the solution. For instance, he might as if they believe there’s a remote chance somebody could leave the company with a ton of valuable data. Once they admit it’s possible, he asks them what type of impact that theft might have. He makes them say the number – whether it’s a quarter of a million dollars in profit or the closure of the business – so it feels more real.

In the end, cloud applications create a great opportunity for businesses to streamline workflow, provide excellent customer service, and drive bottom-line growth. They also create an opportunity to monitor users to provide insights that can lead to further improvements. Whether you’re concerned about data security, compliance, or ROI on cloud applications, training and monitoring emerged as the top priorities of cloud leaders today. Looking ahead at 2019, think about the visibility you have in your cloud applications. Does that lack of visibility keep you from fully adopting it? Does it create security issues? Does it require additional attention on compliance? Use your assessment to develop a plan for better managing cloud applications moving forward – and to stay on the cutting edge within your industry or market.