What You Need to Know About Security When Choosing a Cloud Content Management System
The repercussions for enterprises of cybersecurity breaches are significant and go far beyond lost data, including penalties for reparations, payouts for reparations, broken customer confidentiality, and, ultimately, lost customers. Never before in history has there been so much data and so many challenges in protecting it. Every touchpoint in your Digital Experience Platform (DXP), whether hosted on-premises or in the cloud, can be a potential surface attack for bad actors. Here’s what you need to know about security when choosing a cloud Content Management System.
Security is a strategic investment
When it comes to making a purchase decision, an expense is something you pay for that does not yield a long-term return, while an investment creates an asset that will generate a return for several years. Security strategy investments are now a priority, according to a study conducted by Ponemon Institute of 1,406 individuals in the United States, Europe, the Middle East, Africa and Latin America who influence decision-making around security technology investments for their organizations. A key finding is that 53% percent of respondents say their organizations refreshed their security strategy because of the pandemic.
In evaluating any technology provider for your cloud DXP, three keys can inform you about the strength of their security: processes, standards, and objective third-party evaluation.
Systemic security is more than software
Many people think that software vulnerability is the only factor for cybersecurity when, in fact, a greater consideration is how your vendor handles potential vulnerabilities. A cloud DXP provider needs to be able to apply software patches in a timely way, typically less than 24 hours and certainly within 72 hours. They should have a documented Information Security Management System (ISMS) in place for their entire company beyond individual software departments.
With humans being the weakest link in the cybersecurity chain, the vendor should have considered, and remedied, human vulnerability risks. Their process of preventing social engineering hacks should be explicit and documented.
In terms of communication, a vendor should be straightforward and responsive when it comes to communicating potential vulnerabilities and breaches. Transparency is a key value that must be present in your relationship. And the vendor should be willing to contractually commit to their security practices on your behalf.
Compliance with industry-accepted security standards
In any industry, from construction to finance, having a set of accredited standards for acceptable behaviors ensures solid performance and positive results for consumers. The same holds true for cloud DXP security.
Your cloud DXP provider should have standards in place that have been evaluated by an independent and accredited third-party company. This includes global compliance, such as ISO 27001 or SOC 2, as a minimum qualifier. This accreditation means a company has been externally audited and assessed on its ability to evaluate and remedy its risks. Once a provider meets this accreditation standard, they must renew it on an annual basis. It requires global effort from the provider, with the benefit being that blind spots are surfaced for resolution and current best practices are followed.
It also accounts for industry or geographical specifics. For example, GDPR compliance is key for Europe and other parts of the world, including countries that use GDPR-like regulations on protecting personal data and information. There is also industry-specific legislation that requires compliance, such as PCI DSS for credit card management and HIPAA for health data.
Proof points matter
Having documentation of objective audit and evaluation for cybersecurity practices is just as important as the processes themselves. Your cloud DXP provider should be able to produce documented audit results and external security evaluation sheets. You can ask for the external audit documentation, penetration tests, and result scans as well as the external audit schedule.
You also want to understand a provider’s processes, such as how software is tested, released, and what kind of reports they can produce for you. It is important to know what kind of firewalls and antiviruses they deploy and want they anticipate as threats so you can know what they are defending in their systems.
Something that can get overlooked or uncomfortable to ask for are non-disclosure agreements; however, this is necessary. You want to establish how that your future cloud DXP vendor not only implements security and compliance specifically for your organization but is willing to document their commitment to securing your systems in writing.
Performance plus track record yields confidence
By understanding if these three factors relative to cloud DXP security are in place with a provider—processes, standards, and objective third-party evaluation, you can be assured your provider can deliver comprehensive protection for your cloud DXP.
Jahia Cloud is committed to implementing world-class security measures comprehensively through the entire Digital Experience Platform stack, including proactively monitoring and communicating potential issues. As a leader in data privacy, Jahia implements the most demanding security standards for cloud DXP and can comply with the demanding requirements of enterprise companies. As proof points, Jahia implements ISO 27001, HIPAA and PCI DSS SAQ A since 2019 and was renewed against ISO 27001 in August 2022. Our experts are standing by to have a conversation about your organization’s cloud DXP needs.
Author : Julian Maurel
Julian runs the Cloud operation at Jahia. His expertise spans product management, compliance and security. When Julian is not working, he is either taking care of his daughters, a traveler, a reader, a photographer or a catsitter.