Despite the benefits and the increased use of Software as a Service (SaaS) in government and nonprofits, uncertainty about cloud security still exists. As the COVID-19 crisis forces the world to examine our ability to work from home, human services organizations are looking at creative ways to use the cloud to keep workers and clients connected. Casebook’s Engineering team provides some words of wisdom below on keeping your cloud applications secure.
Nine out of ten businesses that participated in the Oracle and KPMG Cloud Threat Report are currently using SaaS products, but fewer than one out of ten reported having a full understanding of their cloud security model, down 10% from 2019’s report. Cloud security plans and their execution are a direct reflection of the organizational structure, department boundaries and responsibilities, and ultimately the company’s culture and priorities.
Securing data, arguably the most valuable business asset, has shifted from being the responsibility of on-premises hardware security veterans to that of cloud architects and DevOps teams. Winning cloud security thinking starts when security is addressed and implemented in the following areas: software development life cycle, automation tools, quality assurance, secure code management, agile processes, and collaboration platforms. The cloud security model has to include everything from Slack and CI/CD (Continuous Integration & Continuous Deployment) to cloud root and admin account management and customer IAM management.
To ensure the correct emphasis on cloud security, the conversation around security needs and decisions must move from IT rooms to boardrooms. Corporate leadership on the highest level has to get buy-in for cloud security planning and strategy for years to come. As the DevSecOps and Business Information Security Officer roles are finally emerging, we see the first signs of corporate recognition of cloud security importance.
Many images and ideas flash by when thinking about cloud security, but a state-of-mind metaphor is perhaps the best way to describe it. Cloud security, like firewalls, VPNs, and other measures, is not armor with on and off states that will magically protect you, your data, or your clients’ data from all possible attacks. Driving proper cloud security hygiene requires top-down organizational education and alignment. Uninterrupted attention and focus on the following security tasks are a must, and security work never stops, even after all of the following components and areas are watertight.
The broadly adopted security fundamentals:
- Least privilege role-based access
- Multi-Factor Authentication (MFA)
- Password Vault adoption
- Root and Admin account restrictions
- Forced high password strength
- Password expirations
- Detailed data classification and restrictions
- Data encryption in transit and at rest
- On-going data backups
These additional security activities will make your cloud security model ready for the years to come:
- Security risk modeling and planning
- Prepare and model potential vulnerabilities
- Frequent exercise of security breach contingency plans
- Replace IT/DevOps human tasks with tested automated & scripted processes
- Assess the assigned internal and external credentials risks
- Eliminate all unnecessary access for directors, senior employees, and C-level executives, as their accounts are practically always the first lines of attack
- Real-time visibility into users and roles access level activities
- Smart data and log auditing with real-time dashboard results showing:
  - Who took what action
  - What resources were created, updated, read and purged
  - What events and triggers occurred
- Maintain compliance with industry regulations
- Always revisit the first rule of least privilege access
As an organization delivering a Software as a Service solution on top of a cloud-based platform, Casebook PBC takes the complexity of those requirements to heart. Every action we take in developing and deploying our software to the cloud takes these and many other security-related concerns into account, allowing our customers to rest easy, safe in the knowledge that we have built one of the most secure solutions for human services.
If you’d like to know more about Casebook security or some tips on how a paperless process can help data security, you’ll find that today you can’t afford to place your organization and clients at risk by not investing in securing your data.