Compliance and Cloud Security
28 Jun, 2013 By: HK Bain
The use of cloud services is exploding among enterprises. In fact, IDC estimates the cloud sector is growing at a pace five times that of the overall IT market. As a Value-added Reseller (VAR), how will you help your customers navigate the sometimes murky waters of choosing the most secure cloud option?
The amount of data in today’s digital universe is five times the size it was in 2008. However, while digital content is growing, IT budgets for managing storage and infrastructure are down. Businesses are desperate to move away from the cost and complexity of managing their own data storage by pushing these functions into the cloud, and they’re looking for VARs who can help.
As you help your customers evaluate cloud options, security is a chief concern. Cloud security boils down to two simple concepts: 1) match the product’s feature set to your customer’s specific compliance concerns, and 2) help your customer ask the cloud vendor tough questions about their security protections, processes and protocols to ensure they will follow through on promises.
Find the Right Feature Set
As you know, different regulations require different features to protect sensitive or private information. To really leverage your ability to help your customers comply with regulations like HIPAA, meaningful use, the Federal Rules of Civil Procedure (FRCP), or Sarbanes-Oxley, you need to understand the core tenets of each regulation and be able to match those requirements to specific product features. Though each regulation requires something unique, many share similar concerns. Your task will be to choose the right cloud offering: one that meets common needs and can be customized to meet more complex concerns.
Common features you should demand:
• Individual security protections and access rights that can be based on user or group
• The ability to protect specific documents and document types
• Documented system auditing that allows you to track who accessed information, what they did with it, and why
• The ability to lock down printing and distribution rights to authorized users
• Data encryption both during transmission and when information is stored
IDC. “Two studies shed light on cloud computing boom” as cited in Processor Oct 5, 2012, p. 16
Gantz, J. and Reinsel, R. “As the Economy Contracts, the Digital Universe Expands.” IDC May
Check your Cloud Provider’s Security Protocols
The growth of the cloud has been a double-edged sword. As vendors rush to convert software offerings to the cloud model, they have given customers many new cloud options. However, some vendors have taken shortcuts on critical architecture and design concerns that arise when passing information over a public network (like the internet) and sharing hardware resources between multiple customers. You need to help your customers by asking cloud vendors tough questions about their services. We suggest you start with the following basic considerations:
• How long have you been offering cloud services? (You don’t want to be one of the vendor’s first “experimental” cloud clients!)
• Was the software specifically designed as a cloud solution? (If not, ask what changes were made to the system architecture and why, when it was moved into the cloud.)
• How is my information secured at rest and during transmission? (Encryption should be available for both.)
• How is information accessed? (Make sure the server you interact with does not have direct access to document storage and databases. Avoid systems that allow document access via a URL or website address without first requiring authentication, such as a user login.)
• Is the network where information is stored used for any purpose other than cloud services? (The answer should be “no.”)
• Do you supply your own security infrastructure or is it outsourced? (Your vendor should handle firewalls and system management personally.)
• Is security verified on a regular basis by an independent third party? (Look for a vendor that uses a third party to test network vulnerabilities and verify security.)
• What physical security measures protect the data storage system? (Basic physical measures should include: a locked-down facility requiring identity verification for entry, rigorous background checks for network administrators, system administrator access secured by two-factor authentication devices such as RSA, and regular security process audits, such as SSAE16 certification.)
If you or your customers are not satisfied with the vendor’s responses to any of the above questions, find another vendor.
Want to leverage the cloud boom into new revenues for your business? Become a cloud security expert! Your customers will rely on your knowledge to help them choose the cloud service that best suits their individual security considerations, and they’ll turn to you for additional help with other business issues.
(3) This information is an excerpt from Ten Security and Reliability Questions to Address Before Implementing ECM. Learn more at: http://download.digitechsystems.com/WebResourceKit/Marketing/WhitePaper/TenQuestionsBeforeBuyingECM_2012Updated.pdf
Article by HK Bain, CEO, Digitech Systems, Inc.