As the move to SaaS accelerates, so do data security concerns and risks. IBM’s latest Cost of a Data Breach Report found that 82% of breaches involved data stored in the cloud. Storing your data in the cloud doesn’t mean you can go easy on security. Because companies are responsible for the security of their data regardless of where it resides, it should only be entrusted to cloud providers with state-of-the-art privacy and security measures in place.
And with October being Cybersecurity Awareness Month, what better time to spotlight Own Company’s (formerly OwnBackup) ongoing commitment to security?
At Own, we’re committed to protecting the privacy and security of our customers’ data. Our world-class data platform was built from the ground up utilizing leading information security best practices. Below are some of the principles that guide our approach to security.
Adherence to Industry-Defined Standards
Think back to when you first started driving and got your license, and imagine if you were allowed to grade your driving test based on your own criteria. (I’m guessing most of us would not make the ability to parallel park a requirement for passing the test!)
In this example, self-grading introduces the potential for bias and would lead to unqualified drivers on the road, increasing the risk of accidents. That’s why driving tests are, of course, conducted by trained examiners who follow standardized criteria. These criteria objectively measure a driver's abilities, ensuring that the assessment is fair, consistent and meaningful.
In the same way, having industry standards when it comes to security ensures a common understanding of conditions, terms, and best practices, which can prevent costly security errors and incidents.
Own prides itself on adhering to objective industry-defined standards, not standards that we define ourselves. Our security measures aren't just arbitrary benchmarks, but are grounded in real-world best practices backed by third parties and peer reviews. Having industry-defined standards also helps customers evaluate providers on a level playing field.
As part of our commitment to industry-defined standards, we also provide the most detailed publicly available Security Controls Document of any provider.
Trust Through Transparency
Remember in school, when teachers made you show your work? Frustrating, no doubt. If you arrived at the right answer, what did it matter how you got there?
Well, it turns out that it matters because when you show your work, you’re forced to communicate what you did and how you did it in a way that others understand.
The same concept applies to a complex subject like security. Just like students, security teams must be able to show their work. And it’s more than a best practice. New rules from the Securities and Exchange Commission (SEC) going into effect next year will require extensive, regular disclosures regarding companies’ cybersecurity programs and material cybersecurity incidents. And in Europe, having an Incident Response Process is one of the main elements of the new Digital Operational Resilience Act (DORA). The regulation requires financial institutions to report and classify all material cybersecurity incidents.
Own understands the importance of transparency. In addition to the publicly available Security Controls Document mentioned above, we provide self-service access to our security portal, which contains regularly updated policy documents that address over 1,000 security questions.
This level of transparency allows our customers and those under a Non-Disclosure Agreement (NDA) to understand Own's security policies comprehensively, so you can know precisely which requirements are met, how access to customer data is managed, and the precise conditions under which we make exceptions to default policies for legitimate business purposes. You’re never forced to trust our judgment on making exceptions; the conditions are spelled out for you to see.
Risk Mitigation Through Thoughtful Architecture
Security is not only about standards and transparency but also architecture. Architecture is always a set of trade-offs, and when we make these trade-offs, we put security first. Two examples of this relate to our storage architecture and customer use of encryption keys.
By default, Own uses Cloud Service Provider (CSP) Object Storage to deliver secure, highly available storage and server-side encryption backed by a FIPS 140-2 validated Key Management Service. Own leverages top-tier CSPs for its infrastructure needs, currently Amazon Web Services (AWS) and Microsoft Azure.
Beyond the general storage infrastructure level, we also avoid SQL-based architectures for storing backup data. By doing so, we are able to reduce our exposure to malicious attacks that are often explicitly designed to target widely deployed technologies. This approach also minimizes unnecessary complexity, reducing the likelihood of read errors that could impact the accuracy of restores.
An additional example of optimizing for security in the design of the product has to do with our approach to encryption. Our general approach is outlined in the encryption section of our Security Controls Document. When it comes to encryption keys, we have designed our architecture so that we limit the storing of encryption keys outside of hardened systems. Industry best practices dictate that these keys be stored only in such systems, and any architectures that encourage the manual handling and storage of keys create risk around the auditability and security of these keys.
Trust your SaaS data to Own
By adhering to industry-defined standards, emphasizing transparency, and implementing thoughtful architectural decisions, Own demonstrates a steadfast commitment to securing your data. When choosing a data backup and recovery solution, trust is paramount, and Own’s security principles are designed to provide you with the peace of mind that your data is in safe hands.
Explore the Own Trust page to learn more about how we prioritize our customers’ privacy, security, and more.