There’s no denying that solutions that optimise data capture business success today. Platforms as a service that handle many aspects of an enterprise’s customer-facing data have revolutionised the way large companies interact with their customers, driving increased personalisation, better service, and higher value interactions.
This flexibility of PaaS solutions such as Salesforce has enabled an amazing 360-degree customer experience and tremendous growth in value. It has also enabled citizen developers to take governance into their own hands, often without the appropriate understanding or controls required to minimise the threat of bad actors, internal or external to the enterprise.
Most PaaS solutions are outfitted with a proactive security framework to enable success, but many CISOs, CIOs, and IT leaders lack the full understanding of the shared responsibility required to ensure ongoing compliance.
There are some common scenarios we’ve all heard of, such as the pharmaceutical rep who brings his book of business with him to a competitor. And then there are more surprising scenarios, like the healthcare organisations that unknowingly expose protected health information to all their customer service reps, or the wealth management companies whose summer interns have access to all the Social Security numbers of their high net-worth customers.
These are vulnerabilities created, more often unintentionally, by admins and developers trying to support the business the best they know how. They are also preventable with the right governance framework and internal controls to limit access.
The robust security capabilities offered by the PaaS often get purchased and “turned on” but don’t actually do anything to provide insights into risks or prevent the actions of bad actors. As with many security capabilities, enterprises unfortunately buy and “turn on” these premium features without an understanding of what their responsibility actually is nor how to create the appropriate governance model based on the real threats.
Why PaaS can be a vulnerability
Platforms as a service offer tremendous security capabilities but can be implemented in an insecure way when data governance is an afterthought. The tremendous flexibility to support the line of business tends to be the driver, with governance and compliance relegated to a last-minute scramble.
Vulnerabilities happen when the wrong people — or maybe worse, everyone within an organisation — receives unfettered access to the data housed within a platform. Granting systemwide administrative access to anyone on the payroll is a recipe for disaster. Why do part-time interns need access to sensitive information like Social Security numbers, loan origination data, and credit card specifics? You guessed it: They don’t. In cases such as these, ignorance is not bliss. It’s dangerous.
The first step in correcting this common mistake is learning exactly what data lives in your enterprise’s PaaS. You need a clear, objective data-governance plan, so everything from compliance needs to shareholder obligations need to be accounted for.
Some questions that can guide your data audit include:
- What information actually sits in your instance?
- Where is information being stored?
- Who has access to the information?
- Are you meeting compliance requirements?
- How do we value the data?
How to achieve proper security
It may sound odd, but thinking like a hacker can help shore up your platform’s security. Find the holes and cracks, and work to spackle them shut. Once that’s accomplished, resolve to continuously assess risks and perform mitigation. Staying up-to-date on your security posture requires constant effort, and eating the elephant is easier one bite at a time. Start with figuring out your why and informing an aligned road map forward.
To shore up your platform’s security and protect your data — the lifeblood of your enterprise, implement a few basic steps:
1. Figure out who cares: Determine who in the organisation has expertise, knowledge, and accountability to your PaaS data. If you can’t find owners who care, you should assume your problem is larger than you realise.
2. Start somewhere: Data inventory and classification can be scary, but if you don’t know the data you have, it’s difficult to determine how you feel about it. Start with a simple exercise to learn what is collected and stored in your system. From there, you have context for how you value this data and what are the appropriate controls to put in place.
3. Ask who sees what: Start with some hypothetical scenarios and see what answers come back. Do the right people have access to the right information? Have you applied a privileged access management approach to the data?
Once you’ve started with these basics, you have the knowledge to create an actionable strategy to get where you want to go. Remember, proper security is not a checklist; it’s an evolving journey without a final destination. Your governance journey evolves as your PaaS evolves, one agile sprint at a time.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.