By taking the right steps, you can calm security fears and move test data to the cloud.
Today's designs are so complex that testing is often the bottleneck in time-to-market schedules. The complexities of testing require collaboration, yet the collaboration is hampered because teams are no longer co-located. Mergers and acquisitions in the electronics industry over the past several years have created these distributed teams. Given the significant impact of a late product launch on business profits, anything that impacts a product's time-to-market needs to be mitigated.
One way to mitigate the challenges of distributed design teams is to push collaboration to the internet "cloud," a technique that's gathering steam across multiple industries. Indeed, Gartner predicts, "by 2020, a corporate 'no-cloud' policy will be as rare as a 'no-Internet' policy is today."
Cloud-based IT services crossed a tipping point, mostly because of:
- The rise of the mobile worker. An estimated 75% of the U.S. workforce will be mobile by 2020, meaning that they spend at least part of the work week away from their desks.
- A Forbes article showed that the cloud offers wide-ranging benefits, such as improved innovation (48%), new product and service development (45%), and boosted sales efforts (38%), not to mention an average increase of 22% in profits.
Capabilities that support distributed teams during verification test, product characterization, and production test need to evolve. Testing in the cloud is one option to get there. However, moving to the cloud still feels like uncharted territory for many businesses, particularly when it comes to data security. To help you make decisions, I'll dispel common misunderstandings regarding security, provide a guide for choosing cloud testing vendors, and offer some practical tips for what your organization can do to further protect your data.
Characterizing products can generate large amounts of data that need both secure storage and easy access for the proper people.
Common security fears:
Our data is mission-critical, so we store it on encrypted servers right here in our facility. How can a cloud server be more secure than this?
It turns out that the "insider threat" is a much bigger risk than most businesses recognize. According to a 2017 Insider Threat Report, it can cost over $100,000, even $1M, to remediate breaches in IT security. Yet less than half of the incidents were caused by a disgruntled insider. An unknowing, well-meaning employee can cause just as much harm. In short, the risks of data theft are no greater in the cloud than they are on-site.
My customer won't allow us to move into the cloud because they think that it's not safe.
We hear this quite often, particularly from vendors that work for the government. Organizations such as the Department of Defense don't explicitly say that you can't go in the cloud. But they require that data used for government purposes be protected following their standards. The U.S. Department of Defense (DoD) has created a certification and accreditation process called FedRAMP, whereby the DoD works proactively with industry to set security standards rather than simply declare a "no-cloud" policy.
What to look for
The most efficient way to test a vendor's security robustness is to check for participation with the most recognized standards:
- ISO 27001: The ISO 27001 certification shows that the cloud provider has a security program in place to monitor, manage, and mitigate risks associated with information security.
- Cloud Security Alliance Security, Trust & Assurance Registry (CSA STAR). STAR certification layers over ISO 27001 (having a certified ISO 27001 system is a prerequisite for obtaining STAR certification). The STAR certification shows a growing maturity of the cloud provider's security system across multiple security domains.
- Federal Risk and Authorization Management Program (FedRAMP). For organizations that work for the Federal Government, it is important to confirm that their cloud provider has a FedRAMP authority to operate (ATO). The FedRAMP ATO requires everything in ISO 27001, but with an amplified focus on security controls.
In addition to security, you must also consider data availability. Key considerations are uptime promises, data redundancy, and ease of offloading data. A high percentage of cloud vendors deliver their services on cloud-hosting platforms such as Amazon Web Services (AWS) or Microsoft Azure. AWS, Azure, and others offer systems for redundancy, security, and availability. Don't be surprised if a small business promises you world-class performance. It's very likely that they're offering you the benefits of a small, innovative service provider with the backing of the world's best cloud hosts. "The cloud comes to test" makes note of several such small companies that use these cloud services.
Storing test data on USB flash drives is convenient but poses security risks from hackers and from employees walking out with your test data.
Keep your data safe
Some 46% of the security breaches that occurred in the cloud happened because internal policies and procedures weren't followed. Even if a cloud testing provider has an impenetrable fortress, your employee policies and procedures need to be in place, too.
The key to success here is balance: balancing the need to secure critical assets while ensuring that employees are able to do their jobs without frustration. Here are some tips:
- Put all of your data eggs into one, maybe two, iron-clad baskets in the cloud. Make it clear to employees that there is only one "approved" location to store data. In the absence of an easy-to-use official solution, employees tend to revert to ad hoc methods that are best for them but often poor for the business.
- Push security accountability down to the lowest levels possible. Businesses that have a handful of "security compliance officers" often fare poorly in actual security practice because employees tend to view them as someone to be avoided. Businesses that tie security compliance to performance reviews, or even group bonuses, are often able to turn lemons into lemonade.
- Integrate security into strategy. IP is so critical these days that businesses need to treat security as an executive role that encompasses all departments. Businesses that weave security into all aspects of the strategy process are turning security from a defensive reactive function into a proactive growth function.
Wrapping it up
The electronics product industry is a recognized leader in the "digital disruption" happening to industries ranging from hospitality (Airbnb) to automobiles (Tesla). Our own success in accelerating the pace of progress is now coming home to roost and is forcing our industry to evolve and create new ways of enabling distributed teams to collaborate across borders. Testing in the cloud is but one of the many game-changers that are coming. When you do make the shift into the cloud, you can take steps to assure that your data will be safe.