As a provider of cloud-based solutions in the document outsourcing industry, Novitex recognizes that the success of its business hinges on the cloud. “The cloud is enabling us to work in ways that were never possible before, collaborating more smoothly and accessing data from anywhere, anytime,” says Anthony Dupree, CIO of Novitex. However, while Novitex uses the cloud to bring solutions to clients more quickly and solve problems more seamlessly, the company recognized early on that there is also more at stake: “Working in the cloud raises critical security concerns,” Dupree explains. “When we work with clients’ data, our top priority is that their information is protected at all times.”
Novitex recognized that internally, they needed to get better security with their private cloud for a number of reasons. First and foremost, they knew their clients needed an integrated solution that was secure, since many clients were facing strict regulation requirements. Second, as an outsourcing provider, the company knew that a lapse in security could be costly, disruptive and detrimental to their reputation. “We knew we needed to take a very proactive approach to security, especially when dealing with clients’ data,” Dupree explains.
While the company knew that creating the ideal security solution would take a lot of work, they began the process by conveying their end goal to all involved in the project. Dupree says the team was aware that they needed to deploy a “defense-in-depth” approach that was “based on the military principle that it is more difficult for an enemy to defeat a complex and multilayered defense system than to penetrate a single barrier.” They then dove into a “very collaborative effort,” Dupree says, by polling clients, IT security experts and the IT team at Novitex.
Once the objectives were clearly stated, Dupree says the next challenge involved getting company leadership on board to help facilitate the process. His major takeaway: the importance of a gap assessment. “Understanding where your gaps are is critically important, and then you must report it to the company leadership or board so they buy into your strategy and make the funding available to fix those gaps,” Dupree says. Only once you help leadership understand the risks can you get the funding necessary to alleviate your gaps, Dupree explains.
Dupree said that once they had the support necessary to embark on this journey, they then set out to find a way to collapse all the types of regulations and security requirements that clients need to adhere to. By doing this, they were able to develop a framework to manage all security controls from one view—which made everything much more seamless.
The next challenge involved using very diversified tools, including firewalls, detection systems, tools that look at email phishing, and anti-virus software, to fully protect the infrastructure. Finally, Dupree and his team conducted many evaluations and head-to-head testing to determine with tools were best to implement.
Even though Dupree says his team arrived at a solution that they are currently satisfied with, he explains that the process is far from complete. “You need to maintain your level of cyber security by understanding that it’s a continuous process and that you must be very proactive in knowing your security program,” Dupree explains, adding that this also involves anticipating what your security program might need next.
The IT Innovators series of articles is underwritten by Microsoft, and is editorially independent.