This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
It’s a business nightmare that we’ve actually seen quite a few times.
- A business locked out of a server containing important documents.
- A cloud application giving a business no visibility into data security or compliance.
- A website hosting provider going radio silent when a business needs to access the website’s backend.
Control over your data is important for a variety of reasons. You need access to data for business purposes. You need to ensure your data is secure. And you need data governance to meet compliance requirements.
So how do you maintain control over your data when someone else manages your network, applications, and/or website? This article offers some tips and best practices to help you keep control. If the below assessment worries you, then you may need to work with your existing IT provider (or a get a new IT provider) to get your data under control.
1. Assess any current vendors with access to your data.
This seems like an obvious point, but many businesses find themselves in situations where they did not vet vendors thoroughly before giving them access to important data. Whether a managed service provider, cloud application provider, or website hosting provider, it’s important to ask:
- Who will have access to your data? Who is managing it? Will you know the people who access your data? What kind of background checks are conducted on these people?
- What data will they be able to access? What boundaries exist to prevent unauthorized users from accessing sensitive data?
- Where is the data stored? In the United States? Somewhere else in the world? What happens if you were to sue for access to your data in case something goes south with the vendor relationship?
- How is your data stored? In a cloud data center? A traditional data center? On your premises? Is your data intertwined with other customer data?
At a high level, you need to make sure that vendor employees don’t have arbitrary access to sensitive business data and that high data security and governance standards are upheld. If a vendor is not forthcoming or unwilling to answer the above questions, then you may want to consider another vendor.
2. Create clear data access and authorization policies.
If you don’t have data access and authorization policies, then how can you effectively evaluate whether or not a vendor is violating those policies? Some important steps include:
- Establishing clarity around business access needs versus technical access needs: Just like each of your employees only needs access to the data required to do their job, your vendors should follow the same philosophy. For example, a managed service provider may need temporary access to a server to solve a specific technical problem. However, they should not be logging into that server—or have user access to that server—for non-essential reasons. Clarifying those boundaries is very important, and your vendors should be transparent about how they maintain those boundaries.
- Clarifying upfront your need to access data related to your business role: Your data is an asset—your asset. Thus, authorized people within your company should have access to that asset. Clarify that someone in your business can access important servers, applications, and websites. In other words, if your IT provider became suddenly unavailable, could someone from your business access important data? If the answer is “no” or unclear, then you need to turn that answer into a “yes”—even if it means getting a new vendor.
- Creating a strong password policy: Ideally, using a password manager along with 2FA (Two Factor Authentication) will ensure that passwords remain strong, regularly changed, and hard to steal. Weak password practices (such as using simple passwords or sharing admin passwords) makes it easier for employees and vendors to log in without authorization. Plus, a password manager can help you avoid the problem of forgetting your password or having to ask the vendor for access.
- Working with your IT provider to monitor and control user accounts: This includes making sure you have access to important data while also clearly restricting vendor access to data. Both you and your managed service provider should be able to monitor who can log in, and with what permissions.
- Including mobile devices and bring your own devices (BYODs) in your access and authorization policies: Mobile devices and BYODs can be weak data governance points. Make sure that data access and authorization is just as strict—but also possible—for people using mobile devices and BYODs.
3. Consider private cloud hosting for critical data and applications.
Businesses may commonly hear about public cloud hosting, and many vendors are go-betweens as they host your data in big cloud data centers. This adds a degree of risk if your data is particularly sensitive and confidential. In most cases, these risks are mitigated if a vendor is trustworthy (see below), but private cloud hosting is a way to reduce data access risk even more.
Private cloud hosting works just like public cloud hosting but keeps your data separate from any other customers, allows for greater security, and offers you a dedicated team that oversees your data. You may just want to host part of your data, such as your most critical data, in a private cloud hosting environment. Otherwise, you may have to wait a long time until a top tier cloud hosting provider gets to your support request about your inability to access your data.
4. Ensure that you are logging and auditing.
If you do run into data access issues, it helps to have logs and audit trails. Typically, logging exists to help IT professionals diagnose problems. However, it also helps to analyze suspicious user behavior. Think of it like evidence needed if you want to demonstrate that unauthorized users are accessing your data. Without logging and audit trails, you will not have any record of vendors possibly accessing your data in an unauthorized way.
5. Evaluate the trust of any provider you use.
If you are making a decision about a new vendor—whether a managed service provider, application vendor, or website hosting provider—then you need to assess how much you can trust them. Luckily, some ways exist to make this evaluation:
- Longevity and stability: We’ve encountered horror stories from time to time when a startup suddenly went under and a business had a matter of days or weeks to transfer their data to another provider before it disappeared forever. In a world with thousands upon thousands of vendors, look at a company’s longevity, stability, and public track record. That doesn’t mean you can’t trust a startup, and many are best-of-breed. It just means that you need reassurances that they won’t disappear on you tomorrow or next month.
- Large team with depth and breadth of experience: Look for vendors with large, experienced teams so that you are not relying on one person or a few people who may not know how (or are not always available) to help you. If an important point of contact leaves a small vendor, you may find yourself in a situation where no one there quite knows how to help you access your data. Large teams will also more likely have enough expertise to handle complex data access issues.
- References: Look for references. Read the company’s case studies. Talk to their customers. Ask your network about the vendor. If references and reassurances are lacking in this area, then it could indirectly signify a poor track record and lack of trust with customers.
- Proposals and agreements: Examine the vendor’s proposals and agreements carefully. For example, Google is upfront and clear about data lifecycle, access, security, and compliance. If a proposal seems fuzzy, unclear, or alarming to your legal team, then work to clarify the language or consider another vendor.
Data access and authorization is one of the most important aspects of your IT strategy, and you need to make sure another vendor doesn’t hold your data hostage. The above tips and best practices should help you think through your current situation, work with your vendors to get more clarity around data access, and possibly get you to start working with new vendors if you see red flags with your current situation.