The Intersection of Legal and Compliance is Data Security
I have a tremendous amount of empathy for the legal office team who, in recent years, has been asked to get savvy, and quick, on the security features of Cloud applications. Legal office budgets are expanding to take on more Governance, Risk and Compliance (GRC) functions; at the heart of the GRC function is security–protecting against liability, protecting against threat, protecting against chaos. Security roles are deeply specialized, highly technical, and are wrapped in a layer of acronyms that make the domain all but indecipherable to the uninitiated. Add to that the stress of knowing that a single vulnerability might bring down a company, and the prospect of climbing the mountain of security knowledge seems, frankly, terrifying.
But it doesn’t have to be.
In an earlier post, I took a step back to do a landscape survey of the types of security threats legal teams and their IT counterparts are concerned about. In this post, I am going to take a deep dive into the two major categories of security features cloud vendors offer to address the threats.
Product vs. Operations
All security-related activity in cloud vendor companies falls into either the “product” category or the “operations” category. Product security features are things that directly touch the product or the underpinning architecture of the vendor’s technology. Product security features are the bricks, moats, bows and arrows of the castle. Operations features, by contrast, are the army. Operations is made up of the people who hold the shields, who raise and lower the drawbridge, and who control who has the keys to the vault. As a buyer, you should be looking for a vendor who balances the two. The castle won’t stand without the army, but the army is toast without the castle.
Building Secure Technology
As a product person, I’m mostly focused on the product security features category, because these are the items that vie for space on our roadmap and that need to be considered by engineering early in the requirements process. Some of these features deliver vast quality-of-life improvements to our users as well. Consider single sign-on (SSO) and its cousin, multi-factor authentication (MFA). From the buying company’s perspective, both are needed as part of a mature federated identity management approach. From a user’s perspective, however, they reduce friction in the sign-in process and overall reduce cognitive load. Everything we build is built with both the buyer’s and the user’s needs in mind.
Product security features include:
- Multi-tenant architecture
- Encryption key management
- Identity management services
- Multi-factor authentication
- Granular roles and permissions
- Integrations
Security-Focused Operations for Enhanced Protections
In addition to focusing on the product security features, we partner deeply with our security team on the security operations category. The security operations umbrella covers all the people, processes, and tools the cloud vendor uses in daily business. Most of these features will be hidden from the buying company and the users. Because security operations are mostly hidden, however, the level of communication and transparency between vendor and buyer is crucial. If a vendor doesn’t show up for the security operations conversation, an alarm bell should sound.
Security operations features include:
- Certifications, like SOC 2 Type 2
- Background checks for employees
- Secure access to physical plant
- Secure access to production data
- Penetration testing and response
- Threat detection and response
Published July 29, 2020.