Risk and compliance challenges no longer stop at traditional organizational boundaries. Government regulations such as the Federal Trade Commission consumer protection act and the Gramm-Leach-Bliley act, as well as international standards such as the EU General Data Protection Regulation (GDPR), mandate that a company’s risk management policies also cover its cloud vendors. Accordingly, when evaluating or renewing cloud services, it’s important to understand the security practices of the service provider that will be storing your critical or sensitive data. For their part, cloud vendors should be prepared for a higher level of scrutiny by their customers and prospects.
Cloud Users: Assessment Steps
As companies move more of their data and operations into the cloud, they should consider their cloud environments as an extension of their own organization. If you want a better understanding of your cloud provider’s security approach, or are in the process of evaluating potential cloud vendor partners, here are some steps you can take to get started.
- Set the record straight. Your cloud vendor should be able to provide you with documentation of all security audit information. This should include SOC II reports, certifications, and redacted copies of third-party assessments. Ensure that assessments are not just self-assessments but include third party reviews also.
- Experience matters. Find out what type of data your vendor is used to securing. If you are thinking of storing intellectual property or personally identifiable information in the cloud, working with a vendor with a track record of safely storing that classification of data is crucial.
- Put it in writing. Ask for contractual capability to perform an audit on your vendor — it is your choice whether to perform the audit, but failure to allow this contractually should raise a red flag. Ask how many customers have audited their platform in the past 12 months.
- Know where your data is. Ask for a detailed explanation of where your data is physically stored, where it is processed, and who has access to it. Additionally, your vendor should provide a list of all physical locations where your data has previously been stored. The geography of your data can pose a significant risk to your continuous compliance posture.
- Ask for a contingency plan. Find out what processes your vendor has in place in the event of a breach or data loss. The key is to fully understand the process before an event happens, not at the time of an incident.
Cloud Providers: Put Out the “Welcome” Mat
In the past, it was typical for businesses to perform one on-site audit of their cloud vendor at the beginning of an engagement, and usually that was only for the most sensitive requirements. Others relied on a written self-assessment questionnaire from their vendor, conducted online or by mail, to uncover gaps in the security policies and practices. The “by mail” questionnaire served to prove that due diligence was performed. However, in a world where nearly every industry now has some kind of governance or regulatory requirement, a single on-site audit or a mailed self-assessment may no longer be enough.
To build customer confidence and trust, and to put them at ease about compliance with a growing number of data privacy regulations, cloud providers should encourage users to conduct assessments and on-site visits periodically. Invite them to peek behind the curtain and see where their data is stored. Show them the company-wide security policies and how they are enforced. If a customer has a chief privacy officer, make it a priority to communicate with that person and work together on any compliance concerns.
Trust but Verify
New data privacy laws cropping up around the globe place customers of cloud services directly on the hook for any abuse or mishandling of sensitive data by their cloud provider. Due diligence means that cloud customers need to understand the security practices of their vendors — not just as a pro forma exercise at the start of the engagement, but on an ongoing basis. Ultimately, you the customer are responsible for verifying your cloud vendors’ security posture.
As more cloud customers begin to comprehend their increased responsibility for the security of sensitive data, cloud providers should expect more penetrating questions from their customers, and be ready to provide the answers they need. If you’re unsure about your cloud provider’s security posture, or if you are a cloud vendor trying to meet the security and privacy needs of your clients, find out how Intralinks can help you make sure you’re in compliance.