Thus far, we’ve spent a lot of time examining the core principles of the GDPR and other pieces of data regulation, and we’ve worked through some of the implications these documents carry for the UX and back-end functionality of consumer-facing applications. But there are, of course, many other components to your business’s robust, secure data operation. In this article, we’re going to look at core principles of making sure your hardware, software, and web applications are spec’d to better withstand attack. It’s no secret that threats to digital security are on the rise, and the consequences of a data breach can be – hello Equifax – a PR nightmare of epic proportions. Start with the steps below to get smart about your company’s infrastructure…
Encrypt On-Premise Storage Devices – Many businesses continue to use SSDs and HDDs as a backup storage solution. Data on these devices should be encrypted and password-protected; doing so greatly reduces the risk that it will be accessed by bad actors in the event the storage device is taken.
Assess Network Security – The infrastructure that hosts company communications is vital to your ability to do business, but to malicious outsiders, each device is a potential breach point. Your wireless router. Your company phones. Your web servers. It’s easy to overlook these when you’re just starting your company, but we strongly recommend that even small startups get serious about protecting their data by conducting a network security assessment to identify potential risks to their systems, then working with a partner to mitigate them. This may seem like overkill, but remember that what you do now saves you in the future, particularly if you’re a success and grow rapidly – you become a greater target and your risk increases, so getting your house in order early will safeguard you later.
Employ Due Diligence with Hosting Platforms, Third-Party Libraries, and Code – Online resources are a great way to develop solutions quickly. For this reason SaaS platforms have grown increasingly popular, and of course, third-party libraries have long been an essential tool for letting development teams work efficiently. It should never be assumed that any one of these resources is impervious to attack. At the very minimum, your team must perform due diligence on any modular component it uses as part of its solution. Are there reported vulnerabilities? What are the ways to mitigate them?
At a minimum, cloud service providers should be complying with criteria such as:
- SOC 2 (SSAE16/ISAE 3402) – a report based on AICPA’s existing Trust Services principles and criteria that evaluates an organization’s information security, availability, processing integrity and confidentiality capabilities.
- ISO 27001 – This is one of the most widely recognized, internationally accepted independent security standards. It is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
- ISO 27018 – An international standard of practice for protection of personally identifiable information (PII) in public cloud services.
- PCI-DSS – If your company intends to accept card payments, and to store, process and transmit cardholder data, you need to host your data securely with a PCI DSS-compliant provider.
- Privacy Shield – Privacy Shield Frameworks are designed to provide a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.
- FedRAMP – The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
In some cases, it can be a good business decision to forgo the security features included with a given hosting platform in favour of building your own. If your company is handling financial data, we recommend building your code from scratch and using a five-level encryption process to ensure data cannot be read even if stolen during transfer.
SSL Your Site – On the point of data transfer, it is increasingly non-negotiable for businesses conducting any sort of online commerce to invest in an SSL certificate. An SSL Cert, in the words of the makers themselves, “is used to keep sensitive information sent across the internet encrypted so that only the intended recipient can access it.” If you’re in development, you understand the many waypoints a piece of data travels through in its transmission; encryption is vital. Furthermore, SSL Certs provide authentication that lets users know they “are sending information to the correct server and not an imposter”. Do they know the technical implications of what this means? Unlikely. But they certainly do get nervous when their browser bar flashes red and warns them that the site may not be trustworthy. The bounce rate from this alone is enough to justify SSL investment for almost any business.