In a time when everyone is trying to realize the promise of digital transformation, many organizations are migrating their infrastructure to the cloud.
But it’s important to remember that not all clouds are created equal. One cloud may be designed using best practices for security, but another might cut corners, placing your sensitive data at risk.
There’s also the issue of scale. An organization might start by using just one cloud provider, but soon find itself using dozens—and even hundreds—of different providers.
Indeed, there are risks and benefits to cloud data integration and cloud BI providers—and you need to understand them all before moving to the cloud or choosing a new cloud provider. And a good way to get there is by asking yourself or your potential provider these questions.
Does the provider fit your company’s size and security needs?
Many organizations are subject to a high degree of regulation and are frequently audited. The cloud provider must be able to demonstrate a proven track record of managing highly controlled and regulated data.
Look for compliance certifications, including SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR and CCPA.
Compliance also includes audits and security assessments. Domo completes multiple audits and assessments on an ongoing basis, including third-party network and system penetration tests.
The providers you look at should also have a comprehensive audit program in place to help your organization pass your own third-party and regulatory audits.
Can the provider keep up with change and risk?
Changes in cloud software happen so rapidly that by the time your next annual vendor review comes around, the vendor may have hundreds of new features. In fact, some may even have changed their entire technology stack.
Ensuring there are key controls in place to manage this influx of change is critical. Otherwise, the constant changes can open your organization up to unknown vulnerabilities.
Organizations should require their cloud provider to notify them of any significant changes to the product. And the contract should have a clause that states the provider may not materially lessen the security controls during the term of the contract.
This ensures that while there will be innovation through constant change, the provider can’t weaken the security program that you have previously reviewed and approved.
Look for providers who have a track record of delivering new product innovations while ensuring that security is never compromised.
As you review new features, consider where your data has potential for exposure. With every new feature that is released, from low-code apps to cloud data warehouse integrations to embedded analytics, Domo bakes in ongoing review of security standards to ensure security compliance.
Many cloud providers, including Domo, have implemented a product council or customer advisory board to discuss upcoming product features and evolving security policies.
Ask to be a member of the cloud provider’s product council; this will keep you up to date and let you give valuable feedback on the cloud provider’s roadmap.
Many cloud providers also maintain product update pages (such as Domo’s New Features page) to inform their customers of new product changes.
Reviewing these updates ensures you won’t miss any new features that would let you further increase the security of your data in the cloud.
What visibility and control are available?
It is important that your organization continues to have full visibility into how its data is being stored, processed, accessed, and transmitted in the cloud.
Any service agreement with a cloud provider should clearly describe how the organization’s data is managed and protected.
Apart from strong contractual controls, the organization must have near real-time visibility into how the provider is managing its data.
A continuous monitoring model will allow you to pull all logs into your own Security Operations Center (SOC) to look for anomalies or changes.
Also, look for Responsible Disclosure Programs (like Domo’s) that encourage responsible reporting of potential security vulnerabilities and collaboration with security researchers on any issues that are identified.
In addition to transparency, control of your data is key. Any provider you use should be able to align to your existing data governance models.
Look for metadata management capabilities and ways to ensure data quality. For example, Domo provides data lineage tools that give you complete visibility into the content and status of datasets.
Also look for data certification capabilities so you can establish trusted datasets. Then consider what controls you might need in place to share data outside your company with embedded analytics tools such as Domo Everywhere.
Can I avoid turbulence?
Cloud providers should be able to offer a far more secure model than legacy, on-premises providers.
Some security features to look for include least privilege and separation of duties access models, transport layer encryption and encryption at rest, as well as logs for network, system, and application events.
You should also look for customer-managed security features that let you stay in control of your data and align with your existing security requirements.
In Domo, these features include SAML-based SSO, multi-factor authentication, IP address restrictions, and security profiles.
Domo also provides Bring Your Own Key (BYOK) encryption that allows you to rotate encryption keys several times a day.
Make sure you do your due diligence up front to select the cloud providers that can meet and exceed your security requirements.
Otherwise, you may be left with unsophisticated providers that can’t adequately protect your data, and your journey to the cloud could be a turbulent and costly one.