In today’s data-driven landscape, companies of all sizes want fast access to all of their data, regardless of where it resides. Turning that data quickly into actionable insights and meaningful information can be a challenging task, and it is critical that security remains part of the due diligence process.
Assessing the security of a data access solution before purchase allows an organization to ensure the product meets both use case needs and compliance requirements, which saves valuable time and effort – especially if your company is held to rigorous data protection regulations, such as GDPR or HIPAA.
When your business is working to solve scalability and data management challenges, security should not be treated as an afterthought. Verify that the high-performance analytics engine you select has the following security elements in place:
- External audit compliance: Ensure the enterprise data management solution you select has undergone an external audit to confirm it is compliant with a nationally or globally recognized security framework, such as SOC for Service Organizations: Trust Services Criteria (SOC 2). An external security audit validates that the analytics engine’s provider has identified its security risks and put systematic controls in place for defense in depth.
- Ongoing code scanning: If your business is in the market for a platform that will allow you to assess data from dozens of unique sources, that platform’s technical security controls should be robust. An essential component of application security is regular static code scanning. Make certain that the data access platform you select can provide evidence of continuous code assessments, so you have confirmation that the vendor is regularly identifying and remediating legitimate, exploitable vulnerabilities.
While speed and scalability are important when choosing a platform, security should be included when drafting the business case. Both software composition analysis (SCA) and static application security testing (SAST) should be performed by the vendor and their results assessed by your business as part of the procurement process.
- Vulnerability management through penetration testing: Modern data management requires the use of platforms that meet or exceed security best practices. Frequent penetration testing or security assessments against the OWASP Top 10 list are evidence that a data access solution is evaluating cyber risk against the latest research and vulnerability information available. A provider’s ability to quickly identify and remediate real-world attack vectors shows that it treats security weaknesses as a business risk. This gives the consumer of the data access platform verification that the provider prioritizes threat identification, which is a cybersecurity best practice.
- Integrated risk management: When assessing data analytics solutions, defense in depth through integrated risk management should be considered table stakes. Cyber risk should be handled by the vendor holistically, meaning it continuously assesses threats to ensure that IT risk does not exceed a predefined business threshold.
This is done by maintaining an incident response plan, with an option for customers to report issues or vulnerabilities directly to a security team that is available 24×7. Continuous threat assessment is also achieved by maintaining a risk register, which demonstrates that the provider of the data analytics engine has evaluated the probability and impact of known vulnerabilities and code deficiencies.
- Limited data access and sharing: If your business wants fast access to data sources, how do you still ensure you maintain privacy over your company’s data? Through the data protection best practice of “purpose limitation”. Verify that the data access platform you are evaluating limits its own access to your data. Can the solution operate without needing access to your information? If it does require access to your data, is that access limited to least privilege?
When handling a resource as precious as data, security is too critical to put on the back burner. While you go through the procurement process for a data access solution, reduce your supply-chain risk by appropriately vetting providers.
Ask the right questions of the analytics engine provider to identify their level of commitment to a robust security posture: confirm external audit compliance, ongoing code scanning, pen testing, integrated risk management, and data access limitation to ensure the vendor you select meets both business case and compliance requirements.