Over OptiSol’s decade long high-end IT Services projects with clients across the globe, I am often confronted with questions about how we manage data, and in particular data on cloud. Clients are often rightfully paranoid about IP and unauthorized employees having access to their precious data and want my assurance about data integrity at Optisol.
We also work with startups and SMEs and help build their mobile and web applications. During my discussions with their CEOs and CTOs, they are also concerned on how best to answer these questions from their own clients or prospects.
So I sat down last week and put together a cheat-sheet of best practices that we follow at OptiSol and the right way to respond to these searching questions. You can also post it in a FAQ on your site plus add as a link in your marketing and sales documents.
1) What security features are built into the application?
Security is a key aspect of any Web and Mobile Application. Contrary to the common belief, security on the cloud fares far better than security on any On – Premise solution. The reason is because of the security approach enabled by Cloud Computing providers like AWS, Azure and Google Cloud. Experts in the cloud computing service providers take care of the Physical security of the servers, Firewalls and other networking components.
Solution Providers and application developers need not worry about the physical security. As Application Developers, we provide our expertise in the application level security including Access Control Layer Security and protecting application against web vulnerabilities:
* Cross-Site Scripting (XSS)
* Broken Authentication and Session Management.
* Insecure Direct Object References.
* Cross-Site Request Forgery (CSRF)
* Security Misconfiguration.
* Insecure Cryptographic Storage.
2) Who can see my information?
The agreements of all cloud service providers clearly indicate “Data is not shared to anyone”. Access to the data is available only through the restricted access control layer implemented through the application. We also use various encryption techniques to ensure data residing on the cloud and data transferring over the cloud is protected and accessible only by the authorized users.
3) What is your data encryption philosophy? Do you encrypt data?
Yes. We do encrypt data. In today’s connected world, it is imperative to encrypt data not just on the cloud but also the data in your On-premise data center.
4) How much control do I retain over my data?
Clients have complete control on the data. With necessary access credentials, Client users can access data anytime, anywhere in the world. That is the power of Cloud.
5) How is activity in my account monitored and tracked?
The control panel provided by Cloud service providers provide clear view of bandwidth usage and other server activity. At individual application level, audit control is maintained with clear indication of User, date/time capture on creation and modification of data.
6) Who manages the application on the back end and what policies are in place to thwart insider breaches?
The access credentials of production application is usually with the client representative. Whenever there is a need for production access, controls are shared by the client in a secure environment. We use specific tools to ensure production database is accessed from specific machines. Key data pertaining to privacy information are always encrypted. In addition, people accessing production data are subject to contractual obligations.
7) How is my data isolated from that of others?
Each server instance on the cloud can be considered as a security locker in a bank. Although the lockers are stacked in a bank, each locker is separated from others. Likewise, server instances deployed in different regions on cloud are separated for specific instances.
8) What happens if data gets corrupted or you lose some of my data? What is the backup and recovery plan?
We recommend and set-up backup of production application on different regions over the cloud. This ensures fault tolerance as well as backup and recovery.
9) Is data deleted completely when deleted from the application?
We recommend and implement logical delete and archive options at the application level. Data will not be deleted unless we force deletion from the application. Archived data can be moved to different data storage with options to retrieve data from the application.
10) What accreditation’s do you have?
We are Technical Partners with most Cloud service providers. For the past decade, we have been helping enterprises and startups increase their agility in product innovation by exploiting cloud computing. Cloud is more secure than you’re On-premise setup and it comes with agility, on-demand scalability, helping you to focus on your core business innovations. After all, your capex becomes opex.