In our podcast episode, Anthony Green, CPABC’s manager of security operations and compliance, speaks with Pax8's Mariane Louvet, director of sales in Canada, and Matt Lee, senior director of security and compliance, to get their insight into best practices when selecting a cloud service provider. Part of our Coffee Chats with CPABC podcast series.
It’s become common practice for organizations to use a cloud service to store data, ranging from employee and workplace information, work files, to client data. With the ever-increasing amount of data companies are responsible for, legal privacy requirements, and cybersecurity concerns, there are many considerations to address when selecting a cloud service provider.
CPABC’s manager of security operations and compliance, Anthony Green, recently spoke with two members from Pax8, a company that simplifies the way organizations buy, sell, and manage cloud solutions. In this conversation, Mariane Louvet, director of sales in Canada, and Matt Lee, senior director of security and compliance, shared their insight into best practices when selecting a cloud service provider.
The full interview is available in this podcast episode, part of our Coffee Chats with CPABC series. Below are some highlights from the conversation.
There are a lot of things to look out for when selecting a cloud service for your business, and one of them is ensuring that a cloud service has data encryption. So, what does this mean and why is it important?
Mariane: Accountants work with sensitive and confidential client information that must be kept secure. Therefore, it’s very important to ensure your data is encrypted. The goal of encrypting data is to make sure only the intended user can view and edit documents.
What makes data encryption more important than ever before is that many of us are still working remotely, and when we do return to the office, it will likely be a hybrid model. The practice of sharing files remotely, whether files are being shared from different sides of the coast or in the same city, emphasizes the need for data protection – and ultimately data encryption.
Matt: We all have responsibilities as data holders and custodians, and you have to be able to prove you've done your due diligence. Having embedded encrypted systems inside cloud services, and making sure universal settings are in place so that you can adjust these systems, will allow you to protect sensitive data in a systematic way.
Two important terms for our audience to understand are encryption at rest and encryption in transit. Can you explain what these terms are and why they are important factors to consider when choosing a cloud service provider?
Matt: For data at rest, think about your laptop being left in the back of your car and stolen. Since your laptop is not in use, the data is at rest. And since your laptop is locked, the information is secure and whoever steals your laptop won’t be able to use the contents. That is what encryption at rest means.
Data in transit is when your data is in the process of traveling from one device to another – for example, when you send an email, your data will travel from your laptop to your recipient’s device. But someone might try to steal your data while it’s in transit. If your data is encrypted (coded), then it means even if it’s intercepted along the way, attackers won’t be able to interpret the data. This is what encryption in transit means.
At CPABC, we’ve previously discussed the importance of multi-factor authentication (MFA). In addition to MFA, single sign-on (SSO) authentication is another important feature to have in cloud service providers. Can you explain what SSO is?
Matt: That’s taking the idea of MFA and making it easier for the user in a trusted way. Once someone has gone through all the steps of MFA, SSO takes the user authentication and extends it to all the other websites or apps they use. This saves time, especially when you think about how long it can take to find different passwords, reset passwords, etc.
Let’s say you’re signing into the Starbucks app. If it’s connected to Facebook, and you’ve previously signed into Facebook, then the Starbucks app will ask, “Would you like to sign in with Facebook?” You can then simply tap ‘Yes’ and be directed into the Starbucks app. That is SSO.
Mariane: Cloud services with integrated MFA and SSO allow you to access what you need faster, easier, and in a more secure manner. SSO reduces the human touchpoints. The chances of a security breach are reduced because you have fewer points of entry, and it also alleviates the hassle and stress of forgetting and having to reset passwords.
When looking for a cloud service provider, you might see disclaimers that say that your data may be stored outside your home country. Why is it essential to know where your cloud service is located and why should you take this into consideration when choosing a cloud service provider?
Matt: Privacy and governance should be top of mind when you’re looking for a cloud service provider. Data is everything – your money, your business – so data sovereignty matters. If you're operating in another location, you may not have the same protection that you expect to have if you were functioning inside your local area.
In the same breath, you might have new laws to deal with. GDPR might apply where it might not in some other cases. You have to know the laws of each local jurisdiction and the things you need to have in place to be able to prove you’ve done your due diligence.
Mariane: In Canada, every province has different requirements and different laws, and it’s important to stay up-to-date. Canada has the Canadian Digital Privacy Act (CDPA), which is currently being amended. It's being tabled to include additional security measures to protect the consumer and end-user. Quebec recently passed a new law that is going to be coming into effect in 2023.
Another factor to keep in mind is where your customers are located. Perhaps you have customers located outside Canada. How are you supporting those international customers who may be overseas? It’s important to do your research on applicable data privacy laws based on your customers’ locations.
Some cloud providers say that they are compliant and secure because they are using AWS or Microsoft Azure, yet we see some of these providers getting breached. Do you know why this is?
Matt: Unfortunately, we live in this paradox where people believe there is an absolute win in security. Antivirus software that promises “100% malware stopped”, or that “no threat actors can get in”, or “we stop hackers”, can set consumers up for false security.
What we have to do is reduce the blast radius. We have to reduce how much a compromise can affect us. How many businesses out there have systems where all their client data is in a shared drive for employees to access? Maybe employees should only have access to the clients they work with. And maybe once you’re finished working with a client, their data should be archived so it won’t be as highly at risk if your data gets compromised in the future.
Cyber attackers are always going to find new ways to get in. Being compliant doesn’t mean you’ll always be secure – they’re not the same thing. We need to ensure we have policies in place to make sure you can only access what you need, so the blast radius is reduced. It's everyone's responsibility to be more secure and reduce the impact of risk.
Mariane: We should all keep in mind that compliance and security complement each other. They're two different frameworks that go together, but have to be approached differently.
Vince Kanasoot is a communications specialist for CPABC