This is a guest post written by Ryan La Roche, Principal Security Architect at Zimbani.
The benefits of cloud are well understood; the ability to rapidly onboard business applications (such as a workplace management system), a reduction to capital expenditure, the economies of scale and a host of other reasons.
This has resulted in many organisations adopting a “cloud first” policy, that is looking for cloud solutions before consideration of more traditional on-premise technology solutions. But on the other side of the coin, cloud can open a proverbial can of worms around technology, data security and privacy risk.
Over long periods of time, organisations have made significant investments in security people, process and technology. Many of these capabilities become redundant and ineffective by moving towards the cloud. Because of this, customers have become reliant on the cloud providers themselves to invest in and operate security on their behalf. Because of this, selecting the right vendor for a workplace management system to protect your information and your organisation’s brand is paramount.
Below are 5 key questions you should be asking your cloud-based workplace management system vendor to provide yourself some assurance that you and your staff’s information is secure.
1. Where does your information reside?
The physical location of the information in a cloud workplace management system is often disregarded or forgotten. To many people, the cloud is an ethereal concept. But at the end of the day, your information is sitting in a computer data centre somewhere in the world. This can have several implications:
- Privacy law. The information you put into a workplace management system is considered PII (personally identifiable information) and that means is it protected by law in many countries. Some countries (like Australia) will provide principles and guidelines ensuring you simply take due care. While other jurisdictions, such as the EU, are very explicit about where PII is allowed to reside. Find out what your legislative obligations are regarding data security and privacy and ensure that your provider is able to accommodate them.
- Data sovereignty. Every jurisdiction has different laws in place regarding what government and law enforcement can request from a cloud provider. In some countries a government agency could subpoena your workplace management system information for a court case or investigation. This also has the possibility of impacting your privacy obligations discussed above.
2. Do you support single sign on and identity integration?
One of the most common issues with cloud services is a lack of integration between your company’s identity and access management systems. These systems allow you to sign on to all applications using the same username and password or even do it transparently. Traditional on premise solutions will be tightly coupled with your HR systems, ensuring your staff’s access is automatically added or removed when they join or leave the organisation. In the cloud this process is often manual and ad hoc, often resulting in staff retaining access long after they leave an organisation.
A mature cloud provider will have mechanisms in place to automate this process to ensure your staff have access to your workplace management system when they need it but will also have access removed when they don’t.
Many #workplace cloud services lack integration between your company’s identity and access management systems.
3. Which security standards and certification do you comply with?
Most organisations will have requirements to comply with one or more information security standards or certifications. You are going to want to ensure your workplace management system provider is also compliant with these. Even if you don’t have these requirements, by showing compliance a cloud provider can demonstrate some level of security competency. Compliance does not provide definitive assurance that the provider is secure but it should give a base level of comfort. Compliance will also generally speed up any third party assurance activity your IT security or risk functions may want to perform.
Look for international standards such as ISO27001/27002 and SOC. If you are a government agency, ask about compliance to your applicable government security standard such as Australia’s ISM.
4. How do I audit user activity on your platform?
Many cloud providers fail to provide a mechanism to allow you to see what activity is taking place within the workplace management system. Who made a change to that floor plan? Who assigned a floor to a particular business unit? Who deleted some critical information? Having the ability to audit user activity is critical to securing a platform. This ensures staff are accountable for their actions and is a key piece of evidence in the event of a security incident.
5. Will you provide me with a pre-production environment?
A pre-production environment is a separate instance of your workplace management system to one that you rely on to do your job day-to-day. What does this have to do with security? A lot! Beyond protecting the confidentiality of your information, security involves protecting information integrity and availability. A secure system is of little value if the information contained within it is corrupt or it is inaccessible. A pre-production gives you a safe place to provide training, experiment and stage changes to your environment without risking your live business information.
Most internal IT policies and many widely used IT service management standards, such as ITIL, will require you to maintain pre-production environments. Being in the cloud is no excuse. By complying with these requirements, you are going to make any internal sign offs or onboarding by your IT teams a smoother process.
Properly vet your workplace management system for security to avoid costly mistakes
These questions are not a definitive list, but by asking them, you will be well on your way to selecting a cloud workplace management system vendor (or any cloud software-as-a-service vendor for that matter) that is protecting the confidentiality, integrity and availability of your information. They will also assist in ensuring you remain compliant to your regulatory and legislative obligations. Also, always remember to engage your IT security and risk functions early. Early engagement means less surprises and generally less cost in the long run.
Watch this video to learn more about the cloud data security measures you should expect from a workplace management software vendor: VIDEO: Workplace Management Cloud Data Security.
Data security and integration with your internal systems is a key issue that you must take into account and weigh heavily in your comparison and evaluation of a workplace management system.