Businesses increasingly depend on partnerships with cloud computing and external IT service providers to obtain agile, scalable solutions at a reasonable cost. Just as with systems built in-house, success cannot be guaranteed unless there is confidence that the service will be predictable and reliable. Many of the data security risks encountered when working with third-party suppliers are the same ones encountered internally: data stored in the cloud is exposed to external attack, accidental loss and theft by internal staff. Employing encryption alone cannot protect a business from these risks. Risk can be mitigated, and profits protected, through due diligence and by ensuring that cyber security, IT and business staff and the cloud supplier work together as partners.
As high-profile data breaches raise public awareness of data security risks, many IT service providers are seizing the opportunity to differentiate their products and services through security certifications and audits. Popular accreditations include ISO 27001, PCI DSS and SOC 2 audit reports (originally issued under SSAE 16, since superseded by SSAE 18).
The maturity of a supplier's security practices can be gauged from its accreditation; however, accreditation alone does not ensure that adequate security is in place. The audit results must be reviewed to confirm that the scope of the accreditation actually covers the solution being purchased and that it meets the business-defined confidentiality, integrity and availability requirements for the data involved. Many supplier audits and contracts pass security accountabilities back to the customer, and these must be verified so that gaps are addressed. For example, a supplier may make state-of-the-art tools available for secure access, while the customer remains responsible for maintaining the processes that govern how those tools are used. The business must therefore develop its own internal processes to support moving data to the cloud safely. Accreditation does raise confidence in the cloud service provider; at the same time, the business needs to identify and implement its own internal processes and procedures for managing security risk.
Large suppliers of IT services can often achieve a level of security that an individual business cannot. This is due in part to the economies of scale they gain by serving multiple customers and by maintaining skilled security and IT staff as part of their core business. Suppliers that apply security best practices as a normal part of their delivery tend to be the best choice. A mature supplier is transparent about its security accreditations and commitments; Google, for example, publishes its accreditations and auditors' attestations on its website.
The absence of accreditation at a smaller business or start-up (or one still working towards accreditation) does not necessarily imply poor security. The challenge for the business is to determine how to extract business value quickly while still taking the steps necessary to ensure a reliable, secure service. A cyber security professional, applying best practices such as those published by the Cloud Security Alliance, can help assess the supplier and identify which risks to address first.
In the end, an incident damages the reputation of everyone involved. Partnering with the supplier, maintaining open lines of communication, monitoring progress and setting achievable goals benefits all parties. The key to moving data to the cloud safely is ensuring that IT, business, cloud provider and cyber security personnel work as partners towards mutually agreeable solutions.