Home Insights How To Secure Your Cloud With Gulf companies increasingly moving their business applications to the cloud, Lutz Bartsch, chief technologist at SAP Cloud, explains how best to secure your data.  by Lutz Bartsch November 29, 2014 Privacy policies in the Gulf are strict: Whoever collects personal data must ensure that the data is kept secret. But how can Gulf companies best ensure their data security? The challenge here and elsewhere as well is that companies often lack the capability and the experience to make their data secure. Data theft does occur and we’ve seen high profile examples of this in the press, which can have far- reaching implications. Gulf companies have started to move or are increasingly considering moving to cloud based applications, both internal and external, like candidate application portals, in which data entered by employees or candidates is transferred via the Internet to the internal solution. INTERNAL OR SERVICE PROVIDERS? Data security is the responsibility of the person or company who collects the data. Companies must ensure that data is kept secure during the transfer and processing. However, this accountability is tricky when an organisation has outsourced its applications i.e. putting them ‘in the cloud’. If companies cannot take direct responsibility for their data security, then they must carefully select a service provider which takes this responsibility for them. The provider must be able to clearly commit in a contract and demonstrate what security measures they have implemented and how they ensure the protection of the data. Before they subscribe to the service, customers should also have access to data centres, which can be inspected by their own auditors. Service providers must also ensure that their Internet traffic is continuously monitored for threats and attacks, and customer data is secured using the latest data encryption technology. IT STARTS WITH APP DESIGN A secure web application starts with the application itself. A cloud solution is hard to protect if it is not designed for that purpose. To ensure the security and data segregation, the best cloud applications are architected for the cloud from the beginning as multi-tenant cloud solutions. Industry best practices include the Open Web Application Security Project (OWASP), and ensuring that every data release is passed through a security quality gate. When leveraging third party solutions or Open Source frameworks, a cloud provider’s security consultants should execute a deep dive investigation first, to ensure that there are no backdoors in the application and operations environments. Further best practices include developing code internally, executing independent ecurity validation pre-release and against the live solution on a daily basis so the cloud solutions are secure even against new potential threats, and implementing security architectures that are patent pending. BACKUP DATA CENTRES ARE ESSENTIAL When searching for data centre providers, customers need to ensure that there are backup data centres. Should one fail completely, even with the probability of that happening being extremely small, the other data centre can take over. Even in the event of a power failure of both connected power grids, the best data centres are equipped with batteries and diesel generators, allowing them to run for days completely independently. The best data centre providers should have two data centres in every region in the world, with the data of customers maintained in both. Customers should also look for data centres that have the highest reliability and extended redundancy, Tier 3 or even Tier 4 levels, along with a low risk profiles for environmental impact, transport, and industry risks. MEETING PRIVACY EXPECTATIONS Cloud security cannot be an afterthought for the Gulf’s companies, especially as increasing mobility drives more companies to cloud-based applications. But by leveraging best practices from industry leaders, companies can drive innovation, boost the region’s economy, and meet customer and government demands for strict privacy. 0 Comments