If your company relies upon third-party cloud providers to support or deliver core services, or to protect sensitive data, it’s crucial to understand that cloud security is a shared responsibility. As one global company puts it, providers are responsible for security “of” the cloud and customers are responsible for security “in” the cloud. With that in mind, here are three questions companies should consider before outsourcing.
1. Is the provider’s security suited for our purpose?
Companies should determine their data and security requirements and then review the cloud provider’s website for a compliance page. In addition to touting ISO or SOC certifications, many cloud services describe their voluntary compliance with standards that directly apply to their customers, even when those standards do not otherwise apply to the provider itself (HIPAA, PCI-DSS and Europe’s GDPR are typical examples).
2. Does the provider’s advertised security cover the services our company will use?
A provider might highlight having adopted stringent security controls, but fail to express whether they exist for each offering and across all data centers. The question then remains whether your procurement team signed up for the best-in-class treatment (if desired) and, if so, whether the provider is bound to maintain that level of security throughout the life of the contract.
3. Is our company able to assess and address its shared responsibilities?
Unfortunately, many customers confuse their cloud provider’s compliance with their own. Just because your cloud provider is certified does not mean that your use of that service meets the same standard. By way of analogy, consider a hotel with a guard in the lobby, room safes and free Wi-Fi. You decide whom to let into your room, whether to lock your room and secure your valuables, and whether to use a VPN over their wireless network.
In cloud environments, remote providers are responsible for all aspects of physical security and, when offering Platform as a Service (PaaS) or Software as a Service (SaaS), they also are exclusively responsible for implementing proper network controls and maintaining the host infrastructure. On the other hand, in the absence of a fully managed security service, examples of customer responsibilities include data classification, client-side encryption, data loss prevention and, at a minimum, client-side endpoint detection. Meanwhile, providers and customers alike have Identity and Access Management responsibilities (to include account provisioning and implementing role-based access, multi-factor authentication and logging). Although SaaS models ensure the provider takes care of the applications, the same is not true of PaaS solutions where users and providers alike often shape application deployment and their accompanying controls. Finally, customers accept far greater responsibilities when procuring Infrastructure as a Service.
In sum, although moving to the cloud can significantly reduce a company’s security and workforce burdens and exposures, a fundamental principle for managing cloud vendor risk is to understand the differences between (1) when a provider is looking after itself, (2) when a provider is looking after you and (3) when you’re on your own.