If your enterprise cloud software isn’t boasting about security, you should be worried

Over the last two months we have been working on bringing our product up to the standard required by the NZISM (the New Zealand Information Security Manual).

We have found it’s easy to say that you build software with security in mind. It’s another thing entirely to dig into every service and lock each one down. From starting our own internal assessments, to bringing in an external vendor to carry out a full Security and Risk Assessment, this process has consumed our team since early November.

Working off a checklist provided by our vendor, we proceeded to lock down text fields, encrypt local files, enforce timeouts across the site (fun with Angular), and apply password policies to every field where a customer can change their password.

Along the way we found a stack of surprises such as:

  • Windows Communication Foundation (WCF) has to be specifically configured to use TLS 1.2. Left at its defaults on .NET Framework 4.5, it falls back to TLS 1.0, which is deprecated and has known weaknesses (.NET Framework 4.6 and later offer TLS 1.2 by default).
  • SQL Server 2014 stops working once TLS 1.0 is disabled on the host, because out of the box it cannot negotiate TLS 1.2. Microsoft added TLS 1.2 support through updates (KB 3135244 lists the required builds), and the same applies to SQL Server 2008 through 2012: without those updates, older versions don’t support TLS 1.2 either. The client-side components (SQL Server Native Client, the .NET data provider) need the matching updates too.
  • Securing our own system isn’t enough: our customers also have to run .NET Framework 4.5 or later, because earlier versions cannot negotiate TLS 1.2 at all (and 4.5 only does so when configured to). The same goes for older browsers that don’t support the standard.
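
As an added example, not code from the original post or from Eightwire, here is a PowerShell check for the surprises listed above. It offers each TLS version to an HTTPS endpoint one at a time and reports which ones the server still accepts, then reads the .NET Framework and Schannel registry switches that decide whether a .NET 4.5.x client (WCF over HTTPS included) will offer TLS 1.2 at all. The host name and port are placeholders; it needs Windows PowerShell on a machine with .NET Framework 4.5 or later.

```powershell
# Added example, not code from the original post. Probes which TLS versions a service
# will actually negotiate and reports the .NET Framework and Schannel registry switches
# that decide whether .NET 4.5.x clients (including WCF over HTTPS) offer TLS 1.2.
param(
    [string]$HostName = 'app.example.com',   # assumption: replace with your own HTTPS host
    [int]$Port = 443
)

function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # We are testing protocol negotiation, not trust, so accept any certificate here.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        # Offer exactly one protocol version; the handshake throws if the server refuses it.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        }
        $ssl.Close()
        return $result
    } catch {
        return [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null; Cipher = $null }
    } finally {
        $client.Close()
    }
}

function Get-DotNetTlsSwitches {
    # SchUseStrongCrypto=1 makes .NET 4.5.x default to TLS 1.0/1.1/1.2 instead of SSL3/TLS 1.0.
    # SystemDefaultTlsVersions=1 makes .NET follow the OS Schannel settings (4.6 and later,
    # or 4.5.2 with the TLS update installed). Neither key exists until someone sets it.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $paths) {
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                     = $path
            SchUseStrongCrypto       = $key.SchUseStrongCrypto
            SystemDefaultTlsVersions = $key.SystemDefaultTlsVersions
        }
    }
}

function Get-SchannelProtocolState {
    # Schannel disables a protocol version when Enabled=0 under its Server or Client key.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Get-ItemProperty -Path "$base\$proto\$side" -ErrorAction SilentlyContinue
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $key.Enabled }
        }
    }
}

'== Handshake probe against {0}:{1} ==' -f $HostName, $Port
$tls12 = [System.Security.Authentication.SslProtocols]::Tls12
$probe = foreach ($p in [System.Security.Authentication.SslProtocols]::Tls,
                       [System.Security.Authentication.SslProtocols]::Tls11,
                       $tls12) {
    Test-TlsVersion -HostName $HostName -Port $Port -Protocol $p
}
$probe | Format-Table -AutoSize
if ($probe | Where-Object { $_.Accepted -and $_.Offered -ne $tls12 }) {
    Write-Warning 'Server still accepts TLS 1.0 or 1.1; disable them in Schannel and re-test.'
}

'== .NET Framework TLS switches (blank = not set) =='
Get-DotNetTlsSwitches | Format-Table -AutoSize

'== Schannel protocol keys (blank = OS default) =='
Get-SchannelProtocolState | Format-Table -AutoSize
```

Do not point the probe at SQL Server on port 1433: SQL Server 2014 does not speak TLS straight off the socket (the handshake happens inside the TDS pre-login exchange), so a raw SslStream connection fails regardless of the server’s TLS support. For SQL Server, check the installed build against the list in KB 3135244 instead. Run the probe from a customer-like client as well as from your own network, since the point of the third bullet is that the client’s .NET Framework version decides what gets offered.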

Why don’t cloud applications talk more about security?

After going through this process, we noticed that other companies in our sector don’t make a big deal about security. It’s one thing to say you use HTTPS and payload encryption, but it’s something else entirely to dig out the hundreds of little things that add up to big problems. And if you had spent two months of runway meeting a government manual on security, why wouldn’t you shout about it as loudly as you can?
