Protecting data in the 2019 financial year: what cloud service providers and customers need to know

by Patrick Elliott, Vice President for Australia and New Zealand at Anaplan

High-profile cyber-hijacks garnered their share of global headlines over the past year. From Equifax’s major breach to Yahoo’s three billion compromised usernames and passwords, hacks and attacks cost companies billions in reputational damage and cold hard cash.

More recently, online recruitment service PageUp made the news in Australia after it self-identified suspicious activity on its network and took steps to investigate and contain the incident. 

It advised corporate customers and individuals that information pertaining to staff members, applicants and referees had been accessed by an unauthorised third party. 

Australia’s national Cyber Security Adviser Alastair MacGibbon noted that in an era of widespread cyber security threats, organisations had to be prepared to prevent, detect and respond to incidents, engage with relevant authorities and provide timely and open communications to those affected.

As the country enters a new financial year, cyber-criminals are likely to keep turning the heat up. Data is an increasingly valuable commodity and as more transactions are done in the cloud, hackers will continue to work overtime to find creative new ways to steal sensitive information.

Almost a third of Australian businesses were using commercial cloud computing services in 2017, according to research by the Australian Bureau of Statistics. 

Cloud service providers have a duty to provide best-of-breed security for customers, and company leaders should choose enterprise solutions with care.

Establishing trust

Customers need to know they can trust their Software-as-a-Service solution and cloud providers must meet this demand by using optimum security measures to safeguard customer data. There’s little room for complacency – rather, constant vigilance is required to counteract new exploits, such as the weaponisation of artificial intelligence, attacks on vulnerable Internet of Things endpoints and sophisticated ransomware.

Cloud service providers which take their responsibility to customers seriously are using techniques such as regular third-party security scans, advanced intrusion and exploit detection processes and other standardised security features. 

They’re also thinking beyond these standard practices and employing a ‘defence in depth’ approach to keep data safe. This term refers to the lining up of defensive mechanisms so that if one fails, another is automatically put in place to counter the attack.

To apply ‘defence in depth’ principles, experts recommend multiple layers of protection for a system that handles customer data. Rather than focusing on protecting a single aspect of a system, cloud service providers that deploy a defence in depth strategy secure hardware, software and even processes. An end-to-end approach is ideal to address hacking threats that are coming from every direction.

Customers are looking for trustworthy providers

In a high-threat environment, not only do cloud service providers have an obligation to offer robust security to customers, customers have a duty to evaluate SaaS solutions carefully and make sure the most up-to-date measures are in place to protect sensitive data. So, what should companies look for in SaaS security? And which specific measures are critical to address today’s threats?

On a cloud platform, multiple authentication options are a must, including protocols like Security Assertion Markup Language (SAML), which lets company administrators control authentication without the cloud service provider having to store user passwords. Access control options are a must as well, so that company administrators can maintain separation of duties.

When evaluating cloud service options, customers should also make sure the provider runs consistent third-party penetration tests and shows evidence of compliance with stringent standards, such as International Organisation for Standardisation (ISO) or Service Organisation Controls (SOC) certifications. These certifications indicate that the provider has passed an independent audit.

An emerging security solution, Anaplan Bring Your Own Key (BYOK) may be ideal for organisations that require the highest levels of compliance and security. BYOK gives companies the option to manage their own encryption keys, allowing them to encrypt and decrypt workspaces and maintain sole access to their most sensitive data in the cloud. This solution gives companies the ability to obtain audit logs of encryption activity.

Facing the future with confidence

Today’s heightened threat level imposes responsibilities on both sides of the equation. Cloud service providers must continually evaluate their security posture and ensure it offers rigorous protection to customers. And leaders who are charged with protecting their organisation’s data, assets and customers must take care to choose the solution which best meets their particular security needs.

The hacking threat won’t go away anytime soon – if ever. But with the right approach, cloud service providers can deliver a platform experience that meets customer privacy and security requirements. 

And with knowledge of the latest security trends and innovations, Australian business leaders who are responsible for keeping their companies’ data safe can face the future with confidence.