Cloud Providers Under Scrutiny on Security Practices
Few cloud users receive an open invitation from their cloud service provider to come audit them. But with new data privacy laws cropping up around the globe that place the end-user of cloud services directly on the hook for any abuse or mishandling of sensitive data, cloud providers need to be prepared for a higher level of scrutiny by their customers and prospects.
Cloud providers should anticipate and welcome this line of questioning. After all, why wouldn’t any company expect its customers to conduct an assessment of its practices before making an investment? A growing percentage of enterprises trust the cloud with their most critical and sensitive documents. It stands to reason that when evaluating or renewing services, they want an understanding of the technology and security practices behind the solution where they will store their most valued intellectual property. As companies move more of their data and operations into the cloud, it’s important for them to consider their vendors an extension of their own organization.
In the perimeter-free business where people work from literally anywhere at any time, risk and compliance challenges no longer stop at traditional organizational boundaries. If a third-party vendor experiences a failure or breach, it’s the customer who must handle damage control. For example, just last month, a Verizon data center outage brought down JetBlue’s electronic systems, causing more than 200 flight delays and shutting down the airline’s website, along with its online booking and check-in systems. While the outage only lasted a matter of hours, JetBlue had to deal with angry and inconvenienced customers.
For businesses that work in highly regulated industries, understanding the security practices of third-party vendors is a requirement. Government regulations such as the Federal Trade Commission consumer protection act or the Gramm-Leach-Bliley Act, as well as international standards such as the EU General Data Protection Regulation (GDPR), mandate that a company’s risk management policies cover its vendors.
Cloud providers: put out the “Welcome” mat
In the past, it was typical for businesses serving these industries to perform one on-site audit of their vendors at the beginning of an engagement, and usually only for their most critical provider partners. Others relied instead on a written self-assessment questionnaire completed by the vendor, online or by mail, to uncover gaps in the vendor’s security policies and practices. The “by mail” questionnaire serves mainly to prove that due diligence was performed.
However, in a world where nearly every industry now has some kind of governance or regulatory requirement, a single on-site audit or a mailed self-assessment may not be enough anymore.
To build up customer confidence and trust, and to put users at ease about compliance with a growing number of data privacy regulations, cloud providers should encourage users to conduct assessments and on-site visits periodically. Invite them to peek behind the curtain and see where their data is stored. Show them the company-wide security policies and how they are enforced. If a customer has a chief privacy officer, make it a priority to communicate with that person and work together on any compliance concerns.
Cloud users: Assessment steps
For cloud end-users who want a better understanding of a cloud provider’s security approach, or are in the process of evaluating potential cloud vendor partners, here are some steps you can take to get started.
Cloud providers: be prepared to respond to these requests as well.
- Set the record straight. Your cloud vendor should be able to provide you with documentation of all security audit information. This should include SOC 2 reports, certifications, and redacted copies of third-party assessments.
- Experience matters. Find out what type of data your vendor is used to securing. If you are thinking of storing intellectual property or personally identifiable information in the cloud, working with a vendor with a track record of safely storing that classification of data is crucial.
- Put it in writing. Ask for the contractual right to audit your vendor – it is your choice whether to actually perform the audit, but a vendor’s refusal to allow this contractually should raise a red flag. Ask how many customers have audited the vendor’s platform in the past 12 months.
- Trust, but verify. Ask for a detailed explanation of where your data is physically stored, where it is processed, and who has access to the data. Additionally, your vendor should provide a list of all physical locations where your data has previously been stored. The geography of your data can pose a significant risk to your continuous compliance posture.
- Ask for a contingency plan. Find out what processes your vendor has in place in the event of a breach or data loss. The key is to fully understand the process before an event happens, not at the time of an incident.
For most end users, it’s impossible to validate every vendor while trying to maintain their own core operations. But as more cloud customers begin to comprehend their increased responsibility for the security of sensitive data, even when in the hands of a trusted partner, expect them to ask more penetrating questions. As a cloud provider, are you ready to give them the answers they need?
By Daren Glenister