Cloud Data Security: Is Your Company Its Own Worst Enemy?

By Mayukh Gon

People in all walks of life will do things that will turn out to be a detriment to themselves. Once in awhile, it’s helpful to take a step back and look at what’s going on to prevent these things from happening. This is the advice we would give a single person to ensure that he doesn’t make a horrible, horrible mistake. But what do you say to a company with a hundred thousand people in its payroll?

With the hustle and bustle of daily business, one thing is certain: A mistake will happen at some point of the day. Each day, companies have to check their paperwork, digital records, internet accounts, and logs to see whether anything is out of line. But every once in a blue moon, there’s that one little detail everyone missed. It may look little now, but in the grand scheme of things, it’s a ticking time bomb that will bring your company to its knees.

It’s things like these that end up in newspapers and, occasionally, our blog. In our last post, we spoke about Target’s little issue with a vendor that ended up giving away 40 million credit card numbers. These tiny details become ticking time bombs. The longer they remain unnoticed, the more likely it is that something will hit you. When you do get hit, perhaps the worst thing that can happen to you is to have been compromised by something that could have been prevented.

In many instances, you are your own worst enemy when it comes to securing your company. Complex procedures for administrators and software that could use some upgrading exacerbate the issues that can tear a hole in a company’s integrity as a trustworthy provider for its customers. With larger companies, this is much truer, considering the amount of software and data they haul around just to keep track of the data for their employees, let alone their customers.

Being behind a VPN and a firewall makes you feel safer, but companies as large as Target still fall, with or without a VPN. That’s not to say that employing these methods to secure your company will ultimately lead to nothing. What we’re saying is that you need to watch out for a few other things that can get in through your flanks. Here are a few pieces of advice we have:

Learn to de-provision correctly.

Companies use a variety of software applications on and off the cloud to ensure that their day-to-day work gets done. Each employee has their own individual account on each of the applications. But let’s say that you have to de-provision an employee that has left the company. Your administrator has written a document that describes the procedure for de-provisioning an employee from each app. It will remind him to de-provision an employee from Microsoft Exchange, Google Apps, SharePoint, Dropbox, and any other application that employee uses in his daily activities.

Oh! What’s this? The administrator forgot to include a reminder to delete the employee’s Podio account?

Let’s say that you have lost 400 employees in the last year. That means that there are 400 Podio accounts — some of them belonging to ex managers — floating around. If, at some point, one of those accounts is compromised (and this kind of thing happens all the time), then this gives the hacker free reign on your entire CRM system.

Before you de-provision someone on PerfectCloud, you have a list right in front of you of all the applications that this person uses. Provisioning and de-provisioning is more of a breeze and less of a hair-curling nightmare that people tell stories about around a campfire. By using this system, you ensure that you don’t leave behind any zombies. Besides, it’s also a cost-saving opportunity since you don’t have to pay for accounts that are inactive and forgotten.

Quell rebellions before they happen by employing access control.

If there’s one thing you learn from both being an employee and running a business for years, it’s that you don’t necessarily need to fire an employee to anger him. It’s not easy to please every employee in your company. Even if you have the best company in the world that hands out margaritas and cake at the end of the day, you’re still going to have a few people who would like nothing more than to watch your company burn to the ground before they announce their resignation on top of its singed remains.

Rogue employees are very careful not to talk about their plans until they’ve been executed. This makes it very difficult to tell who’s going to make your company blow over. To prevent this, you must prevent the wrong people from having any access to your company’s sensitive information at all. Doing this requires some sort of access control.

With PerfectCloud’s SmartSignin, you get to create tiered groups for your company. Managers can sit in one group while B&M employees can sit in another. Every time you provision someone under a group, all of the apps associated with that group will be provisioned to that employee as well. Groups are a great tool for ensuring that no employee gets access to applications that don’t belong to them. Only the applications they need will be accessed at any time, and you can further tweak this during the provisioning process by logging into the respective application and setting the tiered access control privileges that you feel are necessary in that particular environment.

“In case of fire, break glass.”

No matter what you do, you will always minimize your chances of getting compromised. There are things beyond anyone else’s control, such as a vendor’s database going kaput in the face of a hacker. These things happen, and there’s no way to prevent them from happening save for never using anything except your own company’s network of applications, which renders you completely non-competitive.

For this very reason, it’s wise to prepare yourself for any impending doom by encrypting every bit of data that you store outside your own servers (and perhaps even inside). PerfectCloud’s SmartCryptor will let you encrypt your data anywhere at any time. Its special Smart Key algorithm will ensure that all of the encryption happens on your end, making it impossible for hackers to acquire your key.

This is your last resort; the final layer of security you have before everything blows up. If all the hacker sees is gibberish, then no damage has been done.

Conclusion: The #1 enemy of every company is the company itself.

These are harsh words, but they ring true in the vast majority of scenarios where hacking takes place. If you have a close look at how all of these companies were hacked, much of it had to do with how they managed their data, who they trusted with it, and how their accounts were provisioned. This is why we gave you these pieces of advice. It is apparent that the principles discussed here are perhaps the most crucial when it comes to cloud data security!