According to the IDG Enterprise Cloud Computing Survey (2016), 70 percent of businesses had at least one application operating in the cloud, with another 16 percent planning to follow in the next year. With such a high percentage of businesses using cloud resources, we can likewise expect threat actors to increasingly target business data hosted by cloud vendors. So if your data is stored in the cloud, how do you protect it? Or, in other words, how do you know that your vendor’s cloud security includes the proper controls to protect your data?
What will I put in the cloud?
Before you can answer whether or not a vendor’s cloud security includes sufficient controls for your data, you need to first understand the level of security your data requires. You need to identify the type of information the vendor will be storing for your organization. Are you moving highly sensitive customer data into the cloud? What about personal employee information? The scrutiny that you give to your cloud vendor will depend largely on what they will be storing for your organization; the more sensitive the data, the more thorough your vendor review needs to be in terms of cloud security.
Once you have determined the type of data that you will be storing in the cloud, the next step is to review the vendor’s cloud security controls.
Evaluating a Cloud Vendor
The easiest way to review the security posture of a cloud vendor is to determine if they are compliant with any current security frameworks. Typically, cloud vendors are proud of their security compliance and will advertise it freely. For example, RSM’s Private Cloud infrastructure annually completes the AICPA SOC2 Type II report and openly markets this on our website. Be cautious about a cloud vendor who is hesitant to describe the security controls in place to protect your data.
There are several security standards available that help you understand the controls already established at the cloud vendor without having to review each control yourself. Some common security standards with which a cloud vendor could be compliant are PCI DSS, NIST 800-53, CSA STAR, or the AICPA SOC, to name a few. Typically, a vendor will be happy to provide a copy of their report or compliance letter upon request. However, while these frameworks make it easier to review a vendor's security posture, it is still the client's responsibility to perform the review. Preferably, this review would occur prior to engagement of the vendor and annually thereafter. Keep in mind that certain reports show compliance or non-compliance with all of the controls in the security standard (e.g. PCI DSS), while other reports detail how well an organization performed against identified controls during an audit period (e.g. AICPA SOC). Think pass or fail versus a letter grade. Because of this variation, it is important that you understand the report you are reviewing and can identify management action plans to address any exceptions.
When performing a risk assessment for a cloud vendor, consider using a template such as the Consensus Assessments Initiative Questionnaire (CAIQ) provided by the Cloud Security Alliance. This free questionnaire is exhaustive and will help guide the discussion with a cloud vendor by providing pertinent questions you can ask about their security controls. As we discussed earlier, the depth to which you perform this review will depend on the type of data you are storing with the cloud vendor.
Finally, after you have performed a sufficient review and selected a cloud vendor, it is important to document responsibilities. Certain cloud vendors will provide a clear delineation of responsibilities within the contract, but others will not. It is up to the client to ensure that responsibilities are understood and agreed upon. For example, what are the notification requirements for the vendor if they discover a security incident that might affect your data? Whom do you notify if you suspect a breach?
Navigating cloud security controls and responsibilities can be tricky, unless you take the time to think it through and document it. If current trends related to cloud usage are indicative of future trends, businesses will continue to move into the cloud, which could mean more attacks against cloud hosting providers. It is vital that your organization determine the level of security that your data requires and which cloud providers can provide it.