Get Over Your Cloud Security Concerns
I am amazed that I still encounter folks who adamantly argue that their company will never move something as sensitive as their customer communications management (CCM) to the cloud. Each time I hear this, I proceed as though it’s the first, and I patiently pose the same series of questions, starting with, “Why is that?”
“Because we can’t let our protected customer data outside of our firewall,” they insist.
Now by “protected”, they mean protected by regulation or legislation, and are usually referring either to protected health information (PHI), or to personally identifiable information (PII). The latter has been the larger concern of late, thanks to the new California privacy law which shares similarities with the European Union’s GDPR.
By “outside of our firewall”, they mean outside of what they believe to be a secure network, usually (but not always) inside the company’s premises. They know that CCM uses customer data for personalizing and contextualizing communications, and they are worried about the security of that data as it moves across the Internet. This concern is closely tied to a commonly held belief that on-premises application deployments are more secure than cloud-hosted applications.
Hold that thought.
“Oh, I see,” I say, “and in what system(s) do you store that data?”
There are always multiple answers to this question, depending upon the role of the person with whom I’m speaking, the company they work for, and the industry in which they operate, spanning the gamut from mainframes to data lakes. But there is also always a common denominator in there somewhere: a CRM system.
“Really?” I feign surprise.
At this point, I know that the basis of the expressed concern over cloud security is cultural and not technological. And that’s when I try to turn the light bulb on and shed a new light on some basic facts and overlooked fallacies.
Cloud CRM Means Cloud Data
According to Gartner Research, Inc., the cloud currently hosts about 75% of all CRM deployments. Chances are, your company is (or soon will be) in the majority, and is already using a cloud-hosted CRM system. If so, then the following fact applies to you.
If the CRM your company uses is hosted in the cloud (think: Salesforce, NetSuite, Zoho, etc.), then the data stored in those systems is also in the cloud. As a result, that data is already outside of your firewall.
Did I just hear a flicker? Maybe that was a gasp.
Data security focuses on three states: at rest, in use, and in transit.
If your company is using a cloud-hosted CRM solution, then your company is entrusting the security of your protected customer data while at rest to the CRM vendor. That means the CRM vendor is responsible for securely storing your company’s data…outside of your firewall…in the cloud.
Furthermore, your company is trusting the CRM vendor to secure the CRM application environment (also called an “instance”) while it’s in use…outside of your firewall…in the cloud. And that means securing all possible entry points to the application environment, not just the application login page.
By the same token (pun intended), your company is trusting the CRM vendor to secure the connection between their servers and your company’s devices (desktops, laptops, tablets, etc.) whenever an employee accesses the CRM…hosted outside of your firewall…through a web browser or other application…somewhere across the vast Internet.
At this point, that light bulb should be glowing brightly. If not, then I have them consider other places where their company’s data flows beyond their firewall. This includes mobile applications (usually used on third-party mobile networks), customer web portals (accessed remotely via a browser), and even things like on-premises devices (ATMs, credit card machines, etc.) that communicate with remote servers…outside of the company’s firewall.
Cloud Security Overview
This is also the point at which I get to talk about the security of cloud applications, and how that security is often more stringent than on-premises application deployments.
I cover the same states: at rest, in use, and in transit.
First, I talk about the (admittedly non-unique, best-practice-driven) way my company has carved off the areas where sensitive data is stored, putting each customer’s data in its own separate environment (an encrypted Amazon S3 bucket), and how the data itself is then encrypted using military-grade (AES-256-XTS) algorithms.
Then, I discuss how application users must be authenticated using industrial-strength identity and access management protocols (LDAP, OAuth, etc.) and security certificates (X.509) in order to gain access through a demilitarized zone to the application environment, and how even the interprocess communications within the environment are secured through the use of containers, configuration management, and an API gateway with a registry service.
Finally, I close by describing how we use encrypted tunnel connections between data sources, end users, and the application environment (TLS 2 using symmetric 256-bit encryption), so all transmissions to and from the cloud environment are also secure.
At that point, my interlocutor might be a bit red-faced, as they realize that what I just described really is at least as secure as (and sometimes even more secure than) their on-premises application environment. However, they are also very willing to continue the conversation.
When they do, they learn about the benefits of a “pure cloud” solution, beyond security: how leveraging the public cloud lowers their overall costs; how the SaaS application addresses current use cases across their organization; and how having access to the underlying microservices through open APIs provides the flexibility to solve for future use cases as they emerge. By the end of the conversation, we’re discussing ways to co-innovate and help accelerate their digital transformation.
Ready to Move to the Cloud?
Right now, you’re probably thinking about your own protected customer data and how secure (or not) it is. You’re tracing the routes your data takes through your various systems and applications to your end-users.
And you’re wondering whether or not your company is ready to move sensitive operational infrastructure like CCM to the cloud.
Stop wondering. You already know the answer.
John Zimmerer is the senior director of marketing at Topdown, where he leads market research and outreach efforts for the company's customer communication management (CCM) and digital customer experience products. Most recently, Zimmerer has been researching and writing about the future direction of the technologies that power customer experience (CX), and is regarded as a thought leader in this area. Visit the Topdown blog, connect with him on LinkedIn, or follow him on Twitter @johnzimmerer.