February 9, 2016

Tech Providers Should Welcome End Users’ Scrutiny on Security Practices

By Daren Glenister


Few cloud users receive an open invitation from their cloud service provider to come audit them. But with new data privacy laws cropping up around the globe that place the end-user of cloud services directly on the hook for any abuse or mishandling of sensitive data, cloud providers need to be prepared for a higher level of scrutiny by their customers and prospects.

Cloud providers should anticipate and welcome this line of questioning. After all, why wouldn’t any company expect its customers to assess its practices before making an investment? A growing percentage of enterprises trust the cloud with their most critical and sensitive documents. It stands to reason that when evaluating or renewing services, they want an understanding of the technology and security practices behind the solution where they will store their most valued intellectual property. As companies move more of their data and operations into the cloud, it’s important for them to consider their vendors an extension of their own organization.

In the perimeter-free business where people work from literally anywhere at any time, risk and compliance challenges no longer stop at traditional organizational boundaries. If a third-party vendor experiences a failure or breach, it’s the customer who must handle damage control. For example, just last month, a Verizon data center outage brought down JetBlue’s electronic systems, causing more than 200 flight delays and shutting down the airline’s website, along with its online booking and check-in systems. While the outage only lasted a matter of hours, JetBlue had to deal with angry and inconvenienced customers.

For businesses that work in highly regulated industries, understanding the security practices of third-party vendors is a requirement. Government regulations such as the Federal Trade Commission consumer protection act or the Gramm-Leach-Bliley Act, as well as international standards such as the EU General Data Protection Regulation (GDPR), mandate that a company’s risk management policies cover its vendors.

Cloud providers: put out the “Welcome” mat

In the past, it was typical for businesses serving these industries to perform one on-site audit of their vendors at the beginning of an engagement, and usually that was only for their most critical provider partners. Others relied instead on a written self-assessment questionnaire from their vendor, conducted online or by mail, to uncover gaps in the security policies and practices. The “by mail” questionnaire serves to prove that due diligence was performed.

However, in a world where nearly every industry now has some kind of governance or regulatory requirement, a single on-site audit or a mailed self-assessment may not be enough anymore.

To build up customer confidence and trust, and to put users at ease about compliance with a growing number of data privacy regulations, cloud providers should encourage users to conduct assessments and on-site visits periodically. Invite them to peek behind the curtain and see where their data is stored. Show them the company-wide security policies and how they are enforced. If a customer has a chief privacy officer, make it a priority to communicate with that person and work together on any compliance concerns.

Cloud users: Assessment steps

For cloud end-users who want a better understanding of a cloud provider’s security approach, or are in the process of evaluating potential cloud vendor partners, here are some steps you can take to get started.

Cloud providers: be prepared to respond to these requests as well.

  • Set the record straight. Your cloud vendor should be able to provide you with documentation of all security audit information. This should include SOC 2 reports, certifications, and redacted copies of third-party assessments.
  • Experience matters. Find out what type of data your vendor is used to securing. If you are thinking of storing intellectual property or personally identifiable information in the cloud, working with a vendor with a track record of safely storing that classification of data is crucial.
  • Put it in writing. Ask for the contractual right to audit your vendor. It is your choice whether to actually perform the audit, but a vendor’s refusal to allow it contractually should raise a red flag. Ask how many customers have audited their platform in the past 12 months.
  • Trust, but verify. Ask for a detailed explanation of where your data is physically stored, where it is processed, and who has access to the data. Additionally, your vendor should provide a list of all physical locations where your data has previously been stored. The geography of your data can pose a significant risk to your continuous compliance posture.
  • Ask for a contingency plan. Find out what processes your vendor has in place in the event of a breach or data loss. The key is to fully understand the process before an event happens, not at the time of an incident.

For most end users, it’s impossible to validate every vendor while trying to maintain their own core operations. But as more cloud customers begin to comprehend their increased responsibility for the security of sensitive data, even when in the hands of a trusted partner, expect them to ask more penetrating questions. As a cloud provider, are you ready to give them the answers they need?

Daren Glenister

Daren is the Field Chief Technology Officer for Intralinks. Daren serves as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements.

Glenister brings more than 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many Fortune 1000 companies to turn business challenges into real-world solutions.
