The Security of Cloud-Based Business Solutions: A Q&A With Jason Dick

Jason Dick, SalesVista’s VP of IT and Cloud Operations, talks about cybersecurity in the cloud, shared responsibility models, and the one cybersecurity rule everyone should follow.

How did you first get interested or involved in cybersecurity?

Well, I've been somewhat involved in cybersecurity my entire career, but I think it really started in 2000. I took a job working for a company doing customer support, and my customers were all system administrators, so they had a vested interest in keeping their systems secure. We were just releasing our internet products at the time, and I got very interested in how a firewall works and why it was causing a problem for my customer. So, I spent a lot of time learning, and I ultimately ended up giving a class to many of my peers on how firewalls work. And really, that kind of launched my cybersecurity career. Since then, I've just gone on to manage other aspects of it along the way, and it's only getting more complicated.

Are there cybersecurity vulnerabilities particular to cloud-based platforms?

Yeah, this one's a little bit different. I don't think of it as being particular to cloud-based platforms. Cloud-based platforms are nothing but hardware somebody else manages, so all the same vulnerabilities exist in the software and the hardware stack. Somebody else is just managing it. What's unique about it is the lack of control you or I have over somebody else's infrastructure. Cybersecurity in the cloud is really more about maintaining good relationships with good vendors.

Who is responsible for maintaining the security of these systems?

The key is looking for quality vendors. Quality vendors are going to have compliance programs in place, security training for their employees, and they're going to be independently audited. You're going to be able to work with them to see their audits, understand their security requirements, how they're managing your data, what they do to protect your data, what happens if there's a data breach, and how they work with you to manage the breach or any kind of compromise.

What are the most important factors to consider in this cybersecurity context?

Vendor transparency is number one. The other aspect of it is it has to be covered in your contract with the vendor. So, your roles and responsibilities are going to be key and spelling out who's responsible for what aspects of data during what parts of the data flows or during processing of the data. It’s shared levels of responsibility, depending on where you are in the cloud and what you're doing in the cloud, and it depends on some of the regulatory frameworks you’re required to adhere to.

Almost every company, every SaaS based company, in the U.S. today is required to be SOC compliant. That's just the base level of security, infrastructure, awareness, and training. If you're in the financial sector, there are other frameworks like GDPR and PCI. The Payment Card Industry of America has a compliance requirement for protecting cardholder data, for example, which is far more stringent than SOC. And there are several controls you have to meet.

If you're sharing responsibility between your company and your vendors, you need to understand who is responsible for each one of those controls, or if there's a control that has shared responsibilities, who owns what pieces of it? So, the crux of it in the cloud is making sure that those responsibilities are spelled out. And then any remediation that needs to take place, those activities are spelled out and then renumeration if there's a problem — what happens if somebody fails?

Is there a heightened cybersecurity risk associated with integrated business management systems?

Yeah, I think this one is pretty similar. The difference is that you're more explicitly handing over a specific piece of data to another customer, or another company, to do business with and to hold or process your data. So again, how is that data used? Who has access to it? When is it deleted? And what are the implications if something happens to the data while it's in their control?

So, it really comes down to loss of control of your data. And then the rest of those play into the other things we talked about. Who's responsible for what aspects of controlling the data while it's on their site or in transit? And is it spelled out in the contract who does what?

Any cloud-based system, you're going to have that. So, modern cloud frameworks and cloud platforms are built on a myriad of other companies, technologies, and other vendors’ products. Some of them are maybe run locally at your data center, but they interface with a component that another company owns. Many, many, many systems run on cloud-based platforms. So, some portion of data processing is done on that, and my personal view of it is that business systems are no different than any other kind of system, right? Whether it's processing business data, customer personal data, or health data, if it's leaving your site and your complete control, there's an avenue for attack.

What are some common approaches for addressing these risks?

There are multiple layers of this. At the very highest layer we talked about, you're seeking out vendors that do the right thing, have good security hygiene, and follow the best practices. And then your contracts have to support that. But beyond that, it's really about asking if we’re doing the right things. Do we have those good best practices in place?

Take least privileged access, for example. We don’t need unfettered access to somebody else's data. They don't need unfettered access to ours. What is the least amount of access needed to complete a business relationship? Are the methods of sharing that information secure and traceable? Do I have audit logs around those? Can I see who has seen the data, updated it, or changed it? And then, what happens to that data long term? When is it deleted from the vendor site and from all the possible places it needs to be deleted? How do I get confirmation that it's gone? If I hand you a piece of my data and say you can use this for Purpose X, and then when you're done with Purpose X, it needs to be gone. Is there any proof that it's happened? So, not only do they need to get rid of it, but they need to supply information to show it's gone in some way, shape, or form.

Do cybersecurity priorities change depending on what kind of information you're sharing?

I think it could. We're in an interesting time as regulatory frameworks continue to evolve. Personal and corporate data privacy are huge, right? It's all about their data and what's happening to it. In some cases, if data is lost or compromised or even just exposed, there's a legal requirement to notify regulators and customers.

So, in that case, I don't know that priorities change, I think it's really just a matter of being aware of what those requirements are and making sure you bake those into your security policies and procedures. If you have a regulatory requirement to notify within 24 hours, you need to make sure that you're able to capture events that occur and detect unauthorized access to data, so you can report on it adequately within the allotted timeframe.

What is unique about SalesVista’s approach to cybersecurity?

I’ve actually thought about this quite a bit, and I keep coming back to the same thing. We're not trying to do anything that is fundamentally unique from a cybersecurity perspective. We are trying to follow best practices and patterns that have proven effective for combating data privacy, security, and cybersecurity issues — for reducing the attack surface and limiting access — and just following good hygiene. We're not trying to reinvent the wheel here, there's plenty of good material, and there are plenty of good practices to follow. Following best practices really does have a measurable impact on your ability to keep data private and ensure platform security. And I would hope that is not terribly unique across the industry.

What's the biggest risk to cybersecurity? And how do you address it?

Honestly, the thing that worries me the most is theft by an internal employee.

We have cybersecurity training that everybody is required to go through, and those are areas we're constantly looking to improve on, right? I don't want to give the same training every single time. I want to give different ways of looking at the same thing or different viewpoints, different experiences, specific examples of what happened to a company that's been breached or had some sort of problem. It opens your eyes — just attacking it differently. Sometimes just reading a slide is fine. But other times, having an interactive video game is a good way of refining the understanding of what these things mean and how to react in these scenarios.

How do you manage or prepare for client-side risk?

Yeah, we think about clients a little bit differently, right? We're connecting to their business. Our customers are their businesses, and they are sharing their sales compensation data with us. We read data from a customer, and then we provide reporting around it. It's about compensation management, but there's no ability to edit the source data.

Our focus is on narrowing the scope of that data, again, back to least privilege. We only want the data that we need to process, and we want them to grant us the bare minimum access. And likewise, we give them bare minimum access to manage their data in our system. I would say that's the number one thing we do is to make sure that the scope of information exchange is as minimal as possible to complete the business operation. And then on top of that, we have all the security hygiene that normally exists in a company, so that data in transit is secured — encryption, standard encryption, and security keys. We don't allow open access to anything. You have to have an account. It has to be authorized, and somebody has to vet you.

With customer data access, they have an account administrator, and they can share access to their data within their company. There's an entire access layer inside of our SCMS application for people that have access to the application — and what they can and can't do within the application. And nobody can change any data in the application.

So, when a customer is using our platform, their employees are never going to be able to go in and edit some record in our system to change their commission. And there are two pieces to that. First, almost all that data is read only, so nobody can change it. Then, for the compensation planning pieces of it — where we design compensation plans for companies — those are restricted to the individuals the customer grants the right to create or manage those plans. So, not every sales rep can go in there and change it. They can see their plan, but they can't make any changes.

This is standard for any large SaaS application. There's a security framework that exists with permissions set, and we can turn those on or off for each account and each person.

If you could make everyone in the world follow one cybersecurity rule, what would it be?

Some variation of, “Don't click the link!” Just be aware of unsolicited requests for information, whether it's an email with a link saying “Click here. Your bank accounts been compromised,” or a text message with a link, or even somebody calling you saying, “Hey, I forgot this thing. Will you please share this piece of information with me?”

Whether it's email, chat, or a phone call, know who you’re talking to — and authenticate their identity.