Tech Providers Should Welcome End Users’ Scrutiny on Security Practices

Cloud Providers Scrutiny On Security Practices

Few cloud users receive an open invitation from their cloud service provider to come audit them. But with new data privacy laws cropping up around the globe that place the end-user of cloud services directly on the hook for any abuse or mishandling of sensitive data, cloud providers need to be prepared for a higher level of scrutiny by their customers and prospects.

Cloud providers should anticipate and welcome this line of questioning. After all, why wouldn’t a provider expect its customers to assess its practices before they make an investment? A growing percentage of enterprises trust the cloud with their most critical and sensitive documents. It stands to reason that when evaluating or renewing services, they want an understanding of the technology and security practices behind the solution where they will store their most valued intellectual property. As companies move more of their data and operations into the cloud, it’s important for them to treat their vendors as an extension of their own organization.

In the perimeter-free business where people work from literally anywhere at any time, risk and compliance challenges no longer stop at traditional organizational boundaries. If a third-party vendor experiences a failure or breach, it’s the customer who must handle damage control. For example, just last month, a Verizon data center outage brought down JetBlue’s electronic systems, causing more than 200 flight delays and shutting down the airline’s website, along with its online booking and check-in systems. While the outage only lasted a matter of hours, JetBlue had to deal with angry and inconvenienced customers.

For businesses that work in highly regulated industries, understanding the security practices of third-party vendors is a requirement. Government regulations such as the Federal Trade Commission’s consumer protection rules or the Gramm-Leach-Bliley Act, as well as international regulations such as the EU General Data Protection Regulation (GDPR), mandate that a company’s risk management policies cover its vendors.

Cloud providers: put out the “Welcome” mat

In the past, it was typical for businesses serving these industries to perform a single on-site audit of their vendors at the beginning of an engagement, and usually only for their most critical provider partners. Others relied instead on a written self-assessment questionnaire completed by the vendor, online or by mail, to uncover gaps in its security policies and practices. The “by mail” questionnaire served mainly to prove that due diligence had been performed.

However, in a world where nearly every industry now has some kind of governance or regulatory requirement, a single on-site audit or a mailed self-assessment may not be enough anymore.

To build up customer confidence and trust, and to put users at ease about compliance with a growing number of data privacy regulations, cloud providers should encourage users to conduct assessments and on-site visits periodically. Invite them to peek behind the curtain and see where their data is stored. Show them the company-wide security policies and how they are enforced. If a customer has a chief privacy officer, make it a priority to communicate with that person and work together on any compliance concerns.

Cloud users: Assessment steps

For cloud end-users who want a better understanding of a cloud provider’s security approach, or are in the process of evaluating potential cloud vendor partners, here are some steps you can take to get started.

Cloud providers: be prepared to respond to these requests as well.

  • Set the record straight. Your cloud vendor should be able to provide you with documentation of all security audit information. This should include SOC 2 reports, certifications, and redacted copies of third-party assessments.
  • Experience matters. Find out what type of data your vendor is used to securing. If you are thinking of storing intellectual property or personally identifiable information in the cloud, working with a vendor with a track record of safely storing that classification of data is crucial.
  • Put it in writing. Ask for the contractual right to audit your vendor – it is your choice whether to exercise it, but a vendor’s refusal to grant it contractually should raise a red flag. Ask how many customers have audited their platform in the past 12 months.
  • Trust, but verify. Ask for a detailed explanation of where your data is physically stored, where it is processed, and who has access to the data. Additionally, your vendor should provide a list of all physical locations where your data has previously been stored. The geography of your data can pose a significant risk to your continuous compliance posture.
  • Ask for a contingency plan. Find out what processes your vendor has in place in the event of a breach or data loss. The key is to fully understand the process before an event happens, not at the time of an incident.

For most end users, it’s impossible to validate every vendor while trying to maintain their own core operations. But as more cloud customers begin to comprehend their increased responsibility for the security of sensitive data, even when in the hands of a trusted partner, expect them to ask more penetrating questions. As a cloud provider, are you ready to give them the answers they need?

By Daren Glenister
