How do you know if an online service is secure?
I can only answer this question for about 2-3 online services I use. The rest is just based on hopeful assumptions, and I'm not happy about that. Are you? Finding out that information can be a very lengthy process, and often you won't find any good data from the companies in question. This needs to be much easier so that everyone, of all ages and backgrounds, can decide whether they want to entrust their data to a company or not. I firmly believe that we need an internationally recognized symbol that can easily show us whether a company is trustworthy or not.
As another year ends, and with my recent relocation to the USA, I found myself in the position of acquiring yet another online service to help me manage important parts of my life.
Working for Microsoft in Switzerland and now in Seattle, I have often been faced with the question of whether the cloud is a secure place for data (if you want to know, watch this video). Having these discussions made me very sensitive to finding out what security practices and standards the companies I use in my life follow. The challenge I found is that almost no other company has the same transparency as Microsoft.
Most companies state on their website that they're highly secure because they use complex encryption algorithms, but they give no data on what they consider a complex encryption algorithm and no proof that they actually use one. In the case of Microsoft, you can easily determine which services have which security certifications, and as a customer you can even download the unredacted reports from the independent audit companies.
My favorite is when the online service in question refers to the security certifications held by the cloud provider it uses. This shows me that the company itself doesn't understand much of the topic at all. For example, if your developers all have full admin access to customer data and use simple passwords, then you pretty much violate all the security certifications the underlying cloud platform has. The EU has made a step in the right direction with GDPR, and I'm proud to see that Microsoft offers this to all customers regardless of whether they're located in the EU or not. But when I went through the process just now, I realized it needs to be much easier, and that the blog I've written before is timelier than ever. So, if you have a chance, read it and let me know what you think. I'm seriously considering finding like-minded people to get this started.