The evolution of the cloud over the last 10+ years has forced organizations to adapt to new cybersecurity practices or risk sacrificing the safety of their data. Customers run into trouble selecting the right cloud vendor because their organizations fail to ask the right questions, both of the cloud vendor and of themselves.

Unfortunately, too many organizations, emboldened by the misconception that compliance equals security, are throwing caution to the wind in hopes of cashing in on the cost-savings benefits of a third party. But when that too-good-to-be-true cloud vendor is revealed to be just that, organizations are left to deal with the fallout. And when the fallout affects an organization’s compliant status, well, it can get messy.

That’s why the pragmatic, and, in my opinion, correct approach is to self-assess before bringing in a third party that may impact your compliance attestation. This self-reflection will help you identify issues before they are potentially magnified by the presence of a third party, and it will surface any areas in which the vendor under-delivers or doesn’t address at all (i.e., the shared responsibility model).

Cloud Vendor Management Best Practices

Important aspects to address before approaching a cloud vendor include:

  • Considering that you won’t be able to fully outsource your compliance responsibilities
  • Clearly identifying the compliance requirements you’re subject to
  • Determining the controls you’re looking to have a third party cover: make a list
  • Thoroughly understanding your own security controls environment: know what your organization already has in place. Refer to external audit reports, if they exist, as well as your internal security policies and procedures.
  • Researching the market to identify those companies whose services most closely match your needs
  • Creating a question matrix (or using an industry-standard one such as the Shared Assessments SIG/SIG Lite or the Cloud Security Alliance’s CAIQ or CCM) that you can use to evaluate and compare the vendors you select
  • Requesting relevant external audit reports (PCI, SOC 2, HITRUST, ISO 27001, etc.) that attest to the security controls each vendor is providing. Review the reports and clearly understand the scope that was audited.
  • Asking that each vendor provide documentation on how their solution assists you in meeting your specific compliance requirements. Don’t assume what they will do and don’t just take their marketing materials as fact.

Self-Discovery in the Cloud

This evolving relationship requires each party to understand its role. Establishing a detailed matrix that clearly outlines the shared responsibility between cloud vendor and consumer can have an astounding impact on easing some of the pain points of embracing the cloud.