“We conduct at least as thorough security controls as government agencies” – Kim Hindart, CSO at City Network
At present, a lot of sensitive data is moving from corporations' and government agencies' own data centers to cloud providers. This means that more organisations and personnel are involved in security processes, on all levels. It's not enough that the corporation or agency owning the data has data protection policies and processes in place. The cloud provider must provide, at least, an equal degree of security measures to close the loop and ensure that the data is kept safe.
Screening of personnel
One core activity when it comes to security is the control and screening of personnel. Why is this really necessary? Doesn’t the large scale nature of cloud platforms make it possible to automate the protection of sensitive data?
– There's a belief that encryption of sensitive data will solve security problems. But it's very difficult from a technical standpoint to encrypt data that is used frequently, says Kim Hindart, CSO at City Network.
The bottom line is that a cloud provider must let some of its employees get theoretical access to their customers' sensitive data, in order to provide some services to those customers. This could be, for instance, managed services, advanced troubleshooting of customer-specific storage solutions, or similar.
It goes without saying that those employees must be exceptionally trustworthy. Exploiting an employee who has access to data is an easy way for an attacker to gain access, so an employee who is susceptible to blackmail, or simply greedy, is always a severe security risk.
Subcontractors and security controls
And there are more things to consider than the cloud provider's own employees, for example subcontractors.
– We never let any subcontractor get access to our customers' data, says Kim Hindart.
Regarding the employees at City Network who administer customers' data, there are several layers of security controls:
– We perform at least as thorough security controls as government agencies. To begin with we check police records, whether there are any problems in the financial history, and we check references. But that's just the beginning, says Kim Hindart.
Vote of 7
Passing the initial controls doesn't mean that a person can administer customer data. An evaluation period of approximately six to twelve months follows the start of the employment. In order to pass the evaluation, and be cleared for handling customers' data, an employee must be approved by seven different people at City Network, each with a different role at the company.
The following are examples of people evaluating a new employee:
- Security specialists.
- Business managers.
- Technical managers.
- HR personnel.
Only when all seven people have approved the employee is he or she allowed to work with customer data. Passing the evaluation is also a minimum requirement for working with City Network's compliant cloud offerings, in any capacity.
How do City Network’s customers react to the security controls of its employees?
– We do get some questions about this from our customers, there's clearly an interest. We try to be a forerunner when it comes to security. We also notice that some companies copy our processes and sometimes even force their other providers to follow suit, which is positive for the cloud industry as a whole, says Kim Hindart.
What about the employees, how do they react to the security evaluation?
– Young employees know that a security evaluation will be performed, it's not a strange procedure to them. Some older employees will just have to get used to the procedure, says Kim Hindart.
And what about the competitors, are evaluations of employees like the one City Network performs commonplace?
– I think we stand out in that respect. There are certainly more people involved in managing customer data at some of our competitors, says Kim Hindart.
But this is likely to change. For example, security processes of different kinds, including controls of employees, are becoming more common as requirements in procurement processes. There's a strong tradition of regulated procurement by government agencies and municipal agencies in Sweden, so this is not strange to City Network, which has been a Swedish company from the start.
Being a Swedish company also means being used to strict security regulations. For example, under the highest security classification only EU citizens are allowed to perform certain tasks. What's more, the EU's GDPR (General Data Protection Regulation) provides additional protection for data.
Finally, Kim Hindart gives a piece of advice to cloud customers who care about the safety of their data:
– Make sure to keep track of your cloud provider's subcontractors and outsourcing partners. Regardless of whether you use a cloud provider or not, it's your responsibility to ensure that every individual with theoretical access to your data has passed a risk assessment. The easiest way of doing this is to make sure that your provider is already conducting background checks.
Also, by extension, some cloud providers have personnel in countries that are dictatorships, which is something to look out for. There's a higher risk of governments applying pressure on individuals, for example to give access to sensitive business data, in countries of that type.