Cloud Communications: 6 Questions to Ask on SecurityCloud Communications: 6 Questions to Ask on Security
You and your cloud provider need to work in unison to keep your communications and collaboration apps secure.
June 16, 2020
One of the positives to come from the work-from-home shift is a newfound awareness and appreciation of security among enterprise IT professionals responsible for communications and collaboration.
Zeus Kerravala, principal analyst with ZK Research, put it this way: They now see security as a must-have rather than a nice-to-have. That’s because the blurring line between the home and office and the big increase in the use of cloud services are growing an enterprise’s attack surface, he said.
Your typical office worker or contact center agent most likely has never worked from home. They don’t know the first thing about firing up a VPN client, let alone making sure all the configurations are properly set — and they’ve now essentially opened a backdoor into other enterprise systems from a network they’re sharing with somebody who might be playing Xbox or watching Netflix, Kerravala added. And chances are they use the same username and password across all their cloud-based apps, especially if these accounts have been spun up quickly in the haste to get set up at home — and that’s yet another security weakness.
Kerravala shared his perspective on security for communications and collaboration earlier this week during an Enterprise Connect Virtual Bootcamp webinar on why security needs to be a team sport. Besides this webinar (sponsored by UCaaS provider Fuze), the bootcamp features a variety of other online sessions, as well as a host of digital assets, aimed at helping enterprises devise their collaboration strategies in the next phase of the pandemic response.
Properly buttoning down communications and collaboration apps requires addressing security at all levels, none of which can be considered in isolation, Kerravala noted:
The network, with firewalls, intrusion prevention systems, and VPNs
Across the cloud, ensuring that cloud providers are encrypting traffic and have the appropriate certifications and compliance support
With the end user, via multifactor authentication and strong password protection
At endpoints, with endpoint detection and response systems and antimalware
“Each of these different security tools out there has a specific purpose; they can tell you a little bit of the puzzle. But in order for you to get a complete picture, you have to put all those puzzle pieces together. And so communications security becomes a multifaceted thing that does require teamwork, where all your teams have to work together,” Kerravala said.
Of course, the starting point will be the inhouse security teams and the security operations center. But it’s imperative to make sure your cloud providers are adhering to strict security practices — after all, “you’re only as secure as your weakest link,” he added. Toward that end, Kerravala shared six questions communications and collaboration managers need to ask their cloud providers. They are:
Can you share your SOC 2 compliance audit and testing results? If a provider has regular SOC 2 audits and ongoing testing (for privacy, security, and availability compliance), it’s not going to mind sharing results with you. And if it balks, agree to receiving the results under a nondisclosure agreement.
How transparent are your security policies? You want to be sure to understand how a cloud provider approaches security from a people and process perspective.
What kind of physical security procedures do you have in place? One area to focus in on is data theft protection.
What compliance certifications do you have? You don’t need to know about every single compliance certification a cloud provider has, “but you certainly need to care about the ones relevant to your vertical.”
How are you protecting my data? If your data is stolen, you need to know that it’s encrypted and unreadable.
Where is my data stored and how is it managed? Get the lay of the land in terms of where data is stored, by region, how it’s managed, and where it’s backed up.
To be sure, this list is far from exhaustive, but it’s a good place to start, Kerravala said. The point is, he added, you and your cloud provider “need to work in unison.”
