Few cloud users receive an open invitation from their cloud service provider to come audit them. But with new data privacy laws cropping up around the globe that place the end-user of cloud services directly on the hook for any abuse or mishandling of sensitive data, cloud providers need to be prepared for a higher level of scrutiny by their customers and prospects.
Cloud providers should anticipate and welcome this line of questioning. After all, why wouldn’t a provider expect its customers to assess its practices before they make an investment? A growing percentage of enterprises trust the cloud with their most critical and sensitive documents. It stands to reason that when evaluating or renewing services, they want an understanding of the technology and security practices behind the solution where they will store their most valued intellectual property. As companies move more of their data and operations into the cloud, it’s important for them to treat their vendors as an extension of their own organization.
In a perimeter-free business world where people work from literally anywhere at any time, risk and compliance challenges no longer stop at traditional organizational boundaries. If a third-party vendor experiences a failure or breach, it’s the customer who must handle damage control. For example, just last month, a Verizon data center outage brought down JetBlue’s electronic systems, causing more than 200 flight delays and shutting down the airline’s website, along with its online booking and check-in systems. While the outage lasted only a matter of hours, it was JetBlue, not Verizon, that had to deal with angry and inconvenienced customers.
For businesses that work in highly regulated industries, understanding the security practices of third-party vendors is a requirement. U.S. laws such as the Federal Trade Commission Act or the Gramm-Leach-Bliley Act, as well as the EU General Data Protection Regulation (GDPR), require that a company’s risk management policies cover its vendors and the data it entrusts to them.
In the past, it was typical for businesses serving these industries to perform a single on-site audit of a vendor at the beginning of an engagement, and usually only for their most critical provider partners. For other vendors they relied on a written self-assessment questionnaire, completed by the vendor online or by mail, to uncover gaps in security policies and practices. In practice, the questionnaire often serves mainly to document that due diligence was performed.
However, in a world where nearly every industry now has some kind of governance or regulatory requirement, a single on-site audit or a mailed self-assessment may not be enough anymore.
To build up customer confidence and trust, and to put users at ease about compliance with a growing number of data privacy regulations, cloud providers should encourage users to conduct assessments and on-site visits periodically. Invite them to peek behind the curtain and see where their data is stored. Show them the company-wide security policies and how they are enforced. If a customer has a chief privacy officer, make it a priority to communicate with that person and work together on any compliance concerns.
For cloud end-users who want a better understanding of a cloud provider’s security approach, or are in the process of evaluating potential cloud vendor partners, here are some steps you can take to get started.
Cloud providers: be prepared to respond to these requests as well.
For most end users, it’s impossible to validate every vendor while trying to maintain their own core operations. But as more cloud customers begin to comprehend their increased responsibility for the security of sensitive data, even when in the hands of a trusted partner, expect them to ask more penetrating questions. As a cloud provider, are you ready to give them the answers they need?
By Daren Glenister