Thinking About SaaS Risks – Part 1: Data Security
If last year’s Sony hack reminded everyone that not securing your own data can be embarrassing, the recent Ashley Madison fiasco proved that failing to secure your customers’ data can be a whole lot worse.
The frequent headlines about cyber security breaches and hacking, along with concerns about data snooping by governments around the world, have caused many to inquire just how secure the data inside their CRM solution might be. They are right to ask. With so much customer data at stake, there is a lot to think about with CRM security.
Let’s look at what can go wrong:
Earlier this year, the FCC fined AT&T $25 million for data security and privacy violations that exposed about 280,000 U.S. customers’ names and full or partial Social Security numbers. The breaches occurred when employees at call centers used by AT&T in Mexico, Colombia and the Philippines accessed sensitive customer data without adequate authorization. According to the FCC, the employees took payment from third parties who were looking to use customer names and Social Security numbers to unlock stolen cell phones for sale on secondary markets.
More than 68,000 accounts were accessed without authorization, and more than 290,000 unlock requests were submitted by third parties through an AT&T online portal. The FCC also discovered that roughly 40 company employees in the Philippines and Colombia had accessed about 211,000 customer accounts for the same illicit purposes.
The $25 million fine is just the beginning of trouble. Even more painful and costly are the remediation and communication efforts with affected customers, and lost business that results when breaches are disclosed.
Hosting customer data in someone else’s cloud raises justifiable concerns about security. Customers need to know what levels of security the host is providing and need to address some critical questions:
- What protection mechanisms are in place to prevent someone from hacking into the host?
- Is there 24/7 monitoring to make sure that employees are not accessing data that should be off limits to them?
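The second question above, whether anyone is watching for employees reading records they have no business reason to touch, is the control that failed in the AT&T case. As an added illustration (not SugarCRM's code, and not a description of any vendor's monitoring), the following script shows the simplest form of such a check: count the distinct customer accounts each agent opens per day and flag anyone far above the group baseline. The log line format and agent identifiers are constructed assumptions for the example.

```python
"""Flag call-center agents whose customer-record access volume is anomalous.

Added example, not part of the original post. The log format
(timestamp agent=... action=... account=...) is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Construct sample audit-log lines (synthetic data, not from any real system)."""
    lines = []
    day = "2015-04-01"
    # Four ordinary agents, each viewing five distinct customer accounts.
    for i, agent in enumerate(["a101", "a102", "a103", "a104"]):
        for j in range(5):
            lines.append(
                f"{day}T09:{i:02d}:{j:02d}Z agent={agent} action=view account=C{i * 1000 + j:06d}"
            )
    # One agent (hypothetical) opening 60 distinct accounts in the same shift.
    for j in range(60):
        lines.append(
            f"{day}T10:{j // 60:02d}:{j % 60:02d}Z agent=a199 action=view account=C{9000 + j:06d}"
        )
    return lines


def parse_line(line):
    """Split one log line into (date, agent, action, account)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    return day, fields["agent"], fields["action"], fields["account"]


def distinct_accounts_per_agent_day(lines, action="view"):
    """Map (agent, date) -> number of distinct accounts touched with the given action."""
    seen = defaultdict(set)
    for line in lines:
        day, agent, act, account = parse_line(line)
        if act == action:
            seen[(agent, day)].add(account)
    return {key: len(accounts) for key, accounts in seen.items()}


def flag_anomalies(lines, multiplier=3.0, minimum=20):
    """Return [(agent, date, count)] for agent-days above a baseline-derived threshold.

    The threshold is the larger of a fixed floor and `multiplier` times the median
    agent-day count, so a single busy-but-normal day is not flagged while a
    bulk-reading agent is.
    """
    counts = distinct_accounts_per_agent_day(lines)
    if not counts:
        return []
    baseline = median(counts.values())
    threshold = max(minimum, multiplier * baseline)
    return sorted(
        (agent, day.isoformat(), n)
        for (agent, day), n in counts.items()
        if n > threshold
    )


if __name__ == "__main__":
    for agent, day, n in flag_anomalies(build_sample_log()):
        print(f"ALERT {day}: agent {agent} viewed {n} distinct accounts")
```

A real deployment would feed the same logic from the CRM's audit log rather than a constructed list, tune the floor and multiplier per role, and route alerts to the team that can revoke access, but the shape of the check (distinct records per identity per period, compared with peers) is the same.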
Deploying SugarCRM via the SaaS model (Sugar On-Demand) means multiple layers of protection and security. The Sugar application is hosted in Tier 1 data center facilities around the world. These data centers are protected by physical security mechanisms such as 24/7 secured access with motion sensors, video surveillance, and security breach alarms. SugarCRM's security and infrastructure components include firewalls, robust encryption, and layered user authentication.
SugarCRM understands that data is a critical component of the daily business operations of its customers and that it is essential to ensure the privacy and protection of data regardless of where it resides. SugarCRM takes a holistic, layered and systematic approach to safeguarding that data and is constantly evaluating, evolving and improving the privacy and security measures it has in place. SugarCRM also offers customers the option to deploy Sugar on-premise, as well as in hosted and hybrid configurations, flexing to meet the broadest range of security and regulatory requirements.
For more information about our security-related policies, please click here.