If you want to clear a room just start talking about Information Security, or ‘InfoSec’ to the initiated. Non-technical people want to run for the hills and technical teams envisage protracted discussions of arcane detail when Information Security is on the agenda. Ask the same room to discuss cloud document processing, and the urge to flee reaches new heights.
Nonetheless, a lot of people will remain in the room: the Chief Information Security Officer, the CIO, the Head of Compliance, Head of Procurement, the Heads of Department for New Account Opening, Customer Onboarding, Claims, and other teams who deal with information that must be treated as confidential or sensitive.
All these people take InfoSec seriously. They understand their obligation to keep information secure on behalf of their customers, partners, and employers. They consider Information Security a forefront concern for their business and want to actively manage any risks related to the adoption of new cloud-based technology.
Why Consider Document Processing in the Cloud?
Processing documents in the cloud is rapidly becoming the new norm for businesses. In addition to the widely discussed price, convenience, and cost-reduction benefits of cloud computing, some specific points are worth noting:
- Cloud-hosted document processing solutions, often referred to as Cloud Intelligent Document Processing or Cloud IDP, make greater use of modern machine learning, NLP, and other AI algorithms than on-premises document processing solutions.
- Cloud IDP solutions are based on AI models that learn from every customer, so your business takes advantage of the multiplier effect. That translates into faster processing, greater accuracy, and higher straight-through processing (STP) rates.
- Cloud vendors need to meet very stringent InfoSec requirements for some customers, and they make the same provisions available to any customer who chooses to require them.
- Technical advances are frequently provided in Cloud IDP solutions for no additional effort or cost, whereas internal on-premises solutions tend to remain on the same (outdated) version for longer, missing out on new capabilities, improvements in processing, and security enhancements.
Given the evident advantages of cloud document processing, how can a business overcome its concerns about information security in the cloud? The rest of this blog focuses specifically on how to address these InfoSec concerns with confidence and speed.
Is Cloud Document Processing Safe?
Most organizations want to take advantage of the many benefits of cloud computing but hesitate on account of safety concerns driven by:
- Fears about the security of cloud computing, and
- Concerns about loss of control over information stored in cloud environments.
The adoption of cloud services can slow down or even grind to a halt, as these Information Security fears and concerns are addressed. Meanwhile, competitors exploit cloud computing to improve customer service, to increase innovation, and to execute business faster and more efficiently.
Simply put, in all but a very small minority of cases, processing documents in the cloud is completely safe and all required Information Security policies and regulations can be fully complied with. Often, processing documents in the cloud is actually safer than methods being used in current day-to-day operation.
However, this safety needs to be established before adopting cloud technology, and that can seem a daunting task to organizations making the transition to cloud-based solutions.
Fortunately, it’s now easy to quickly establish clear confidence in cloud security, make well balanced risk decisions and avoid falling behind competitors. What’s needed is simply a means of engaging thoroughly, quickly, and expertly to understand your organization’s InfoSec requirements and how they can be met in a cloud computing context.
Why Do Information Security Assessments Take So Long?
When acquiring new cloud-based solutions, many organizations spend weeks (sometimes months) conducting InfoSec reviews and assessments. What takes so long?
Our experience shows that the most common causes of problems and delay are:
- The significant effort and time spent by InfoSec teams to create and complete large and highly detailed security questionnaires. These are often more complex than the accompanying request for proposal (RFP) which outlines essential business requirements.
- The high level of debate about how to meet InfoSec compliance requirements. A cloud-based solution can often meet an InfoSec requirement in several different ways. If not actively managed, debates surrounding these different options can consume too much time.
- The difficulty of striking the right balance between InfoSec risk and business value. Without a valid business context, the right level of stringency to impose in InfoSec requirements can be difficult to decide.
- The technical language used to discuss InfoSec causes business decision-makers to unwisely excuse themselves from InfoSec debate, leaving risk evaluation to others. This can add significant time and unnecessary pressure to projects.
InfoSec reviews are simply risk assessments. They require clarity and discipline, but don’t need to take weeks or months to complete.
A good, well-structured, and managed InfoSec engagement from business and technical teams will ensure that the right questions are asked, satisfactory answers received, and an appropriate solution procured. The result will be a more efficient process of InfoSec decision making and a better outcome.
We have conducted multiple InfoSec assessments as part of Cloud IDP implementation, can advise on best practices, and would be happy to speak to you about your InfoSec review.
Common Cloud Intelligent Document Processing (IDP) Concerns
When the use of cloud computing to process documents is proposed, the most common InfoSec issues that arise are:
- Unpredictable content due to unstructured data,
- Residency of sensitive data,
- Security of cloud-resident data,
- Secure transport of documents,
- Managed retention of documents.
Lithe addresses these issues frequently for our customers and the risks raised are typically much lower than initially perceived. To understand why, let’s consider each in turn:
1. Unpredictable content due to unstructured data
Some InfoSec teams fear unstructured data, that is, data trapped in documents, images, videos, voice, and text streams. Unstructured data can include unpredictable information, and that can be a concern for InfoSec teams.
For example, when a customer writes a letter to a business, the business has no control over the content of that letter. By contrast, the content of a standardized application form is easily predictable prior to completion of the form – the form is structured to deliberately gather only the required information.
Understandably, InfoSec teams prefer structured data because they know upfront the nature of the data being gathered and processed.
Should structured data be the only suitable content for Cloud processing? We strongly believe not. Cloud IDP is at least as secure as on-premises, non-cloud technology, indeed often more so.
Cloud IDP offers several ways to de-risk the management of all types of data. For example:
- Cloud provides the largest range of algorithms for intelligent document processing (IDP). It extracts data with accuracy and efficiency from both structured and unstructured documents. This minimizes human intervention, releases employees from taxing business processes and reduces human-related risk.
- Rules can be configured in most leading IDP solutions to seek high risk data, such as credit card numbers, and redact this information before sharing the results with people or downstream systems. When humans are asked to mine data for the same purpose, they are less effective, and their participation introduces an unnecessary risk of loss or fraud.
- Cloud IDP can identify data items that are not in scope for processing and apply pre-defined rejection processes automatically so that no unrequired data “leaks” into the business. This enables a business to comply with GDPR and other data protection regulations by ensuring that only required information is processed from “unstructured” documents.
- Cloud IDP makes greater use of modern and continually improving machine learning, NLP, and other AI algorithms than on-premises document processing solutions. The result is a more effective guard against importing InfoSec risk through poor data collection procedures and technologies.
2. Residency of sensitive data
Where will the documents and data reside?
Residency is a valid concern because business needs or compliance requirements sometimes mandate that data be held in specific geographies, for example in the US or in an EU country. Cloud IDP providers cater for this by providing data residency options that allow customers to choose countries, cities, or regions in which to locate their data within Private or Public clouds.
For example, a US bank can choose to have its cloud provider store all documents and data in a cloud whose servers are physically within the US. While some jurisdictions have specific residency rules which rule out Cloud, most businesses rely on cloud providers to fully meet their data residency needs.
3. Security of cloud-resident data
Is cloud-based data less secure than data held in-house?
Most Cloud IDP providers base their service on the technology of global hosting giants, such as Azure (Microsoft) and AWS (Amazon), known as IaaS (Infrastructure as a Service) providers. These vendors make the InfoSec team’s job much easier because their security infrastructure is built to support even the most stringent InfoSec requirements.
The reality is that Cloud IDP providers, whose services leverage the infrastructure of IaaS giants, offer security capabilities which are more than adequate for most organizations, with better disaster recovery, active security patch management, monitoring, and security detection systems than in-house IT teams could afford. Even Government departments, famously stringent in their InfoSec requirements, use Cloud offerings underpinned by the IaaS giants.
An InfoSec team can expect to understand quickly how an IaaS or Cloud IDP provider enforces best practice in encryption, key management, detection systems, firewalls, etc. Compliance with standards such as ISO, SOC 2 and PCI is an excellent indicator of a Cloud Provider’s security credentials and gives confidence to buyers.
An InfoSec team can expect to be provided with results of a recent external security audit, known as a “penetration test”, which provides independent confirmation of the infrastructure’s security.
Not every business or every use case requires the same depth of InfoSec provision, so the leading IaaS vendors also provide graduated levels of service and security, allowing each business to adopt a security level sufficient to its need, at a price point that makes sense.
It’s tempting to insist on “Fort Knox” levels of security. However, the trillions of dollars’ worth of gold stored at that famous location require a level of security not needed and not affordable in most businesses. So, be sensible about the level of InfoSec you ask for.
Business people should remain engaged to ensure the requirements specified by their InfoSec team are commensurate with the security and servicing needs of the documents being processed. It’s essential to strike the right balance between real-world business security requirements and the extremes of available InfoSec capabilities. The result will be faster onboarding and better risk management.
4. Secure transport of documents
The concern of a document falling into the wrong hands is sometimes presented as the reason Cloud IDP cannot be adopted.
As documents move into and through an organization via a cloud infrastructure, it’s important to ensure that this transport is done securely.
Many organizations have made the decision to embrace documents in the Cloud already. They often use document management solutions such as Microsoft Exchange and SharePoint within the Office 365 suite, to facilitate transport and sharing of documents.
While I am a supporter and user of this type of technology, I advise against it as a component of secure Cloud IDP infrastructure, where sensitive business and personal information is being processed and InfoSec is a priority. A poorly managed email account, an uncontrolled distribution list, a simple human error in inputting an email address – there are too many InfoSec loopholes. I have written in another blog about the risks of using insecure transport mechanisms, such as email.
Lithe ensures the secure transport of documents. We prevent multiple copies of documents being stored, copied, renamed, and distributed, and we track, control, and make transparent the journey of the document into and through the organization.
Lithe provides software purpose-built to ensure secure flow and processing as part of any Cloud IDP infrastructure.
5. Managed retention of documents
Document retention policies ensure that information is held only for as long as necessary or allowed. Compliance with GDPR and similar data protection regulations makes the automation of these retention policies a must-have of a Cloud IDP solution.
Retention is built into all leading IDP solutions. Expect to adopt a solution that provides full transparency of all processing states, automated and human, and that includes a clear statement of how and when the document was disposed of at the end of its lifecycle. Being able to evidence this ensures compliance with policy and regulation, and of course can bring significant calm!
Proving InfoSec compliance is often unfairly seen as a daunting challenge, when in fact it is simply a necessary risk management task that can be quickly and confidently completed.
For customers considering the adoption of a Cloud IDP solution, we advise focusing your InfoSec review on five risk mitigation questions that will keep information safe, drive an efficient InfoSec compliance review and make your InfoSec review a success:
- Is the solution hosted by a global IaaS provider such as Azure or AWS?
- Can you choose a region for your Cloud IDP which matches your residency rules?
- What controls do you need to implement that safeguard against unpredictable data?
- Has your Cloud IDP provider achieved audit standards relevant to your business and can they share externally certified security results?
- Do you have transparency on the full lifecycle of your documents during processing, including the entire document journey into and through your organization, in accordance with your document retention policies?
At Lithe, we have developed our flagship product to act alongside leading Cloud IDP providers, streamlining the secure flow and processing of documents. We can help you implement a complete Cloud IDP solution appropriate to your needs, including your InfoSec requirements.
To learn more about your Cloud options, read our white paper on public and private Cloud choices, Azure, AWS, and Lithe Digital Documents.