As I fly back to Boston from RSA 2014, I can’t help but reflect back on how the Information Security industry has changed over the last few years. Conventional wisdom of this year’s conference is that migration to the cloud is inevitable. Four years ago, companies were bragging they “could never trust the cloud.” Now they sound just as ridiculous as the companies 15 years ago saying “Linux is a toy, we will never use it in production.”
In 2010, when I asked vendors about AWS support, I would get a deer-in-headlights reaction, or, even worse, the completely clueless “you can buy our hardware appliance, co-locate it somewhere and interact with AWS.” Today the response is much better: “oh sure! You can find our AMI on the Amazon marketplace and be up and running in no time.” The world has certainly changed.
One thing that particularly stood out to me at RSA was the industry’s struggle with the number of frameworks and pieces of legislation vendors are being asked to comply with. There’s the ISO 27000 series, SOC 2/WebTrust, PCI, FedRAMP, HIPAA/HITECH; the list goes on and on. In an effort to simplify the matter, the Cloud Security Alliance has the CSA STAR program, which is a certification against the Cloud Controls Matrix (CCM). While it’s comprehensive, it is only in the early stages of industry-wide adoption. As the cloud matures, it’s bringing conservative security leaders along with it, and overall the security mindset is shifting to “we trust the cloud; we just don’t trust all cloud vendors.” This has given rise to requiring SOC 2 audits and asking cloud providers to fill out enormous vendor security assessment forms. To reduce risk, it’s imperative that companies understand every detail of their cloud vendor’s security.
At Backupify we’re continuing to make improvements to the security of our cloud-to-cloud backup product, ensuring we comply with the necessary regulations. We operate under the philosophy that security is a process that must drive continuous change in order to respond appropriately to emerging threats. We’re an “open book” in the sense that we’ve adopted the WebTrust standard, have been audited and received a favorable SOC 2 Type II report, have subjected ourselves to external penetration tests by industry-leading firms, have been (and remain willing to be) pentested by customers, and are willing to complete vendor security assessment documentation regardless of the customer’s size. Of course, we’re also happy to jump on the phone any time to discuss our security practices, our architecture, or our implementation of AES-256/RSA-2048 encryption.
Despite the dizzying number of regulations, the RSA conference was energizing. At Backupify, we have an aggressive 2014 security roadmap that involves almost everyone in our company. The security of our customers’ data is our top priority, and this should be the philosophy of other cloud vendors as well. As you evaluate cloud vendors to partner with, make sure you feel comfortable when it comes to the security of your data. Ask about regulations and audits. At the end of the day, it’s your data, and you should be able to trust your cloud vendor. For more guidance on securing your data, check out our Google Apps Security eBook below.