When trying to find what is actually helpful for my business, I would prefer a cloud application. It would have to be fast, simple to use and easy to understand. From tasks being assigned to team members to documents being uploaded and archived, I would focus on a supplier who guarantees a cloud service. But I would ensure that the cloud service meets the following minimum technical requirements:
- Hardening of the system.
- Patch management.
- 2-factor authentication.
- End-to-end encryption, at least AES-256 (standard). What matters is that the encryption is terminated at the physical system where the data is being processed and that no intermediate system (like a proxy) decrypts the data. Only then can we speak of end-to-end encryption.
- Hard drive encryption at the storage location. Never forget that, theoretically, one can simply steal the hard drive, as not every provider has a high-security environment available. In short: data on the hard disk has to be encrypted.
- Monitoring and logging in accordance with legal requirements. In addition, it is there to determine whether you have been hacked and, if so, how you were hacked.
- High password complexity. What counts as high password complexity? We think 8 characters are sufficient, but only in connection with 2-factor authentication.
- Role-based access. This is a basic requirement in a corporate environment, but not necessary for a single user.
- Least privilege principle. Usually an issue in larger corporate environments. Example: the functionality of assigning tasks to another user. The prerequisite is that real users can search for other real users. They need a special right to be able to do this, which would actually go against the least privilege principle. Nevertheless, the least privilege principle is a must.

Elif Levin
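The last two points of the list above, role-based access and the "special right" to search for other users when assigning tasks, can be reconciled in code. The following is an added example, not code from the original post or from any particular cloud product: a deny-by-default role check in which the user-search right exists only on roles that assign tasks, and the search itself is scoped to the caller's own team and returns nothing but display names. The role names, permission strings, `User` record and the in-memory directory are all hypothetical.

```python
"""Added example (not from the original post): a minimal role-based access
check that grants the right to search for other users only as far as task
assignment needs it. Roles, permission names and the in-memory user
directory are hypothetical; a real product would back them with a database."""
from dataclasses import dataclass

# Hypothetical permissions. 'user.search' is the special right mentioned in
# the post: it is granted only to roles that may assign tasks, and the search
# function below limits what it reveals even to those roles.
ROLE_PERMISSIONS = {
    "viewer": {"task.read"},
    "member": {"task.read", "task.update_own"},
    "lead": {"task.read", "task.update_own", "task.assign", "user.search"},
    "admin": {"task.read", "task.update_own", "task.assign", "user.search",
              "user.manage"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    team: str


class PermissionDenied(Exception):
    pass


def has_permission(user, perm):
    # Deny by default: an unknown or misspelled role carries no rights at all.
    return perm in ROLE_PERMISSIONS.get(user.role, set())


def require(user, perm):
    if not has_permission(user, perm):
        raise PermissionDenied(f"{user.name} ({user.role}) lacks {perm}")


def search_users(caller, directory, query):
    """Least-privilege user search: needs 'user.search', is limited to the
    caller's own team, and exposes only display names (never roles/teams)."""
    require(caller, "user.search")
    q = query.lower()
    return sorted(u.name for u in directory
                  if u.team == caller.team and q in u.name.lower())


def assign_task(caller, directory, task, assignee_name):
    """Assign a task. The assignee must be reachable through the scoped
    search, so a lead cannot assign work to someone outside their team."""
    require(caller, "task.assign")
    if assignee_name not in search_users(caller, directory, assignee_name):
        raise PermissionDenied(f"{caller.name} cannot assign to {assignee_name}")
    task = dict(task)
    task["assignee"] = assignee_name
    return task


# Constructed sample directory (hypothetical names, roles and teams).
DIRECTORY = [
    User("alice", "lead", "sales"),
    User("bob", "member", "sales"),
    User("carol", "member", "engineering"),
]

if __name__ == "__main__":
    alice, bob = DIRECTORY[0], DIRECTORY[1]
    print(assign_task(alice, DIRECTORY, {"id": 1, "title": "Quarterly report"}, "bob"))
    for caller, target in ((bob, "alice"), (alice, "carol")):
        try:
            assign_task(caller, DIRECTORY, {"id": 2}, target)
        except PermissionDenied as exc:
            print("denied:", exc)
```

Run as a script it assigns one task successfully and prints two denials: a member who lacks `task.assign`, and a lead trying to assign to someone outside their own team, who is invisible to the scoped search even though the lead holds `user.search`.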