Red Flags from Your CSP
As cloud adoption grows rapidly, so does the number of Cloud Service Providers (CSPs). It is important, especially when dealing with sensitive or protected data, to properly evaluate your CSPs. It can be a challenge to assess their security posture without deep investigation, and it can be harder still to understand a CSP's security attitude. Does the CSP share your organization's goals, priorities, and objectives? Do they take the protection of your users' data as seriously as you would? Below we'll discuss some ways to get a sense of the security stance of your Cloud Service Providers.
Whether it's an Infrastructure, Platform or Software as a Service solution, there is always a line between what your organization controls and what the CSP controls. The successful model for security in the cloud is one of shared responsibility. Your CSP's model should be simple and easy to identify; most will have an overview on their website, as CloudMine has done here. The demarcations should be clearly defined, and any questions about those responsibilities should be answered quickly. These roles are important to understand early in the process because some solutions, especially IaaS, place a lot of responsibility on the customer.
Dedicated Security Resources
One way to tell if security is a priority with your CSP is whether they have dedicated security personnel. A strong security program takes resources, and in any company resources need to be prioritized.
If security is not a focus, if it's bundled under another group, or if it's a second or third hat someone wears, it will always take a back seat to other concerns. Hallmarks of a security-focused CSP include: access to time with a security team or expert; the ability to review your CSP's security program and policies; and a clearly identified security role on the leadership team.
BAA is a MINIMUM, Not a Maximum, Control
For healthcare organizations handling PHI, a CSP needs to offer a Business Associate Agreement (BAA). It is an essential part of the HIPAA regulations: it protects your organization and obligates the Business Associate to maintain adequate security controls. Some CSPs will tout their willingness to sign a BAA as proof that they are HIPAA compliant; however, while a BAA is required, it is not proof that the CSP is providing adequate protection. The BAA is a minimum requirement, but it should not be all the CSP offers as assurance of their security controls. Signing one can make the CSP responsible for losses of PHI, but while that is a risk they may be willing to take, is it a risk your organization is prepared to shoulder?
Be Wary of Passthrough Certifications
In every industry there are third-party certifications that demonstrate the effectiveness of an organization. These accreditations, attestations and certifications have become incredibly important in the world of Cloud Service Providers, as they give independent opinions on the claims these companies make. Through a lack of understanding or even deceptive intent, CSPs will sometimes represent themselves through the certifications of their partners. It is important that a CSP's partners are also meeting security standards, so these certifications are not bad in themselves; they are necessary for a CSP to evaluate its own providers. The problem arises when a CSP tries to "pass through" a certification, claiming that because their partner holds it, they also meet that criteria. These third-party assessments have very specific scopes and parameters, and a passthrough certification does not offer the same level of assurance about a CSP's security posture.
Clear Evidence of Best Practices
Many organizations will claim they follow industry best practices, but can your CSP demonstrate that they do? There is no single standard to follow, but there are plenty of ways to verify that the CSP you are entrusting with your sensitive data is taking that responsibility seriously. Third-party certifications, as we discussed above, are great indicators. Your organization should decide which assessments best represent your goals, values and needs, and look for them in your CSP selection. Outside of third-party assessments, look for ways your CSP manifests best practices such as incident response, access control, capacity management, system monitoring and data protection. Ask for policies and procedures, review reports, and talk with process owners. A CSP's comfort with sharing and discussing these items can highlight a culture where security is a priority.
No single item in this list is an automatic "dealbreaker", and there will certainly be cases where the position makes sense for a CSP. But if they are missing, or can't explain their approach for, a few of these, this could be an indication that security is not paramount to their organization.
Do you have questions about this post? Would you like to discuss this topic further with our team? We love to talk about security and compliance! Reach out and request a conversation with our security team.