A misconfigured cloud app can leak your customer lists, invoices, bank details, or employee information to anyone on the internet—often without you knowing. A manufacturing firm in Pune lost ₹12 lakhs when a shared Google Sheet with supplier payment details was accidentally made 'public' and attackers added fraudulent payment instructions. Your GST records, customer PAN details, or salary information accidentally exposed can also trigger penalties from tax authorities or loss of customer trust, directly costing revenue and reputation.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You use cloud apps (Gmail, online accounting tools) with default passwords or shared login credentials that multiple people use. You've never checked who has access to what, and sensitive files are sometimes shared via public links. |
| Initial | You have unique passwords for cloud apps and store them in a document or notebook. You occasionally check who has access, but there's no formal process, and you haven't disabled public sharing on sensitive folders. |
| Developing | You use a password manager, enforce unique passwords, and have a basic list of who should have access to which apps. You've turned off public sharing in most cloud apps, but backup and disaster recovery settings haven't been reviewed. |
| Defined | You have documented cloud app access rules and do quarterly reviews of who has access. Multi-factor authentication (MFA) is enabled on critical apps like email and accounting software, and sharing settings are regularly audited. |
| Managed | You have a formal cloud security policy covering all applications, automatic alerts when suspicious logins occur, and role-based access (e.g., accountant sees financials, salesperson sees CRM only). Backups are tested quarterly and security logs are reviewed monthly. |
| Optimised | You have a centralised identity and access system (like Microsoft Entra or Okta), automated enforcement of security policies across all cloud apps, regular penetration testing of cloud configurations, and a documented incident response plan specific to cloud data breaches. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Change all cloud app passwords to unique, strong passwords (12+ characters, mix of letters, numbers, symbols). Document them securely in a password manager like Bitwarden (free) or 1Password. Create a simple list of who uses which app. | Business owner or IT person | 1-2 days |
| 1 → 2 | Audit sharing settings in Google Drive, Dropbox, OneDrive, and your CRM—disable 'Anyone with the link' sharing and switch to 'Specific people' only. Document the access rules in a spreadsheet (who accesses what app and why). Turn off public sharing on all sensitive folders. | IT person or nominated staff member | 3-5 days |
| 2 → 3 | Enable Multi-Factor Authentication (MFA) on email, accounting software, and CRM using authenticator apps (Google Authenticator, Authy—free) or SMS codes. Document the MFA rollout and create a backup codes register. Schedule quarterly access reviews as a calendar reminder. | IT person with support from business owner | 1-2 weeks |
| 3 → 4 | Create a written Cloud Security Policy covering password standards, access approval process, MFA requirements, data classification (public/confidential), and backup frequency. Set up automated alerts in cloud apps for unusual login activity. Implement activity logging reviews monthly. | IT person or external consultant, approved by business owner | 2-4 weeks |
| 4 → 5 | Implement centralized identity management (federated login) if using multiple apps, conduct annual third-party security assessments of cloud configurations, establish a formal incident response playbook for cloud data breaches, and automate compliance reporting. | IT manager or managed service provider (MSP) | Ongoing quarterly reviews and annual assessments |
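The 1 → 2 step above (find every file shared with "anyone with the link" and switch it to named people) is tedious to do by hand once a Drive has a few thousand files. The script below is an added example, not part of this guide or of any vendor's tooling: it works over permission records in the shape the Google Drive v3 API returns, ranks the public ones by risk (editable or search-discoverable files first) and produces the list of permissions to delete. The sample files are constructed; the `service` object and the `permissions().delete` / `files().list` calls are the standard Drive v3 client calls and are assumed to be wired to an authorised `googleapiclient` client when run for real.

```python
"""Audit and revoke 'anyone with the link' sharing on Google Drive files.

Added example (not from the guide). SAMPLE_FILES is constructed to match
the shape of Drive v3 `files.list` output with
fields="files(id,name,permissions(id,type,role,allowFileDiscovery))".
A real run would fetch it with (assumption: `service` is an authorised client):
    service.files().list(
        q="visibility = 'anyoneWithLink' or visibility = 'anyoneCanFind'",
        fields="files(id,name,permissions)", pageSize=1000).execute()["files"]
"""
from typing import Iterable, List

# Constructed sample: what a listing for a small firm might return.
SAMPLE_FILES = [
    {"id": "f1", "name": "Supplier payments FY24",
     "permissions": [
         {"id": "p1", "type": "user", "role": "owner"},
         {"id": "p2", "type": "anyone", "role": "writer"},          # public AND editable
     ]},
    {"id": "f2", "name": "Customer list",
     "permissions": [
         {"id": "p3", "type": "user", "role": "owner"},
         {"id": "p4", "type": "anyone", "role": "reader",
          "allowFileDiscovery": True},                              # searchable by anyone
     ]},
    {"id": "f3", "name": "Office holiday list",
     "permissions": [
         {"id": "p5", "type": "user", "role": "owner"},
         {"id": "p6", "type": "domain", "role": "reader", "domain": "example.com"},
     ]},
]

EDIT_ROLES = {"writer", "fileOrganizer", "organizer"}


def public_permissions(file: dict) -> List[dict]:
    """Permissions of type 'anyone' expose the file to the whole internet."""
    return [p for p in file.get("permissions", []) if p.get("type") == "anyone"]


def audit_public_sharing(files: Iterable[dict]) -> List[dict]:
    """One finding per public permission, highest risk first.

    risk 3: anyone can edit (attackers can alter payment details, as in the
            Pune incident); risk 1: anyone with the link can read;
            +1 if the file is also discoverable by search.
    """
    findings = []
    for f in files:
        for p in public_permissions(f):
            risk = 3 if p.get("role") in EDIT_ROLES else 1
            if p.get("allowFileDiscovery"):
                risk += 1
            findings.append({
                "file_id": f["id"], "name": f["name"],
                "permission_id": p["id"], "role": p.get("role"),
                "discoverable": bool(p.get("allowFileDiscovery")), "risk": risk,
            })
    findings.sort(key=lambda x: -x["risk"])   # stable: ties keep listing order
    return findings


def revoke_public_permissions(service, findings: List[dict], dry_run: bool = True) -> list:
    """Delete each public permission; returns (file_id, permission_id) pairs handled.

    With dry_run=True nothing is changed, which is the mode to run first and
    attach to the access-review record. `service` is only used when dry_run=False.
    """
    acted = []
    for fnd in findings:
        if not dry_run:
            service.permissions().delete(
                fileId=fnd["file_id"], permissionId=fnd["permission_id"]).execute()
        acted.append((fnd["file_id"], fnd["permission_id"]))
    return acted


if __name__ == "__main__":
    for fnd in audit_public_sharing(SAMPLE_FILES):
        print(f"risk {fnd['risk']}: {fnd['name']} ({fnd['role']}, "
              f"discoverable={fnd['discoverable']})")
    print("would revoke:", revoke_public_permissions(None, audit_public_sharing(SAMPLE_FILES)))
```

Run it in dry-run mode first and keep the output as the dated audit evidence; only after the business owner has confirmed which files genuinely need public links (a product brochure, say) should the revocation pass be run.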
Documents and records that prove your maturity level.
- Password policy document or password manager export showing all cloud app credentials are unique and strong
- Access control list (spreadsheet or document) showing which user has access to which cloud app and the business reason
- Cloud app audit report or screenshots showing MFA is enabled, public sharing is disabled, and access reviews are dated
- Backup and disaster recovery test report or log showing cloud data has been restored successfully at least once
- Cloud security incident log or security settings audit checklist signed off by management in the last 12 months
Prepare for these questions from customers or third-party reviewers.
- "Can you show me your access control list for cloud applications and confirm when it was last reviewed?"
- "Is Multi-Factor Authentication (MFA) enabled on all critical cloud apps, particularly email and accounting software? Show me the settings."
- "How do you prevent accidental public sharing of sensitive data in Google Drive, Dropbox, or OneDrive? Show me the sharing settings."
- "If a cloud account was hacked tomorrow, how would you know? Do you monitor login activity and have alerts set up?"
- "Do you have a tested backup of your cloud data (especially accounting records and customer information) and proof it can be restored?"
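The fourth question ("if a cloud account was hacked tomorrow, how would you know?") is answered in practice by reviewing login activity. Google Workspace, Microsoft 365 and Zoho all let you export login audit logs as CSV; the script below is an added example, not from this guide, that runs three simple checks over such an export: a burst of failed logins, a successful login from a country the user has never logged in from, and a successful login outside business hours. The log lines and the per-user country baseline are constructed, with timestamps assumed to be in local (IST) time so no timezone handling is needed; real exports have more columns and the column names will differ by vendor.

```python
"""Flag suspicious cloud logins in an exported login audit log.

Added example, not from the guide. SAMPLE_LOG is constructed and loosely
modelled on a login-audit CSV export; column names are assumptions.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

SAMPLE_LOG = """timestamp,user,event,ip,country
2024-03-04T09:12:00,accounts@example.com,login_success,103.21.58.10,IN
2024-03-04T09:30:00,sales@example.com,login_success,49.36.12.4,IN
2024-03-04T22:41:00,accounts@example.com,login_failure,185.220.101.7,DE
2024-03-04T22:41:30,accounts@example.com,login_failure,185.220.101.7,DE
2024-03-04T22:42:10,accounts@example.com,login_failure,185.220.101.7,DE
2024-03-04T22:43:05,accounts@example.com,login_failure,185.220.101.7,DE
2024-03-04T22:43:40,accounts@example.com,login_failure,185.220.101.7,DE
2024-03-04T22:44:15,accounts@example.com,login_success,185.220.101.7,DE
2024-03-05T10:05:00,sales@example.com,login_success,49.36.12.4,IN
"""

# Constructed baseline: countries each user normally logs in from (in practice,
# build it from the previous 30-90 days of successful logins).
KNOWN_COUNTRIES = {"accounts@example.com": {"IN"}, "sales@example.com": {"IN"}}

FAIL_THRESHOLD = 5                 # failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window => password guessing
BUSINESS_HOURS = range(8, 20)      # 08:00-19:59 local time


def parse_log(text: str) -> list:
    """Parse the CSV export into dicts with a datetime 'ts', oldest first."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["timestamp"])
        rows.append(r)
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect(rows: list, known_countries: dict) -> list:
    """Return (kind, user, timestamp, detail) alerts for the checks described above."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures in window
    for r in rows:
        u, ts = r["user"], r["ts"]
        if r["event"] == "login_failure":
            q = recent_failures[u]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:      # fires once when the threshold is reached
                alerts.append(("burst_failures", u, ts, r["ip"]))
        elif r["event"] == "login_success":
            if r["country"] not in known_countries.get(u, set()):
                alerts.append(("new_country", u, ts, r["country"]))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours", u, ts, r["ip"]))
            q = recent_failures[u]
            if q and ts - q[-1] <= FAIL_WINDOW:   # success right after a burst: likely a guessed password
                alerts.append(("success_after_failures", u, ts, r["ip"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts, detail in detect(parse_log(SAMPLE_LOG), KNOWN_COUNTRIES):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:24} {user} {detail}")
```

On the constructed log every alert lands on the accounts mailbox: five failures from a German IP late at night, followed by a success from the same IP. That last combination (success_after_failures together with new_country) is the one worth paging someone for, because it matches a guessed or phished password on an account without MFA; the off_hours check alone is noisy and is better used to confirm the others than to alert on its own.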
| Purpose | Free Option | Paid Option |
|---|---|---|
| Secure password storage and management for all cloud app logins | Bitwarden, KeePass (self-hosted) | 1Password (₹5,000–8,000/year per user), Dashlane (₹4,000–6,000/year per user) |
| Enable Multi-Factor Authentication (MFA) without relying on SMS alone | Google Authenticator, Authy, Microsoft Authenticator (all free) | Cisco Duo (₹300–500/user/year for MSME tier) |
| Monitor cloud app login activity and detect suspicious access | Built-in security alerts in Google Workspace, Microsoft 365, Zoho (included in subscriptions) | Varonis (₹5,00,000+/year—large enterprises only), Microsoft Defender for Cloud Apps (₹3,000–5,000/user/year) |
| Cloud security configuration audit and compliance scanning | Google Cloud Security Command Center (GCP customers), AWS Security Hub (AWS customers) | CloudSploit, Prowler (open-source with paid managed versions ₹1,00,000+/year) |
| Backup and disaster recovery for cloud data | Built-in versioning in Google Drive, OneDrive; Backblaze B2 (₹200–400/month for unlimited storage) | Veeam (₹50,000–2,00,000/year depending on scale), Acronis (₹15,000–50,000/year for MSME) |
- Sharing cloud app login credentials (Gmail, QuickBooks, Zoho) among multiple people instead of creating individual accounts—makes it impossible to audit who did what and creates security risks when employees leave
- Leaving default sharing settings enabled so files are accidentally made 'viewable by anyone with the link' or 'public'—common with Google Sheets containing customer lists, invoice details, or bank information
- Not enabling MFA because staff say 'it's inconvenient'—one compromised password (especially email) gives attackers access to everything; MFA takes 5 seconds after setup and is non-negotiable for financial or CRM apps
- Relying only on vendor-provided security without understanding your responsibility—cloud vendors secure the infrastructure, but you must secure your account settings, access, and configurations
- No backup of critical cloud data—assuming cloud providers guarantee data won't be lost or deleted; ransomware can encrypt cloud files, and accidental deletions can't be recovered without backups
- Not reviewing who has access for months or years—former employees, contractors, or family members may still have login credentials or active access
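The first and last mistakes in this list (shared logins, and access never reviewed) are both caught by the same quarterly check: compare the access control list the guide asks you to keep against the current staff roster. The script below is an added example, not from this guide; both CSVs are constructed. It flags accounts belonging to people no longer on the active roster, flags generic mailboxes that several people are likely to share, and lists who holds admin rights on each app so that the number of admins can be questioned during the review.

```python
"""Quarterly cloud-app access review: orphaned users, shared logins, admin sprawl.

Added example, not from the guide. ACCESS_LIST and STAFF_ROSTER are constructed;
in practice export them from the access spreadsheet and the HR system.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed: the "who accesses what app and why" spreadsheet.
ACCESS_LIST = """user,app,role,reason
ravi@example.com,Tally Prime,admin,Accountant
meera@example.com,Zoho CRM,user,Sales
suresh@example.com,Google Drive,editor,Contractor (project ended)
office@example.com,Gmail,user,Front-desk mailbox used by reception staff
anita@example.com,Zoho CRM,admin,Sales manager
"""

# Constructed: HR roster of current people.
STAFF_ROSTER = """email,status
ravi@example.com,active
meera@example.com,active
anita@example.com,active
suresh@example.com,left
"""

# Assumption: generic mailbox prefixes that usually mean a login shared by several people.
SHARED_ACCOUNT_PREFIXES = ("office@", "info@", "admin@", "accounts@", "sales@")
ADMIN_ROLES = {"admin", "owner", "superadmin"}


def load(text: str) -> list:
    return list(csv.DictReader(StringIO(text)))


def review_access(access_rows: list, roster_rows: list):
    """Return (findings, admins_per_app).

    findings: (kind, user, app) tuples, kind in {"orphaned", "shared_account"}.
    admins_per_app: app -> list of users holding an admin-level role.
    """
    active = {r["email"].strip().lower() for r in roster_rows if r["status"] == "active"}
    findings = []
    admins_per_app = defaultdict(list)
    for r in access_rows:
        user, app = r["user"].strip().lower(), r["app"]
        if user not in active:
            findings.append(("orphaned", user, app))          # not a current employee
        if user.startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append(("shared_account", user, app))    # cannot attribute actions to a person
        if r["role"].strip().lower() in ADMIN_ROLES:
            admins_per_app[app].append(user)
    return findings, dict(admins_per_app)


if __name__ == "__main__":
    findings, admins = review_access(load(ACCESS_LIST), load(STAFF_ROSTER))
    for kind, user, app in findings:
        print(f"{kind:15} {user:22} {app}")
    for app, users in admins.items():
        print(f"admins on {app}: {', '.join(users)}")
```

Each "orphaned" line is an account to disable the same day; each "shared_account" line is a login to replace with individual accounts (or, for a genuine front-desk mailbox, to convert to a delegated/shared mailbox that named users access with their own credentials). Print the output, date it, have the business owner sign it, and file it as the access-review evidence listed earlier.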
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (consent and fair processing), Section 10 (purpose limitation), Section 11 (data minimization), Section 35 (accountability and reasonable security measures for personal data) |
| CERT-In Guidelines 2022 | Access Control: implement principle of least privilege, multi-factor authentication; Cloud Security: enforce encryption in transit and at rest, audit logging |
| ISO 27001:2022 | A.5.15 (access control), A.8.2 (user endpoint devices), A.8.3 (identifier management), A.9.2 (user access management), A.9.4 (access rights review) |
| NIST CSF 2.0 | Govern (GV.RO: risk oversight), Protect (PR.AC: access control; PR.AT: awareness and training), Detect (DE.CM: monitoring and detection) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.