M&E Journal: How Secure is Your Cloud Solution?
By Lulu Zezza, Co-Founder, One-Simple –
Only a few years ago we considered the cloud “unsafe.” Today we consider cloud solutions safer than our on-premise networks. This is largely true and cloud solutions are marketing their greater security as a key selling point. They willingly submit to audits of their security measures to enforce their marketing assertions.
There are numerous security standards by which cloud services are measured. The National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Cloud Security Alliance (CSA) all provide useful guidelines.
Thanks to the Motion Picture Association (MPA) and Content Delivery & Security Association’s (CDSA) joint venture, the Trusted Partner Network (TPN), the film and television industries will soon have industry- specific criteria by which we may assess the security of the cloud services producers and their vendors are relying on.
ut, the controls by which we review the security of our cloud services do not include the configuration settings made available to customers, nor recommend “best configurations.”
The myriad cloud services and their varied approaches to security make creating general best practices almost impossible.
Many customers incorrectly assume that because a cloud service vendor has met security standards, the customer will be secure in using the application as delivered.
In fact, the customer is responsible for assessing the service’s security options for their appropriateness for the business’s security policies, configuring the service’s settings to meet their business’s security requirements, and most importantly for their end-users properly using the service.
Quick, admin-free use of cloud tools
Out-of-the-box cloud services are preset to maximize convenience at the expense of security. For security, they rely on several assumptions:
–All customer employees are trustworthy and adhere to policy.
–All customer employees are capable of defining the sensitivity or confidentiality of their work product.
–All data files are owned by their initial creator or the individual who uploads the file to a service.
By default, document sharing solutions allow the “author/owner” of a data file to share the file with anyone. Contractually, an employee’s work product is the property of the employer and the “author/owner” of any work-for-hire is the employer. In the world of data management, however, the “author/owner” is the initial individual user to create or upload a data file.
So, when your payroll clerk creates a spreadsheet to track all the cast deal terms, or, your storyboard artist completes the storyboards for your film’s climax, they have ownership of that data file to classify and to share it as they please.
Free and consumer-grade licenses provide minimal security configurations, if any. Businesses must opt for the more expensive business or enterprise-grade licenses to implement security policies for role-based access and rules of least privilege.
Understand your security options
Finding the proper service and license is the first hurdle. Understanding the security options and implementing them properly are the next major challenge. The two biggest players in business collaboration have hundreds of security options. Microsoft Office 365 provides a security and compliance manual that is 2,258 pages long and Google G-Suite Enterprise does not offer a manual, instead directing you to Google each topic.
As you research cloud solutions, don’t stop at the marketing pitch. Dig deeper, ask for a configuration demonstration and make sure you will be able to control and efficiently manage:
–Who may access the solution and their categorization by group or role.
–What controls you may implement to enforce a policy of least privilege and grant users appropriate permissions to control other users, and to read, add, edit, delete, share, annotate, and classify your data.
–When users may access the solution: from the start of their employment or project, during specific working hours, and promptly stop their access at the end of their engagement or business need.
–Where may users access the service from: only the office, only within a certain geographic location, only from recognized devices.
–How users access the solution: limit access to your office network, or from smartphones or tablets, via mobile data or public WiFi; through a single-sign-on access broker; and/or verified via multi-factor authentication.
Many productivity and collaboration solutions lack most of these controls and if asked will recommend you implement separate security solutions such as identity managers (IDaaS), cloud access service brokers (CASBs), encryption solutions, etc. These require similar complex configurations and additionally must be tested for their interoperability.
Each will boast they “solve” your security but in fact secure a particular vulnerability and must be carefully combined with others to create a complete security perimeter.
Yes, cloud service providers have the means to implement secure networks and application deployments. They enable customers to store infinite amounts of files and data. They enable us to spin up and spin down without major capital investment. But while these solutions simplify some aspects of information management, they add complex administration responsibilities.
One-Simple guides and assists producers to properly select and configure the cloud solutions they are relying on.