9 Questions to Ask Before You Implement Cloud ECM
With the use of Cloud Electronic Content Management (ECM) expanding among all industries, it’s a sure bet that if you’re not looking at Cloud ECM now, you will be soon. This trend reflects an overall comfort with cloud-based applications and services, as well as a nearly universal recognition of the cost savings that Cloud ECM applications can bring to organizations.
Questions You Should Ask
But, before you get too comfortable, we’d like to share ten security and reliability questions that you should ask any vendor that you consider for providing your Cloud ECM service:
1. Is the software you use in your platform specifically designed as a Cloud solution?
This question is important because you don’t want to work with a vendor that “short-cuts” the solution by using standard off-the-shelf software designed for a single company. When providing cloud technology for many companies and customers, using this type of software is second-best – it limits security, functionality, scalability, data segregation and redundancy. It’s best to choose a Cloud ECM vendor that has the proper architecture to support the services it provides.
“Hosted” or “ASP” solutions have been around for a long time, and may still be offered as a kind of “poor man’s cloud.” In these instances, companies outsource the support and development of their application to an outside vendor. Most hosted and ASP models are single-tenant: each customer accesses their own instance of the application. Vendors who use this type of software architecture have much more to manage, because they support, develop and fix bugs for each instance of the application. It’s not cost effective to build a highly redundant environment for each tenant; therefore, these solutions often limit scalability and redundancy. If you’ve had a Cloud ECM solution in place for five years or more, you should check to see if it uses single-tenant architecture. If it does, it’s time to upgrade to protect your data!
True cloud models are different: they are multi-tenant. A single instance of the software serves many customers (multiple tenants). With this architecture, customers share the system with other customers. The software is designed to segregate all data and functions to maintain security and to allow each tenant to customize their own application instance.
For the vendor, there is less to manage, because one instance of the software is maintained for the benefit of all. Customers enjoy extreme scalability and redundancy with multi-tenant architecture. Additionally, vendors that manufacture their own software can provide superior service, because a single vendor built the system, owns the system and can address issues effectively. When buying a Cloud ECM service, make sure the vendor manufactures their own software and uses multi-tenant architecture.
2. What security features does the software provide?
With Cloud ECM systems, the application itself should include security tools and features that enable administrators to put security policies and procedures in place. The more security the software offers, the better. Here are some basics to look for and some additional features that boost security.
- User Passwords – Administrators should be able to set password complexity and length requirements. Passwords should be protected with a one-way hash (a function that cannot be reversed to recover the password). Only the hash value – not the password itself – should be stored.
- Account Lockout – Administrators should be able to schedule account lockouts after a specific number of invalid sign-in attempts within a specific amount of time.
- Session Timeout – User sessions should automatically time out after a period of no activity.
- Sensitive Data Encryption – Any secure data (e.g., encryption keys) should be stored encrypted.
Preferred Security Features
These features significantly increase security.
- Customer Information Protection – The application should never store customer data or pass data in cookies (text exchanged between servers and web browsers). This should include session IDs (unique identifiers) to ensure that access is gained only from authorized locations.
- IP Address Limiting – Access to information should be limited to specific IP addresses (unique identifiers) to ensure that access is gained only from authorized locations.
- Function-Level Verification – Exchanging information without verifying security access rights opens the possibility for an information breach. If security is evaluated and verified only for the first exchange, an attacker could write a program that could access your information. Therefore, every single application function call (information request or command) should be verified before access is granted.
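As an added example (not the white paper's or any vendor's code), the following sketch shows function-level verification together with IP address limiting and tenant data segregation in a multi-tenant ECM service: a decorator re-checks the caller's identity, source address, tenant and permission on every single function call, and a dispatcher routes each request through it. Every name and value here is constructed: the tenants `acme` and `globex`, the users, the documents, the role table and the RFC 5737 documentation address ranges. Refused calls are appended to `DENIALS`, the kind of audit trail a monitoring rule would watch.

```python
import ipaddress
from functools import wraps

# All data below is constructed for this example; none of it comes from the white paper.
USERS = {
    "alice": {"tenant": "acme", "role": "editor"},
    "bob": {"tenant": "globex", "role": "viewer"},
}
DOCUMENTS = {
    "doc-1": {"tenant": "acme", "body": "Q3 forecast"},
    "doc-2": {"tenant": "globex", "body": "Globex payroll"},
}
ROLE_PERMISSIONS = {"viewer": {"read"}, "editor": {"read", "write"}}
# IP address limiting: each tenant lists the networks its users may work from.
TENANT_NETWORKS = {
    "acme": [ipaddress.ip_network("203.0.113.0/24")],
    "globex": [ipaddress.ip_network("198.51.100.0/24")],
}
DENIALS: list[str] = []  # audit trail of refused calls


class AccessDenied(Exception):
    pass


def require(permission: str):
    """Verify user, source address, tenant and permission on *every* decorated call."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, source_ip, doc_id, *args, **kwargs):
            account = USERS.get(user)
            doc = DOCUMENTS.get(doc_id)
            if account is None or doc is None:
                raise AccessDenied(f"{user}: unknown user or document {doc_id}")
            addr = ipaddress.ip_address(source_ip)
            if not any(addr in net for net in TENANT_NETWORKS[account["tenant"]]):
                raise AccessDenied(f"{user}: {source_ip} is not an authorized location")
            if doc["tenant"] != account["tenant"]:
                raise AccessDenied(f"{user}: {doc_id} belongs to another tenant")
            if permission not in ROLE_PERMISSIONS[account["role"]]:
                raise AccessDenied(f"{user}: role {account['role']} lacks {permission}")
            return fn(user, source_ip, doc_id, *args, **kwargs)
        return wrapper
    return decorator


@require("read")
def read_document(user, source_ip, doc_id):
    return DOCUMENTS[doc_id]["body"]


@require("write")
def update_document(user, source_ip, doc_id, body):
    DOCUMENTS[doc_id]["body"] = body
    return "ok"


ACTIONS = {"read": read_document, "write": update_document}


def handle_request(user, source_ip, action, doc_id, body=None) -> tuple[bool, str]:
    """Dispatcher: the check runs for each request, never only at the first exchange."""
    fn = ACTIONS.get(action)
    if fn is None:
        return False, f"unknown action {action}"
    try:
        args = (body,) if action == "write" else ()
        return True, fn(user, source_ip, doc_id, *args)
    except AccessDenied as exc:
        DENIALS.append(str(exc))
        return False, "access denied"
```

Because the check is attached to the function rather than to the sign-in step, a caller that skips the normal user interface and calls the service directly still has to satisfy all four conditions on every request. The denial messages are detailed on the server side for auditing, while the caller only sees a uniform "access denied".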