How does Kyos protect its data in a hybrid cloud environment?
Like most of our clients, we are increasingly using cloud services, which brings benefits as well as risks, especially in terms of data protection.
Even though the migration to a hybrid cloud architecture is slow, it is happening faster than you might think. Our suppliers and partners, for example, are pushing us to use more and more cloud services: we need to register opportunities related to identified client needs in partner portals built on Salesforce, activate certain licenses on cloud license management services, or create tickets for our clients on online ticket management platforms. In addition, with the automation of ordering, delivery and billing of cloud services, we will soon be forced to interface our systems with more and more external services if we want to remain responsive and competitive.
As a result, some of our client data may be stored on cloud platforms. For a company specialising in IT security and data protection, this poses certain challenges, particularly in guaranteeing our clients optimal protection of their data.
For each cloud service we use, we assess the risks and put in place measures to mitigate them as far as possible. We communicate openly about this reality and share our main practices with you out of a principle of transparency, but also because we know that you face the same challenges and that these measures may inspire you to address them better:
Automatic document classification and encryption
A good practice to protect the data included in documents is to encrypt them. Of course we systematically encrypt the disks containing this data, but since documents sometimes need to be transferred, we have opted to use Azure Information Protection to protect them. The encryption is carried out in a transparent way for the user according to the classification of the document. This makes it easy to protect the documents and to allow reading or writing only to selected people, even if the document is outside of our infrastructure.
Being convinced that the individual responsibility of employees is key, we have chosen to make all our employees aware and responsible so that they can decide for themselves whether to change the classification from “Confidential” to “Public” or, on the contrary, whether to restrict it to specific individuals only, even if they are external to the company.
Thus, by default, all documents that end up in the cloud, whether intentionally or not, are protected by encryption.
Systematic use of strong authentication
As with our internal applications, we require authentication to cloud services through Single Sign-On (SSO) and multi-factor authentication (MFA). Whenever the cloud provider allows it, we use our own external identity provider (IdP), hosted in our infrastructure.
This allows us to keep control of our identities and to avoid synchronizing our credentials (passwords) with cloud services, which strongly limits the risk that our cloud sessions are compromised or that our access is used by a malicious third party.
Moreover, between our information system, those of our clients and the cloud platforms, we have to manage thousands of passwords. We store them in a centralized, secure, on-premise password management platform.
In addition, we train our employees to use complex passwords, different for each service and randomly generated with the password generator integrated into our platform.
These best practices also apply to cloud platforms.
Limitation of exposed data and simplification of the architecture
The best way to avoid leakage of sensitive data to the cloud is to avoid putting sensitive data in the cloud. This includes making employees aware of the nature of sensitive data and empowering them to limit the amount and type of data that is entered into cloud platforms.
For example, our ERP tool ConnectWise is installed only on-premise in our infrastructure. However, since the ConnectWise Sell offer creation module discontinued its on-premise version, we were forced to migrate it to the cloud platform. We then assessed the risks associated with the types of data we include in our offers and made our sales teams aware of the need to include only non-confidential information in our quotes. For detailed quotes, they use a Word or Excel template on demand.
Moreover, we are convinced that the principle of simplicity remains an effective way to maintain a good level of security. We therefore advocate a simple architecture with centralized data, identities, access controls, etc. Indeed, the simpler the architecture, the lower the risk of error.
Anonymisation / Tokenisation of data
For the moment, we have not needed to implement anonymization / tokenization of the data held in cloud applications, because that data is not sensitive. But this solution remains a good option for using a cloud service while keeping the data inside the perimeter controlled by the company.
Our expert teams in this field, as well as Thales Vormetric’s tools, will enable us to deal with this type of problem the day we need to.
Compliance with ISO 27002 and CIS
In order to limit the risks, we regularly carry out security controls of our infrastructures and our organization against the ISO 27002 standard and the CIS Critical Security Controls.
Similarly, we require partners with whom we share sensitive data to adhere to the same standards. We therefore ask them to show us the measures they have put in place and, if necessary, to sign contracts that commit their responsibility.
In addition, we take into consideration the security rating of their entity as indicated by SecurityScoreCard in order to assess the risk associated with the use of their platform.
Awareness and internal phishing
The risk of data theft or identity theft can be limited with technical means of filtering and control. But the best defence is still to make employees aware of these risks by giving them the means to recognize the unusual or strange behaviour used in phishing attacks, for example.
We therefore regularly and systematically train all our employees with the same awareness courses that we offer to our clients. In addition, we use the KnowBe4 e-learning platform and regularly carry out internal phishing tests.
So even if a phishing attack targets one of the cloud platforms we use, we greatly reduce the risk of a successful intrusion.
Security in constant change
Even for a service company specializing in infrastructure, there are advantages to being able to consume services without having to operate them. Such services often give us a great deal of flexibility or access to features that would be too costly to deploy in our infrastructure, allowing us to offer our clients more efficient and higher quality services.
However, as the cloud and automation become widespread, our business will certainly evolve a lot in the coming years. That’s why we need to anticipate these changes by facing these new challenges now. In order to maintain an optimal level of security in a constantly evolving cloud architecture, we must regularly adapt the measures that are put in place. New threats are identified every day and new security tools are developed to guard against them. It’s up to us to adapt, and that’s what keeps our business exciting.
No measure is 100% perfect; we strive to find the best possible balance to protect your data without adding heavily to the associated management costs and, above all, without reducing the responsiveness you expect from our services. If you have any questions or concerns, do not hesitate to contact your sales representative.