Cloud security for SaaS translation providers

We don’t have to go far to find someone affected by, and justly concerned with, the ongoing news blitz surrounding Edward Snowden’s security leaks. From those of us worried about our stored customer account information on consumer websites to multibillion dollar enterprise organizations worried about exposed sensitive data, the notion of cloud-based data security is on a lot of minds lately. At the same time, the lure of cloud computing — stemming from ease of management and scalability — has resulted in more than 90% of all organizations at least discussing cloud use in 2013, up from 75% one year prior, according to a survey by Symantec.

Of course, in the language services industry we’re handling extremely sensitive and confidential client data every day. We are responsible for countless gigabytes of it in various forms: translation memory (TM) files, terminology bases and mountains of source content including proprietary information. This places the language services vendor that offers cloud-based software as a service (SaaS) front and center in the discussion around cloud security.

One of the most important areas we address with clients is how secure our data storage and systems infrastructure are, both cloud-based and physical storage. Enterprise organizations expect the same level of sophistication that their own operations run on. At the same time, we have to acknowledge today’s increasingly common attitude of circumspection around cloud-hosted data.

Even though cloud security seems to have made its way into the common consciousness, companies that are seeking translation management system technologies don’t always think to address the issue when comparing vendors. For that reason, it’s valuable to point out the steps that the more tech-forward language service providers are taking to ensure reliable cloud-based translation technology.


Security concerns can lead to lost clients

Whether or not a company can trust a vendor to protect its sensitive data from prying eyes can make or break a business relationship. We recently had a situation in which an enterprise-level organization came to us, reeling from a previous vendor’s lack of system security. The company learned belatedly that the language service provider (LSP) had been storing clients’ TMs on a public file transfer protocol site. This led to all of the LSP’s clients having access to one another’s TMs. As just about anyone would agree, sharing intellectual property doesn’t exactly lend itself to gaining a competitive edge.

Naturally, our early talks with this company included how to make sure that this kind of unintentional data sharing never happens again. This frustrating and alarming experience led to the decision to pack up and move on. Not all translation service providers with cloud-accessible software follow the same standards, but many do abide by common best practices. From a client perspective, it’s critical to find out as much as possible about a potential vendor’s security system. After all, no one wants to be in the position of realizing too late that his or her data has been compromised.

Thus, it’s always a good idea to ask as many questions as possible when evaluating a vendor’s translation technology, especially regarding how it’s hosted. Many people are turned off initially by the term “cloud-based.” Because the phrase appears in countless news articles and gets tossed around with abandon, the actual meaning and distinctions within it can sometimes become lost or hazy. Some might assume files are just floating out in the internet ether, unprotected and exposed. This isn’t necessarily true, and vendors are taking some security measures to guard against the data sharing liability I mentioned before.

A translation vendor with cloud-based software doesn’t do itself any favors by not offering industry-standard 128-bit encryption for data transfers between itself and the client. However, it’s pretty rare for companies not to take this commonplace precaution. Encrypting data in transit is a way to prevent unauthorized interception during the file transfer process. While this may seem like common knowledge, and even a given that a translation company has this in place, not every translation buyer knows to ask about it.

Saying a system is accessible from just about anywhere sounds very appealing. But the initial feeling of intrigue can turn into wariness if a potential client views that from the perspective of vulnerability (“does that mean anyone can tap into it from anywhere in the world?”). This is where controls and credentials come into play.

Accessibility isn’t worth very much on its own without the ability to control who accesses what. Role-based accounts provide greater security because they serve as a gateway for everyone who might touch the translation process, from linguists to project managers. Each system user is set up with a profile that lays out what he or she can see within a translation management system, for instance.

In the coming months, we will likely see heightened sophistication with how much these role-based accounts can be fine-tuned. Some providers of cloud-based workflow technologies are working on getting more detailed with who can access what information once logged in to the system — such as translation project requestors in a given department only having access to certain types of projects.
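
The following is an added example, not code from this article or from any vendor's product. It sketches a deny-by-default access check that combines the role-based profiles and department-scoped requestors described above with the per-client isolation that was missing in the shared-TM incident. The role names, permission strings and field names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role-to-permission map; names are assumptions for illustration.
ROLE_PERMISSIONS = {
    "linguist": {"project:read", "tm:read"},
    "project_manager": {"project:read", "project:write", "tm:read", "tm:write"},
    "requestor": {"project:read", "project:create"},
}
# Roles whose project visibility is additionally limited to their own department.
DEPARTMENT_SCOPED_ROLES = {"requestor"}


@dataclass(frozen=True)
class User:
    name: str
    client_id: str      # client organization (tenant) the account belongs to
    role: str
    department: str = ""


@dataclass(frozen=True)
class Resource:
    kind: str           # "project" or "tm"
    client_id: str      # client organization that owns the resource
    department: str = ""


def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """Deny by default: every check must pass before access is granted."""
    # 1. Client isolation: one client never sees another client's TMs or projects.
    if user.client_id != resource.client_id:
        return False
    # 2. Role check: an unknown role resolves to an empty permission set.
    if f"{resource.kind}:{action}" not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    # 3. Department scoping for roles restricted to their own unit.
    if user.role in DEPARTMENT_SCOPED_ROLES and resource.kind == "project":
        return bool(user.department) and user.department == resource.department
    return True


# Constructed sample data.
acme_tm = Resource("tm", "acme")
acme_legal_project = Resource("project", "acme", "legal")
linguist = User("lin", "acme", "linguist")
rival_pm = User("pat", "globex", "project_manager")
marketing_requestor = User("rae", "acme", "requestor", "marketing")
```

The client check runs first, so even a highly privileged role at one client cannot read another client's translation memory.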

One change we may see in particular is authenticator integration with other systems. In effect, it allows a user of another system to log in to a translation management system using his or her credentials for, say, the user’s organization’s intranet authenticator. The main benefit of this kind of login compatibility is that users don’t have to remember another password, in addition to the sheer convenience of it.

While not every translation buyer may request it, another important way for a vendor to demonstrate data security is by offering up its cloud-based system for hacking. It’s considered a best practice for companies in our industry to put this on the table. Either the translation buyer or a third party can attempt to physically hack the system, the results of which can quickly determine whether it’s up to the organization’s standards. One of our clients asked to do this when they were first getting familiar with our solution and found that our security infrastructure even exceeded their own.

It’s also a wise practice for a SaaS vendor to have a third party perform penetration testing. We do this every year as a matter of course. The external company tries to figuratively scale the walls of our tools and break into our internal systems from the outside. During the process, they check for any vulnerabilities that require attention. For a potential client, it can be valuable to have access to these reports, which spell out exactly how the third-party company conducted the tests and how it arrived at its results.

Frequent data backups also lend an extra measure of security — and reassurance — for any companies that might be leery about cloud computing. While this is also standard across service providers, some clients may not be aware of the frequency of data backups and plans in place in the event that any security breaches or power losses occur. Daily information backups, both onsite and offsite, in addition to having another cloud-based server to push data onto, help ensure that client information won’t be subject to loss or theft. These are things we often educate buyers about if they have reservations about how the data is stored and protected online and offline.


Bringing cloud security down to earth

Does it take a veritable fortress of impermeability to ensure that client data won’t be compromised? Absolutely not. While cloud accessibility may seem inherently risky, we in the language services industry do have capabilities to lock down data, however it’s accessed and stored. I believe we will begin seeing even more sophisticated measures to strengthen the virtual gatekeeper for cloud-based systems, especially as investment in IT and software engineering increases.