Data security and the cloud: Earn trust by putting your customers in control

It's not your data; it's the customer's data

Data is one of the most valuable assets a modern business holds. When a company decides to move to the cloud, data security and privacy become a natural and top concern for management.

That concern stems largely from discomfort: Businesses don't like the idea of losing control of their data by giving it to another company to manage. As CTO of a large SaaS company, one question I hear from new clients time and time again is: Can we limit the access your employees have to our sensitive data?

It’s a question I’ve done a lot of thinking about—and one that every cloud company needs to address if it wants business leaders to feel more confident about data security and privacy—and therefore, more comfortable overall about embracing the cloud. Ultimately, when it comes to protecting data—from using the latest firewall and encryption technologies to earning leading industry certifications—the goal is to win the customer's trust.

Limit cloud providers' access to customer data

One way to truly earn full confidence is to give customers more control of their data. After all, it is their data—even if it is hosted and managed by another company. Allowing a customer to limit the access a software provider’s employees have to their sensitive data not only reduces exposure for data leaks, but it instills valuable trust between both companies

This kind of control should include the ability to restrict:

  • When the cloud provider can access data. The customer should be able to determine the times at which it allows the cloud provider to see its data, such as opening a support ticket. The fact is the more time SaaS providers have access to sensitive customer information, the higher the risk exposure.
  • Who on the cloud provider’s team can access the data. Sometimes it is necessary for partners, system admins or support staff to access data. But providers should work with their clients to develop customized approval workflows on top of standard role-based access to specify which external personnel can access customer data.

Of course, companies must understand that if they want to experience the full benefits of working with a SaaS provider, there has to be some give and take around access control. That second “S” in SaaS stands for “Service,” after all. Here are a couple examples of leading SaaS providers that restrict access while providing quality support:

Salesforce Pardot: Salesforce’s cloud-based marketing automation tool captures and manages a wide range of sensitive marketing data. If a user wants to allow a Pardot team member to view or make changes to this data, they must explicitly grant access. There is an icon on the top right of any page in Pardot where a user can grant this permission.

Intuit: The popular tax filing app TurboTax deals with highly sensitive personal and business data. One feature of the app, SmartLook, gives customers the option to initiate a help session with a customer service agent who co-browses with customers on their mobile devices to troubleshoot at the point of need. Notably, these agents cannot view personal data such as Social Security numbers. By hiding this data from agents, TurboTax limits the risk exposure and increases user confidence in its cloud-based services.

Be flexible, let customers decide data access

When building a tool that lets users determine when and to whom they want to grant access, flexibility is key. What we’ve learned is that some enterprises may want to restrict access to just a few of the provider’s employees. Other global enterprises may want to enable access in one country but prevent it in another.

Offering the ability to encrypt sensitive personally identifiable information so that only authorized client users are allowed access adds yet another layer of privacy protection. Building a framework that can address the specificity and granularity of each enterprise goes a long way towards earning the customer’s trust.

There will always be tradeoffs between data security and privacy and the ability for the SaaS company to provide support. By putting customers in control, they have the power to create the right balance between security and support that fits their unique culture.

While there is no magic solution to eliminate all data security and privacy risks associated with the cloud—or any other technology—making sure companies retain control over who can access their sensitive data can go a long way toward helping the cloud industry reduce fears and earn trust. Giving customers more control also benefits cloud services providers by helping them to reduce their own risk landscape. These things are crucial for the cloud computing industry to continue to thrive.

Copyright © 2017 IDG Communications, Inc.