Keeping up with data-security technology demands constant attention and constant funding. Vendors like Star are in the best position to meet such unrelenting demands
Data makes the world go round. The way it's traded, sold, and trafficked, it's practically a new currency. And like any currency, at some point someone will try to steal it. This is not breaking news. Data thefts occur regularly, even at companies that—one would think—have the resources to entirely prevent them. But just because a company is big, and has expertise at providing a particular service, doesn't mean it has expertise in every area: like locking down its data.
Companies whose existence depends on their ability to keep client data safe, however, must be laser focused on such matters. Companies like compliance software vendors. Companies like StarCompliance. As a general guide, here's a look at how Star approaches data safekeeping.
LET'S GET PHYSICAL
Building a data center is like building a house. You don't build on anything but the best foundation. For Star that means utilizing the latest technologies in a secure physical environment. Fencing. 24x7 armed security guards. CCTV surveillance. X-ray machines. Biometric checks. False entrances and vehicle blockades. Locked server cages and cabinets. Climate control and fire-suppression systems—because data can be compromised for reasons other than theft.
Whether it’s replacing a single component, or building a brand new hosting environment—such as Star's new EU data center—Star evaluates its hosting infrastructure on a regular basis. Star only uses trusted technologies, backed by support and maintenance agreements that address the criticality of the supported service and ensure issues can be addressed with the applicable expertise. Tier-3 data centers add redundancy—components can be replaced without interrupting data-center operations—and mean the data center will operate at 99.98% availability. The use of failovers means that if there is a power cut, generators will automatically kick in.
And don't forget data-center compliance. Star’s hosting environments are all located in data centers independently audited to the SOC2 Type II standard. SOC2 Type II defines specific control criteria for managing client data, and details and tests the operational effectiveness of those system controls over a period of time. Star's new EU data center is currently SOC2 Type II and ISO 27001 compliant; and if the primary hosting environment ever were to go down, the data center employs replication technologies, which significantly reduce downtime and vastly improve incident response times. Star's US data-center operations will be similarly equipped by early 2020.
LAYERS, LEVELS, FIREWALLS, AND AUDITS
Technical controls come next. A "defense-in-depth" approach means security systems are working at multiple levels in the Star hosting environment: layers and levels with firewalls in between. Within these layers and levels, security systems are working to protect the data from the ever-changing cybersecurity threat landscape. These systems constantly monitor and protect against network and host attacks, both internal and external. These same systems are also tested on a recurring basis in the form of vulnerability tests, to ensure all defenses are operating as intended. And this all ties back to SOC2 Type II: that is, you have a control in place and you test it to ensure it’s operating effectively.
Star is regularly audited by independent, accredited organizations for its ISO 27001 and SOC2 Type II compliance initiatives. This is in addition to audits by Star clients, who perform their own audits in the course of doing their due diligence on Star. In fact, Star was audited by three of the big four accounting firms in 2019 alone. And if there's ever anything an audit surfaces, Star incorporates that information back into its own controls. For administrative security, Star employs a single-tenancy model, which means every Star client gets a dedicated application and client data is never commingled. And end users access the STAR Platform using Single Sign On, to keep compliance simple and secure. Finally, all data is encrypted in-transit and at rest.
Under the hood of STAR, there are sophisticated auditing features, granular user-permissions, and data-visibility walls, since data privacy has become such an integral part of data security. And when it comes to data retention, archiving, and destruction—or DRAD—multiple data-retention policies can be created for different groups of users. These data-retention policies are executed automatically by the STAR system on a pre-defined schedule.
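As an added illustration (not StarCompliance code) of how per-group retention policies can drive a scheduled DRAD run, the following sketch assigns each user group its own archive and destroy thresholds and turns record ages into actions. Group names, thresholds, record IDs and dates are constructed for the example.

```python
"""Constructed example of a scheduled data retention, archiving and
destruction (DRAD) run with a separate policy per user group."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionPolicy:
    archive_after_days: int   # move from live store to archive after this age
    destroy_after_days: int   # permanently delete from archive after this age


# Hypothetical per-group policies; a real deployment would load these from config.
POLICIES = {
    "traders": RetentionPolicy(archive_after_days=365, destroy_after_days=365 * 7),
    "analysts": RetentionPolicy(archive_after_days=180, destroy_after_days=365 * 5),
}


@dataclass
class Record:
    record_id: str
    group: str
    created: date
    archived: bool = False


def plan_actions(records, today, policies=POLICIES):
    """Return {record_id: action} for one scheduled run.
    Destruction only applies to records already archived, so a record always
    passes through the archive stage; a record with no matching policy is
    flagged rather than silently retained or destroyed."""
    actions = {}
    for r in records:
        policy = policies.get(r.group)
        if policy is None:
            actions[r.record_id] = "no-policy"
            continue
        age = (today - r.created).days
        if r.archived and age >= policy.destroy_after_days:
            actions[r.record_id] = "destroy"
        elif not r.archived and age >= policy.archive_after_days:
            actions[r.record_id] = "archive"
        else:
            actions[r.record_id] = "retain"
    return actions


def sample_run():
    """Run the scheduler over constructed records as of 2020-01-01."""
    records = [
        Record("R1", "traders", date(2019, 6, 1)),             # 214 days old
        Record("R2", "analysts", date(2019, 6, 1)),            # 214 days old
        Record("R3", "traders", date(2012, 1, 1), archived=True),
        Record("R4", "contractors", date(2019, 1, 1)),         # no policy defined
    ]
    return plan_actions(records, date(2020, 1, 1))
```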
CONSTANT ATTENTION, CONSTANT FUNDING
Good compliance software vendors also understand the benefits of simple things, like staff security awareness and privacy training, regulatory data-protection training, secure-code training, and an overall company culture of security-mindedness, which Star possesses in spades. And keep in mind that security frameworks are continually evolving. Or rather, they should be. If you're going to build an in-house platform, and try to keep up with it, you have to be prepared to spend the required resources in terms of time, money, and manpower to do it right.
Take SOC2 Type II compliance. Star spent eight months getting ready for implementation. Why the long wait? There's the gap assessment. There are audits. There's internal testing of the controls. In short, there's a lot of due diligence involved in something as complex as SOC2 Type II compliance. And because SOC2 Type II has become the industry standard for SaaS companies of all kinds, there's no getting around it. And that's just one example. Keeping up with data-safekeeping technology demands constant attention and constant funding. Vendors like StarCompliance are in the best position to meet such unrelenting demands. Quite simply, their success as a business depends on it.