Axel Buelow, CIO, SAP AG
As I speak to customers around the world about the Cloud, I am especially attuned to their concerns about security. After all, anytime you move data from the safety of your own four walls, it’s only natural to worry about where that data goes – and how it is protected.
I have found that some customer concerns vary by industry and region. For instance, customers in industries that handle sensitive data – such as banking, insurance, pharma, government, and energy – tell me they are particularly concerned about data integrity and confidentiality, while customers in the European Union need to meet local regulatory requirements that govern where data is physically stored.
But virtually all customers want absolute assurance that there is end-to-end tracking of any potential access to their data – as well as any changes to that data.
The SAP Approach
Fortunately, I am able to assure customers that SAP provides a secure and reliable platform that uses state-of-the-art encryption and data isolation technologies. These measures ensure that customer data cannot be accessed or manipulated by outsiders – including SAP itself.
Naturally, other companies offer similar approaches, but you should compare carefully to ensure that you get the right combination of security features for your organization’s requirements.
Four Keys to an Effective Security Strategy
From my perspective, an effective Cloud security strategy should include the following four elements:
- Certifications and attestations: Does your provider have the proper certifications, such as SOC 1-3/ISAE 3402/SSAE16, and ISO 27001?
- Regulatory compliance: Does your provider help you meet the specific regulatory requirements for your organization or industry, such as FDA, HIPAA, PCI/DSS or FISMA?
- Encryption: Encryption is an essential part of any security strategy. Does your provider offer secured or tunneled communication?
- Effective processes: Does your provider have the operational processes and governance model needed to support your requirements?
It’s not enough to get promises from your Cloud provider; you need proof. Therefore, ask your provider to do the following:
- Provide white papers that detail the technical and operational design of their system
- Clearly define a security incident and escalation path
- Clearly define all responsibilities and services
- Offer real-time security reporting or a dashboard that enables you to check the confidentiality and integrity of your Cloud-based systems and services
- Provide proper certificates and reports that prove proper security management and an effective internal control system to cover key processes
A Bright Future
Despite concerns, millions of Cloud customers around the world enjoy real security and peace of mind – through constant vigilance. And in the years ahead, we will see Cloud-based security technologies continue to grow more sophisticated – even as the potential threats also increase.
In my next post, I will address the critical challenge of staying one step ahead of the bad guys. And, I will offer additional thoughts on the future of the Cloud.
In the meantime, I recommend a new report from Oxford Economics, “Protecting the Cloud.” It’s available for free.