At Kaliber, we combine technology and strategy to provide a 360 degree view of your IT security posture in a way that reduces risk, streamlines compliance and strengthens business relationships.
Kaliber Data Security understands that you and your team are not in the data security business, but your data security needs are no less critical than those of the largest enterprise.
It is Kaliber Data Security’s unique position and perspective that directs our approach to equip and enable you to secure your business information. We know that you and your team are your first and best line of protection, and that effective data security starts with you understanding your needs, risk, vulnerabilities, consequences, and options. Unlike many technology-centered data security providers who start and end only with the latest technology solutions, Kaliber is your trusted business advisor. We know that the only way to effectively equip and enable you to implement and execute custom-tailored data security starts with us learning your business through listening, attentiveness, communication, and collaboration.
Ken is a business consultant skilled in the areas of Information Security, Risk Assessment and Compliance. He has deep experience developing methods for risk management and information security process improvement that have helped organizations integrate information security into their corporate strategy.
As a thought leader, Ken has worked with business leaders to help them understand that they can improve their financial performance by treating cybersecurity not merely as a technical issue, but as a process that involves employees at all levels of an organization and is integral to business success.
With 10+ years of relevant, hands-on experience in security services and experience leading and driving major security programs with repeated success in the areas of risk assessment, employee awareness and regulatory compliance, Ken is a valuable advisor to organizations looking to reduce risk and improve their data security posture.
Ken holds Bachelor’s and Master’s degrees from The Johns Hopkins University as well as an MBA from the Harvard Graduate School of Business Administration. He attained the CISM certification and currently serves on the board of several SaaS companies as well as being an advisor to the Brandeis Graduate Professional program in Cybersecurity Leadership.
The Trust Discrepancy
Most organizations are concerned about data security when it comes to storing, managing and accessing information in the cloud. They should know that the chances of in-house systems getting compromised are actually much greater than those of modern cloud-hosted systems. However, that advantage holds only when SaaS providers adopt security best practices.
At Kaliber, we think of SaaS companies as the filling in a “security sandwich.” SaaS companies are in the middle of having to protect the data of their customers while owning the responsibility to configure and monitor the security parameters of the hosting services on which their products operate.
What must a SaaS company focus on when building their security sandwich?
Identity Management
The first and most important level of protection is identity management: the proper validation of users, their roles and their passwords. SaaS companies must build for secure customer access as well as establish proper roles for internal developers, support staff and marketing teams.
Multi-factor Authentication and Single Sign-On
Internal users and their roles should be supported by Single Sign-On (SSO) tools with multi-factor authentication for credential protection and enforcement. Similarly, SaaS software needs to support SSO connected to their customers’ internal systems, which both enhances security and improves the customer experience.
End-to-end Encryption
End-to-end encryption means that all user-to-server interactions are carried out over SSL transmission, which should only terminate within the provider’s network. Additionally, full database encryption should be used for customer databases and field-level encryption should be used for highly sensitive data such as financial, identity or health information.
Rigorous Vulnerability Testing
Businesses need to carry out ongoing and rigorous vulnerability testing to ensure that all off-the-shelf software is up to date. Many commercially available tools offer automated security assessments that identify which software may have vulnerabilities, so that patches can be applied as soon as possible.
Secure Code Analysis
Web application security must be a key focus of SaaS developers. Improperly written internet-facing web pages can be vulnerable to attack and provide an avenue for theft of customer data. Regular code analysis that identifies improperly written web pages should be performed, and the affected pages rewritten to eliminate the discovered defects.
Incident Response and Patching
Providers should have a clear policy for patching known issues or libraries, especially those that have been reported publicly.
VPCs and VPNs
Virtual Private Clouds and Virtual Private Networks provide secure environments for isolating data and supporting secure connections.
API Protection
A rapidly expanding trend is the use of Application Programming Interfaces (APIs) to support data interchange, whether between internal applications or with external third parties. APIs and API Gateways need to be protected by an authentication method for secure transmission.
Intrusion Detection
The very first line of defense for a hosted software system is an Intrusion Detection System (IDS). Host-based systems apply their detection at the host level and will typically detect most intrusion attempts quickly and notify you immediately so you can remedy the situation. Modern IDSs utilize either signature-based systems, which look for known bad patterns that have been seen before, or learning-based systems. Learning-based systems build a database of one organization’s “normal behavior” and then report when they detect “non-normal” activity.
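To make the two detection strategies concrete, here is an added example (not Kaliber’s code, and not from any particular IDS product) that runs both over a handful of constructed host log lines. The signature detector matches a short list of assumed known-bad command patterns; the learning-based detector first learns each account’s “normal” hourly failed-login rate from a training window and then reports hours that deviate from it. The log format, the signature list, the account names and the thresholds are all assumptions made for the illustration.

```python
"""Toy host-based IDS: signature matching beside baseline (learning-based) detection.

Added example, not Kaliber's code. Every log line below is constructed; the
line format "<timestamp> <event> user=<name> src=<ip> [cmd="<command>"]" is an
assumption, as are the signatures and thresholds.
"""
import re
from collections import Counter
from statistics import mean, pstdev

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>\w+) '
    r'user=(?P<user>\w+) src=(?P<src>\S+)(?: cmd="(?P<cmd>[^"]*)")?$'
)

# Constructed "quiet day" used to learn what normal looks like per account.
TRAINING_LOG = [
    '2024-01-01T08:02:11 login_fail user=alice src=10.0.0.5',
    '2024-01-01T08:02:40 login_ok user=alice src=10.0.0.5',
    '2024-01-01T08:15:03 login_ok user=bob src=10.0.0.9',
    '2024-01-01T09:01:00 login_ok user=alice src=10.0.0.5',
    '2024-01-01T09:30:12 exec user=bob src=10.0.0.9 cmd="git pull"',
    '2024-01-01T10:05:19 login_fail user=alice src=10.0.0.5',
    '2024-01-01T10:05:31 login_ok user=alice src=10.0.0.5',
    '2024-01-01T10:44:00 login_ok user=bob src=10.0.0.9',
]

# Constructed window to inspect: a burst of failures on alice's account from an
# unfamiliar address, then a sensitive file read; bob has one ordinary typo.
DETECTION_LOG = [
    f'2024-01-02T03:10:{s:02d} login_fail user=alice src=198.51.100.23'
    for s in range(0, 60, 10)
] + [
    '2024-01-02T03:11:00 login_ok user=alice src=198.51.100.23',
    '2024-01-02T03:12:30 exec user=alice src=198.51.100.23 cmd="cat /etc/shadow"',
    '2024-01-02T09:00:00 login_fail user=bob src=10.0.0.9',
    '2024-01-02T09:00:20 login_ok user=bob src=10.0.0.9',
    'garbage line that does not parse',
]

# Assumed signature list: (name, pattern applied to the executed command).
SIGNATURES = [
    ("shadow-file-read", re.compile(r"/etc/shadow")),
    ("download-piped-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")),
]


def parse(line):
    """Return the fields of one log line, or None for a malformed line (skipped, never trusted)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Signature-based detection: (timestamp, user, signature) for each matching command."""
    alerts = []
    for rec in map(parse, lines):
        if rec is None or rec["cmd"] is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["cmd"]):
                alerts.append((rec["ts"], rec["user"], name))
    return alerts


def hourly_failures(lines):
    """Count failed logins per (user, 'YYYY-MM-DDTHH') bucket."""
    counts = Counter()
    for rec in map(parse, lines):
        if rec and rec["event"] == "login_fail":
            counts[(rec["user"], rec["ts"][:13])] += 1
    return counts


def learn_baseline(training_lines):
    """Learning phase: per-user mean and std-dev of failures per hour, counting quiet hours as zero."""
    records = [r for r in map(parse, training_lines) if r]
    hours = sorted({r["ts"][:13] for r in records})
    users = sorted({r["user"] for r in records})
    counts = hourly_failures(training_lines)
    return {u: (mean([counts[(u, h)] for h in hours]),
                pstdev([counts[(u, h)] for h in hours])) for u in users}


def baseline_alerts(training_lines, live_lines, k=3.0, min_count=3):
    """Report (user, hour, failures) where failures exceed mean + k*stddev.

    min_count is a floor so that an account whose learned std-dev is zero
    (e.g. bob, who never failed in training) is not flagged for a single typo.
    """
    baseline = learn_baseline(training_lines)
    alerts = []
    for (user, hour), n in sorted(hourly_failures(live_lines).items()):
        mu, sigma = baseline.get(user, (0.0, 0.0))  # unseen account: no learned normal
        if n >= min_count and n > mu + k * sigma:
            alerts.append((user, hour, n))
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(DETECTION_LOG))
    print("baseline: ", baseline_alerts(TRAINING_LOG, DETECTION_LOG))
```

Note the two failure modes the code handles: a malformed line is dropped rather than parsed loosely, and the `min_count` floor keeps an account with a flat (zero-variance) baseline from generating an alert on every single failed login. In a real deployment the signature list would come from a maintained feed and the baseline from weeks of data rather than one constructed day.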
Penetration Testing
Only a qualified third party can truly attest to the efficacy of the items outlined above:
– Are credentials well protected?
– Are communications and data properly encrypted?
– Have software vulnerabilities been patched?
– Is in-house developed software secure?
– Are VPCs properly configured?
– Are APIs protected?
Detailed penetration tests should be performed annually and any findings should be remediated in a timely fashion.
Logging
It is important that SaaS environments log all system events, including the security-critical events that support ongoing audits and monitoring and provide a way to perform forensic analysis in the event of a data breach.
Compliance
In order to assure customers and prospects regarding the security of their data, SaaS companies may be required to submit to outside audits that follow popular compliance regimes such as NIST, SOC2 or ISO27001/2.
Conclusion
There are many strong reasons why businesses should take advantage of cloud computing to improve operational efficiency and reduce costs. However, security concerns often hold businesses back from putting their valuable data in the cloud. These concerns mostly stem from the lack of clear visibility and control. It is the SaaS providers’ responsibility to present a strong position wherein they communicate the controls they have implemented to protect their customers’ data.
Managing cybersecurity in today’s world is difficult. Many business leadership teams don’t have the in-house expertise but understand that outside resources could enhance their security model.
While most mid-sized firms have some technical personnel or contractors that handle most of the technical needs of security, they don’t have someone who is looking at the big picture of cybersecurity for the organization.
If they have designated a Security Officer, it is often the CIO or CTO or another executive that has a full plate of other responsibilities. This executive might not have the bandwidth to cover their enterprise’s cybersecurity program nor the full breadth of security expertise. This gap leads to unnecessary risk.
A Chief Information Security Officer (CISO) is a senior-level team member. The CISO establishes and maintains an enterprise’s security vision, strategy, and programs. The role ensures information assets and technologies are appropriately protected.
Generally speaking, a CISO needs to:
Most large organizations have a full-time CISO to handle their cybersecurity needs but mid-range and smaller companies are now seeing the need, as well. Many of these organizations cannot afford a qualified, full-time CISO.
Companies of all sizes are getting aggressive about getting a CISO on board for a number of reasons. One is the range of new cybersecurity regulations that companies have to deal with. Past industry standards like PCI and HIPAA are now joined by many new privacy and security rules that change how a company is responsible for safeguarding data.
Another reason to focus on security is the growing range of threats that face companies (especially smaller ones) related to financial and identity theft. Employees must be educated. Systems must be hardened and monitored. And tests must be performed on a regular basis.
Organizations that prioritize information and financial security should get serious about hiring a CISO. Getting started with a virtual, outsourced model is an excellent way to launch a program with lower financial risk.
Good data governance and compliance dictates that organizations must be fully accountable as trusted custodians of the information of their customers and employees. In our global, digital economy that means that we must implement the right technologies, people and governance to protect that data. This encompasses both protecting data from unauthorized use or disclosure and ensuring that even the authorized use of that data does not infringe on the privacy rights of the individuals whose data is being stored.
The goal of Data Security is to protect the confidentiality, availability, and integrity of data. In other words, it encompasses the practices and processes that are in place to ensure data isn’t being used or accessed by unauthorized parties. Data security ensures that the data is accurate and reliable and is available when those with authorized access need it. A data security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed.
Data Privacy, on the other hand, is defined as the appropriate use of data. When companies and merchants use data or information that is provided or entrusted to them, the data should be used only according to the agreed purposes.
Another way to look at it is that Data Security is primarily a technical issue, while Data Privacy is primarily a legal issue.
This is illustrated by the popular compliance regimes. Common Data Security compliance standards include PCI, SOC2, ISO27001 and the NIST Cybersecurity Framework. These are all voluntary structures enforced by industries and/or customers, and they spell out specific controls (e.g. encryption, anti-malware defense, etc.) required to meet an agreed-upon but arbitrary standard that has become accepted as “best practice”. Compliance with these standards helps partners (typically vendors and customers) evaluate the security posture of the organization they are doing, or intend to do, business with.
On the other hand, regulations such as the Massachusetts Data Privacy Regulation, the California Consumer Privacy Act, HIPAA, GDPR, etc. are based on statutes and laws meant to protect the rights of individuals. While there has been much discussion about the right to privacy and its legal origins, modern laws aim to protect individuals’ financial information, medical characteristics and whereabouts from marketers who may use that information to inappropriately target them; from organizations who may use that information to discriminate against them; and, simply, to help maintain people’s autonomy, dignity and control over their personal profiles.
Finally, the consequences of a failure of data security and a failure of data privacy are different. In the former, the risks are mainly business risks: Financial theft, loss of intellectual property and loss of reputation. And while failure of an organization to meet its data privacy obligations would certainly have a significant financial and reputational impact, these violations come with the added penalty of possible criminal charges and jail time. There are already cases of individuals serving time for violations of HIPAA regulations.
50 Franklin St.
3rd Floor
Boston, MA 02110