Clearing the air on cloud security proof points
How secure is information stored on the cloud? This is a key concern for many organisations working with Software as a Service (SaaS) providers. They need the peace of mind that their data will remain safe and sound – and private.
Maybe you’re handling patient information, like a scan of teeth or a treatment plan. You wouldn’t want that data to become public. Your R&D department may be working on a prototype of a high-performing heat exchanger. If your competitors get hold of those files, you’d lose the advantage.
There are many reasons why data security questions may be keeping you up at night. But when it comes to where data is stored, the cloud can be the safest option – provided the right measures are in place.
How do you know data on the cloud is not vulnerable to cyber-attacks, data breaches or losses?
There are a number of ways to demonstrate that an organisation has taken sufficient steps. These can be certifications or standards, like SOC 2 and ISO 27001, or technical controls such as encryption and single sign-on (SSO).
In this blog, we get into the weeds of cloud security and its proof points.
Companies big and small are adopting cloud-based software. The benefits they're getting vary depending on the industry or the size of the company.
Small dental labs, for example, often have an IT team of one or two. They are usually generalists for whom data security is too specialised a problem; investing in additional training on data security management would take more time than they have.
If they move their data to the cloud, most of the security work shifts to the service provider, although the customer still decides who gets accounts and access. A SaaS company is in charge of configuring the system correctly, and relies on Google, Amazon and other major cloud providers to back files up automatically and replicate them across multiple data centres.
Capacity management is another advantage of the cloud. If you store data locally, you have to think about disk capacity. You could start small with a one-terabyte storage system, but then you have to monitor how quickly that storage fills up and make sure you add a second system before the first one is full.
A cloud-based service, on the other hand, allows you to increase or decrease IT resources as you need to meet changing demands.
Additionally, the cloud offers large cost savings. Most enterprises couldn’t buy storage at the price Google and Amazon pay for it. These providers can also move files that are used less frequently to a cheaper, slightly slower storage tier to save on costs.
Cloud-based software allows users to access data from different departments and production units
Some companies may hesitate to move to cloud-based software believing that local storage is more secure. Control is one of the key advantages they see: with local storage they know who's on the network, where the data is stored, and who has access.
But generally speaking, the tide has turned in favour of the cloud. The biggest enterprises in the world see that the US government allows its security agencies to store data in the cloud, and they’re reassured.
They understand that full control, access and audit capabilities are possible on the cloud. Add to that the cost savings and better capacity management, and it’s no wonder so many have embraced it.
Certifications are one of the many ways to prove that the right security measures are in place, and their main advantage is standardization.
The two best-known security frameworks are SOC 2, which originated in the US, and ISO 27001, which is more common in Europe. Both are very broad and apply to any industry: they require that a baseline of security controls is in place, rather than prescribing controls for a particular product.
Other certifications are relevant to specific industries. For example, a manufacturer working for the medical industry may aim to obtain ISO 13485, the standard for quality management systems in the design and manufacture of medical devices.
When it comes to cloud security, SOC 2 is among the most credible proof points. The acronym stands for System and Organization Controls; SOC 2 is an auditing procedure, defined by the AICPA, that checks whether a service provider manages customer information securely. Based on their findings, the auditors issue an attestation report rather than a certificate: a Type I report describes the controls in place at a point in time, while a Type II report also tests that those controls operated effectively over a review period, typically six to twelve months.
Auditors assess the extent to which a vendor meets one or more of the five Trust Services Criteria – security, availability, processing integrity, confidentiality and privacy – based on the systems and processes in place. Security is the mandatory baseline in every SOC 2 report; the other four are included according to the service the vendor offers.
They examine everything from how new hires were given access to data, to how access was removed for employees who have left. They look at the backup procedure, disaster recovery plans and how quickly data can be brought back online.
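The offboarding check described above is one a customer can reproduce as well as an auditor: compare the HR roster with the application’s user export and flag accounts that outlived their owner’s employment, or were used after it ended. The Go program below is an added example written for this post, not Oqton’s code; the roster, the account export and the one-day grace period for deprovisioning are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Worker is one row of the HR roster; Left stays zero while the person is employed.
type Worker struct {
	Email string
	Left  time.Time
}

// Account is one row of the application's user export.
type Account struct {
	Email     string
	Active    bool
	LastLogin time.Time
}

// Finding is one exception an auditor would ask about.
type Finding struct {
	Email  string
	Reason string
}

// reconcile compares the HR roster with the application's accounts as of asOf.
// grace is how long after someone's leaving date an account may still be active
// before it counts as a deprovisioning failure. It flags active accounts of
// leavers past the grace period, any login after the leaving date, and
// accounts with no HR record at all (shared or service accounts need an owner).
func reconcile(roster []Worker, accounts []Account, asOf time.Time, grace time.Duration) []Finding {
	byEmail := make(map[string]Worker, len(roster))
	for _, w := range roster {
		byEmail[w.Email] = w
	}
	var out []Finding
	for _, a := range accounts {
		w, known := byEmail[a.Email]
		if !known {
			out = append(out, Finding{a.Email, "account has no matching HR record"})
			continue
		}
		if w.Left.IsZero() {
			continue // current employee
		}
		if a.Active && asOf.Sub(w.Left) > grace {
			days := int(asOf.Sub(w.Left).Hours() / 24)
			out = append(out, Finding{a.Email, fmt.Sprintf("still active %d days after leaving", days)})
		}
		if a.LastLogin.After(w.Left) {
			out = append(out, Finding{a.Email, "logged in after leaving date"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Email < out[j].Email })
	return out
}

// sampleData is a constructed roster and account export for the demo (not real data).
func sampleData() ([]Worker, []Account, time.Time) {
	d := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	roster := []Worker{
		{Email: "ana@lab.example"},                        // current employee
		{Email: "ben@lab.example", Left: d("2024-03-01")}, // left two weeks ago, account still on
		{Email: "cal@lab.example", Left: d("2024-03-14")}, // left yesterday, still within grace
		{Email: "dee@lab.example", Left: d("2024-02-01")}, // disabled, but logged in after leaving
	}
	accounts := []Account{
		{Email: "ana@lab.example", Active: true, LastLogin: d("2024-03-14")},
		{Email: "ben@lab.example", Active: true, LastLogin: d("2024-02-28")},
		{Email: "cal@lab.example", Active: true, LastLogin: d("2024-03-13")},
		{Email: "dee@lab.example", Active: false, LastLogin: d("2024-02-05")},
		{Email: "svc-backup@lab.example", Active: true}, // no HR record: who owns it?
	}
	return roster, accounts, d("2024-03-15")
}

func main() {
	roster, accounts, asOf := sampleData()
	for _, f := range reconcile(roster, accounts, asOf, 24*time.Hour) {
		fmt.Printf("%-24s %s\n", f.Email, f.Reason)
	}
}
```

Run against the sample data, the check reports three exceptions (ben, dee and the unowned service account) and lets cal through because the grace period has not yet elapsed. Running this on every export and keeping the results is exactly the kind of evidence a SOC 2 auditor samples when testing the offboarding control.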
After extensive investigation, the auditors write a report that can be shared with customers to prove the level of data security. The report lists in detail what the auditors checked, how they checked it, and the issues they identified.
In Europe, many companies focus on obtaining ISO 27001. It covers much the same ground as SOC 2, the preferred route in the US, but the two differ in form. ISO 27001 is a certifiable standard for an information security management system: an accredited certification body confirms that the organisation runs a risk-based management system that meets the standard’s requirements. SOC 2, by contrast, produces an auditor’s attestation report that describes the specific controls in place and how they were tested, rather than a certificate.
In addition to certifications, companies have other ways of demonstrating a high level of information security management.
Encryption is one. The best approach is to encrypt both data in transit, as it moves between your computer and the cloud (this is what TLS does), and data at rest in storage. Files should be encrypted before they are written to storage, not stored first and encrypted later. It also matters who holds the keys: if only the provider can decrypt the data, the provider can read it.
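To make “encrypt first, store second” concrete, here is an added Go example, not code from the original post or from Oqton, that encrypts a record with AES-256-GCM before writing it to a stand-in for the object store, and then checks that the stored bytes reveal nothing, that the record round-trips, and that a single flipped byte is rejected rather than silently decrypting to garbage. The object name, the sample record and the in-memory bucket are constructed; the key is drawn from the OS random source here, whereas a real deployment would fetch it from a key management service.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD; aes.NewCipher rejects keys that are not
// 16, 24 or 32 bytes, so a 32-byte key gives AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptForStorage returns nonce||ciphertext||tag, ready to write to the
// object store. objectName is bound as associated data, so a blob copied
// onto a different object name will not decrypt.
func encryptForStorage(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// decryptFromStorage reverses encryptForStorage. Any change to the blob, or
// a mismatched objectName, fails authentication and returns an error.
func decryptFromStorage(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// demo runs the flow on a constructed sample record and reports whether the
// stored bytes expose the plaintext, whether round-trip works, and whether a
// single flipped byte in the bucket is rejected instead of decrypting to garbage.
func demo() (leaked, roundTrip, tamperDetected bool, err error) {
	key := make([]byte, 32) // production: fetched from a KMS, never hard-coded
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return
	}
	const name = "scans/4711.stl.enc"
	record := []byte("patient=4711;scan=molar-16.stl;plan=crown") // constructed sample

	// Encrypt first, store second: the bucket only ever holds ciphertext.
	bucket := map[string][]byte{}
	if bucket[name], err = encryptForStorage(key, record, name); err != nil {
		return
	}
	leaked = bytes.Contains(bucket[name], []byte("patient="))

	got, e := decryptFromStorage(key, bucket[name], name)
	roundTrip = e == nil && bytes.Equal(got, record)

	// Corrupt one byte of the stored object, as a failing disk or an attacker might.
	bucket[name][len(bucket[name])-1] ^= 0x01
	_, e = decryptFromStorage(key, bucket[name], name)
	tamperDetected = e != nil
	return
}

func main() {
	leaked, ok, tamper, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible in bucket: %v\nround-trip ok: %v\ntamper detected: %v\n", leaked, ok, tamper)
}
```

Two design points carry over to any storage encryption scheme: an authenticated mode (GCM here) turns corruption or tampering into a hard error instead of garbled output, and binding the object name as associated data stops a ciphertext being swapped onto another object. Who holds the 32-byte key decides who can read the data, which is why customer-managed keys are worth asking a provider about.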
We can also consider single sign-on (SSO) a proof point because it lets a company limit and manage access to a system centrally. From a user’s perspective, SSO means logging in to multiple applications with one set of credentials. For the organisation, it means deciding in its own identity provider which employees may connect to our system and under what conditions, and revoking that access in one place when someone leaves.
The Manufacturing OS is the infrastructure underpinning our solutions for dental production, robotic welding and industrial additive manufacturing. It’s located on the cloud and can be accessed from a browser.
This comes with numerous benefits. Users can view data across distributed production environments. They get stringent, configurable security controls and the ability to scale quickly across different sites and departments, and access can be personalised based on roles in the company.
Best of all, it means customers can focus entirely on their work, while Oqton handles information security for them. As evidence that we implement these data security measures, the Manufacturing OS holds a SOC 2 attestation report, which is renewed every year.