How do you communicate the security of a service like Questionmark OnDemand? I find the concept of a castle useful in explaining security. Back in medieval days, people stored safe things – their “crown jewels” – inside a castle to protect them. And today, websites that store confidential information need to set up a “castle in the cloud” to protect data.
Let’s look at a castle’s defences: hard defences such as walls moats — and soft defences such as the guards who man the watch towers and entry points:
How do a castle’s hard and soft defences translate into defences for software-as-a-service in the Cloud?
A castle has a moat and layers of walls. Questionmark OnDemand has firewalls, and it is tiered so data moves from presentation tier to business tier to data tier to protect the data.
And a castle has watch towers. Questionmark OnDemand has intrusion detection: automatic systems that keep watch for inappropriate traffic.
A castle also has limited entry points. Questionmark OnDemand has limited entry points, too, and it only lets certain types of Internet traffic come in, for example all browser traffic has to use a sufficient level of HTTPS.
A castle is only strong if it has alert guards to protect it. In the medieval world, you needed trained guards on duty 24/7 in case of intruders. You also needed to carefully check identity and authorization in case someone came in to steal the crown jewels by deceit.
Similarly, in a service like Questionmark OnDemand, we have authentication and authorization systems. We also have people behind the scenes who are trained to detect security risks. For instance, everyone at Questionmark is trained on data security and has to take and pass a data security test each year.
I hope the castle analogy amuses and informs. But of course, the real point is that your assessment data is well protected in our castle.