Tech Providers Should Welcome End Users’ Scrutiny on Security Practices


Few cloud users receive an open invitation from their cloud service provider to come audit them. But with new data privacy laws cropping up around the globe that place the end-user of cloud services directly on the hook for any abuse or mishandling of sensitive data, cloud providers need to be prepared for a higher level of scrutiny by their customers and prospects.

Cloud providers should anticipate and welcome this line of questioning. After all, why wouldn’t a provider expect its customers to assess its practices before they make an investment? A growing percentage of enterprises trust the cloud with their most critical and sensitive documents. It stands to reason that when evaluating or renewing services, they want an understanding of the technology and security practices behind the solution where they will store their most valued intellectual property. As companies move more of their data and operations into the cloud, it’s important for them to consider their vendors an extension of their own organization.

In the perimeter-free business where people work from literally anywhere at any time, risk and compliance challenges no longer stop at traditional organizational boundaries. If a third-party vendor experiences a failure or breach, it’s the customer who must handle damage control. For example, just last month, a Verizon data center outage brought down JetBlue’s electronic systems, causing more than 200 flight delays and shutting down the airline’s website, along with its online booking and check-in systems. While the outage only lasted a matter of hours, JetBlue had to deal with angry and inconvenienced customers.

For businesses that work in highly regulated industries, understanding the security practices of third-party vendors is a requirement. Government regulations such as the Federal Trade Commission Act’s consumer protection provisions or the Gramm-Leach-Bliley Act, as well as international regulations such as the EU General Data Protection Regulation (GDPR), mandate that a company’s risk management policies cover vendors.

Cloud providers: put out the “Welcome” mat

In the past, it was typical for businesses serving these industries to perform one on-site audit of their vendors at the beginning of an engagement, and usually that was only for their most critical provider partners. Others relied instead on a written self-assessment questionnaire from their vendor, conducted online or by mail, to uncover gaps in the security policies and practices. The “by mail” questionnaire serves to prove that due diligence was performed.

However, in a world where nearly every industry now has some kind of governance or regulatory requirement, a single on-site audit or a mailed self-assessment may not be enough anymore.

To build up customer confidence and trust, and to put users at ease about compliance with a growing number of data privacy regulations, cloud providers should encourage users to conduct assessments and on-site visits periodically. Invite them to peek behind the curtain and see where their data is stored. Show them the company-wide security policies and how they are enforced. If a customer has a chief privacy officer, make it a priority to communicate with that person and work together on any compliance concerns.

Cloud users: Assessment steps

For cloud end-users who want a better understanding of a cloud provider’s security approach, or are in the process of evaluating potential cloud vendor partners, here are some steps you can take to get started.

Cloud providers: be prepared to respond to these requests as well.

  • Set the record straight. Your cloud vendor should be able to provide you with documentation of all security audit information. This should include SOC 2 reports, certifications, and redacted copies of third-party assessments.
  • Experience matters. Find out what type of data your vendor is used to securing. If you are thinking of storing intellectual property or personally identifiable information in the cloud, working with a vendor with a track record of safely storing that classification of data is crucial.
  • Put it in writing. Ask for the contractual right to audit your vendor. It is your choice whether to exercise that right, but a vendor’s refusal to grant it contractually should raise a red flag. Ask how many customers have audited their platform in the past 12 months.
  • Trust, but verify. Ask for a detailed explanation of where your data is physically stored, where it is processed, and who has access to the data. Additionally, your vendor should provide a list of all physical locations where your data has previously been stored. The geography of your data can pose a significant risk to your continuous compliance posture.
  • Ask for a contingency plan. Find out what processes your vendor has in place in the event of a breach or data loss. The key is to fully understand the process before an event happens, not at the time of an incident.

For most end users, it’s impossible to validate every vendor while trying to maintain their own core operations. But as more cloud customers begin to comprehend their increased responsibility for the security of sensitive data, even when in the hands of a trusted partner, expect them to ask more penetrating questions. As a cloud provider, are you ready to give them the answers they need?

By Daren Glenister
