Risk and Threat Management – Presented by Greg George

Afraid of the Cloud? You just need to ask the right questions…

Posted in Awareness by gtiadvisors on February 11, 2010

I’ve been receiving more and more inquiries from my social media circles and from clients regarding the various security risks associated with using Software as a Service (SaaS), i.e. the Cloud, so I thought I’d share a few thoughts on the current state of things.

There has been a remarkable increase in self-proclaimed social media “everything” experts on Twitter. Many of these people have also added ‘tech expert’ to their bio and are pumping companies and professional services firms to use the “Cloud.”

The problem: most I’ve seen appear to have little or no training or experience whatsoever in computer science, network systems or security, yet they have somehow magically become experts within months and have been offering “opinions” on SaaS in posts and articles they’ve written. What’s worse, others have been ‘blindly’ listening to, retweeting, and endorsing their recommendations, absent the qualifying parameters or guidance that should accompany them.

Joining the Cloud revolution may not be a bad idea for your firm, if you properly qualify your vendor, and have reasonable confidence in who controls your data.  There are many benefits as discussed in the ABA article referenced below.

As with anything in IT, the movement and changes within this environment continue to unfold swiftly, with many vendors jumping on the bandwagon claiming to be the end-all solution to your data storage and cost issues. But at what risk?

Primary considerations when evaluating a vendor:

  • How long have they been doing this?
  • What methods of encryption are used?
  • What is the origin of the software they use, and what do they use to protect your data? More specifically, where was the software developed, under what supervision, how many different parties have the code, and where are they located? See: High Tech Firms Who Outsource Software Development
  • How and where is your data routed?
  • Where is your data stored?
  • Disaster planning: can your data be recovered?
  • Does your vendor prospect use other vendors or multiple data storage centers? Who are they, and where are they located?
  • What vetting process do they use for employees, suppliers and resellers?
  • If your vendor goes out of business, what happens to your stuff?
  • Speak to colleagues using SaaS vendors and discuss the drill they used to select one.

Two sticky questions. Remember, this is your data: work products, confidential client matters, trade secrets, privileged communications, R&D information, financials, etc.:

What if your vendor is acquired? Are there assurances in your service agreement allowing you to opt out if you choose to, and if so, will all your data be deleted?

What if your vendor is acquired by a company based in a foreign country?

Maybe the acquiring company’s CEO, also a People’s Republic of China Communist Party official, will assure you your data has been deleted.

I fully understand the cost savings issue for large company operations, and there are ways to manage Cloud risk accordingly; however, most people providing professional services operate smaller firms. Here, we have three dedicated servers located in a fire- and blast-proof safe room; two are not given access to the Internet, nor are the computers used to access these servers, except for data backup purposes. They are used for storage of completed research, reports and records. At various intervals, data is backed up to servers off-site using strong encryption. Simple, cost-effective data management.

Not unlike a law firm, we manage sensitive and confidential client issues in our work.  When I am traveling and need to access certain files or initiate new cases and create documents, my firm has set up a Private Cloud (explained in The Posse List article below).

We chose a well-vetted and trusted vendor with a strong history of serving professional services firms and institutions using proven encryption, and we control everything except the physical storage. The physical storage is in the United States, and all data routing is contained within the United States (am I saying this loud and clear enough?).

Contractually, there are only two vendor administrators who can access the data for maintenance, upgrades or any troubleshooting. A note here: request background investigations on those having access to your data, completed by an independent firm, and include this stipulation in your services contract. You need to know who has access to the most intimate details of your business operations and clients.

I have selected a few articles for further reading: very good content for your consideration and review, also expanding on the data management issues, risks and threats I’ve addressed in this brief article.

All in all, right now, using SaaS simply comes down to a judgment call on what is in the best interest of your firm’s operations: ease of access, workflow and cost benefits vs. the associated risks.

_________________________________________________

Greg George is Managing Partner of GTI Advisors, Threat Management Practice Group. A senior advisor to executives, business owners, private equity investors, M&A teams and transaction lawyers, Greg provides guidance on matters of enhanced due diligence research, threat analysis, security issues, actionable intelligence, fraud avoidance, and corporate espionage realities. For further information please visit http://gti-advisors.com or contact Greg directly: greg@gti-advisors.com