Skip to main content

A risk-based approach to security

Security
(Image credit: Shutterstock / NicoElNino)

If we are honest, cybersecurity is far from the most exciting element of a digital transformation journey for an enterprise. It is however, likely to be the most essential. After all, we live in a world where sensitive information is stored and precariously passed across multiple systems, clouds, and platforms.  And the threats continue to grow to take full advantage of this dispersed array of information.

Thankfully, we have already arrived at quite a sophisticated level of cybersecurity response. Although most technology professionals would agree it is far from ‘job done’, it is clear that security takes on many forms — all with different degrees of complexity.  Whilst this offers sophisticated responses, it can also mean that implementation is anything but simple and straightforward. 

Back to basics 

To make that implementation more effective (and hopefully simpler) it is worth remembering that the need for security often stems from three key areas of risk: compliance, portability and identity/access.

1. Compliance: implementing the latest government regulations

First and foremost, any organization needs to be compliant with the latest domestic (and in some cases, international) regulations, standards, and policies.  

For example, in the US, compliance regulations like HIPAA and the Payment Card Industry Data Security Standard (PCI DSS) are designed to protect both the business and its consumers. These guidelines govern exactly what each business must protect (for example a customer’s Social Security Number). 

From there, HIPAA, PCI DSS, and other standard frameworks of compliance requirements are translated into specific security controls that a business must implement to stay compliant. 

There is often a great incentive to embrace this aspect as non-compliance can result in significant financial penalties, customer distrust, and a rapid deterioration of the brand and reputation of a business.

2. Data portability: Keeping sensitive information from falling into the wrong hands

Data is needed everywhere – and often at speed.  As a result, the ability to safely store and transfer data across multiple platforms, systems and clouds is mission-critical for any modern enterprise. 

Whether this sensitive information is at rest or in transit, security controls like data encryption, data masking, and tokenization are all proactive ways to keep it from falling into the wrong hands. 

While secure data portability requirements are often tied to data privacy regulations like GDPR,  many businesses have learned (and some the hard way) that having security controls in place, that go beyond these compliance demands is a smart best practice for treating sensitive data, and should be implemented across the organization. 

3. Identity and access: Who can see sensitive data? 

Security must not only secure the data itself but also who can access it – and the distinction is important.  Identity and access management controls which users are allowed into the system. For instance, companies typically add a layer of security to the user identification process by requiring CAPTCHAs and two-factor authentication.

Once the user is authenticated, access management takes things one step further by defining exactly what they are authorized to see or access. A user with higher clearance levels may be able to access sensitive or privileged information while a generic user may not – and of course these levels of access can change over time. 

Access controls often take the form of permissions that are granted at the user level.

Getting business-specific 

Even with just these three broad definitions, it quickly becomes apparent that there really isn’t a cookie-cutter approach to protecting a business from data breaches and security attacks. 

Each business has a unique tech stack and its own mandated regulations and internal requirements. Each business faces different threats from different parties because the data at risk can range from credit card details and medical histories to classified information or new product research.

Consequently, even though the need to secure is universal, the nature of that security is highly personalized. This means that any technology must reflect this idiosyncrasy and enable a business to proactively manage and continuously improve its security posture. 

This demands that the business can access suitably qualified, experienced personnel, such as CISSP-certified security experts – that can assess the current state of an organization and then tailor a plan to tackle those compliance and security needs.

Even at this early point, it is important to consider issues of the return on this investment.  Security can be tough to measure. While security controls can prevent issues from happening, it’s difficult to quantify the value of what has not yet occurred. 

Security improvements can sometimes go hand-in-hand with operational and process evolution but it is undeniable that better security does come at a cost.  It is therefore important to evaluate each security task from an ROI perspective so a business can prioritize the tasks that generate the most value. 

Because threats are constantly evolving, regulations are frequently updated and businesses themselves evolve, this whole process must be dynamic.  This means there must be regular check-ins with the dedicated security expert to ensure any action decided upon remains relevant and effective.

This leads to the issue of implementation.

Putting it into play 

A customized, regularly reviewed security strategy is where businesses must start, but it remains impotent if it is not actually implemented. 

It is at this point that businesses often see the breadth and depth of action needed to ensure full security.

For example, at the level of securing applications, a business can create simple compliance rules to manage requirements (like access and permissions) with no coding or development required. These rules can then be added as a quality gate as part of a CI/CD process so that a compliance scan is automatically checked every time that business makes a Salesforce release. This guarantees that the business proactively manages and enforces compliance for every change made to the Salesforce environment. 

When a compliance check is triggered, any violations can be sent via a real-time email alert so the business can take immediate action to mitigate the security risk. The last step is to then compile these activities in a centralized way to make reporting and auditing as simple as possible.

It is granular thinking like this, repeated many, many times that pinpoints the work that needs to be done to streamlines changes for continuous improvement, and automates processes so that a business can keep up with the demands for quick delivery — without sacrificing quality or security. 

This also demonstrates how the three issues of compliance, portability and access can be brought to bear on securing any level of activity within a business.  

This is important because threats posed to businesses will only increase and any weakness or area of exposure will carry with it an ever-increasing risk.

Andrew Davis, Sr. Director of Research and Innovation, Copado

Andrew Davis is senior director, product marketing, Copado and author of Mastering Salesforce DevOps.