Last month, we offered tips and tricks to help keep your business cloud breach-free.
The lack of a common standard framework for assessing cloud service providers (CSPs), combined with the fact that no two are the same, can sometimes make it difficult to select the appropriate provider for your organization. Let’s take a closer look at the options, tools and documentation involved with choosing a CSP.
Explore your cloud service provider compliance options
Before you’re ready to select a CSP, it’s important to walk through some resources you can use to your benefit when trying to identify a CSP that best suits your business needs.
As a prerequisite, your organization must already have governance and risk management teams, which will define the company policies and set the compliance standards from which you can establish procedures. They will also define what is or isn’t acceptable with regard to risk, and what type of compliance your organization needs. These include but are not limited to: Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Processing Standards (FIPS), and European Network and Information Security Agency (ENISA).
Once those compliance measures are established and you’re ready to start analyzing the different CSP options available, the following tools are available to help you determine which provider is the best fit for your company:
- Cloud Controls Matrix (CCM): The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a tool that allows consumers and providers to think in terms of specific cloud controls mapped to specific regulations and frameworks (e.g., NIST, HIPAA, FIPS and ENISA). The tool, an Excel spreadsheet with 16 control domains and multiple subcategories within them, provides a common set of expectations between provider and consumer.
- CSA’s Security, Trust, Assurance and Risk (STAR) Registry: The STAR registry provides a three-tiered process to evaluate CSPs.
  - CSA STAR Level 1, Self-Assessment: A complimentary offering that documents the security controls provided by various cloud computing offerings, which helps users assess the security of cloud providers they currently use or are considering.
  - CSA STAR Level 2, Third-Party Certification: A rigorous, independent third-party assessment of the security of a cloud service provider.
  - CSA STAR Level 3, Full Cloud Assurance and Transparency: Provides continuous monitoring and enables cloud providers to report monitoring results through an automated process on a monthly basis, building on the self-assessments and third-party attestations and certifications of the lower levels. If your organization operates in a high-risk environment, it is highly recommended to pursue STAR Level 3.
- The Service Organization Control (SOC) 3 Report: SOC 3 is a publicly available summary of the vendor’s SOC 2 report, which outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality, or privacy. The report includes the external auditor’s opinion on the operation of the controls, the assertion from the vendor’s management regarding the effectiveness of the controls, and an overview of the vendor’s infrastructure and services. It is a valuable resource for customers to validate that a vendor has obtained external auditor assurance without going through the process of requesting the full SOC 2 report.
Good news: most of these resources and reports are available on the web. For example, Amazon Web Services (AWS) provides AWS Artifact, an on-demand download of AWS security and compliance documents that includes AWS ISO certifications, as well as Payment Card Industry (PCI) and SOC reports. You can submit these security and compliance documents, also known as audit artifacts, to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services you use.
Evaluate cloud service provider security
It is important to understand what your security goals are, the security measures offered by each provider, and the mechanisms they use to secure your applications and data. In addition, make sure you completely understand the specific areas that each party is responsible for. (See AWS’s Shared Responsibility Model documentation as well as Azure’s and Google’s procedures for security.)
For each vendor you assess, you should also take into consideration what security features are offered as part of their basic free service, which additional paid services are available, and where you might need to supplement with third-party partner technologies.
Luckily, most of the larger CSPs simplify this by listing their security features (free or paid) and partners on the security sections of their websites.
Establish a cloud service provider SLA
Once you have determined which CSPs are the best fit, the next step is to establish service level agreements (SLAs) and contracts. Every company that buys CSP services must either accept a standard SLA from the provider or negotiate such an agreement based on the information we’ve discussed so far. It is paramount that this step be clearly determined at the beginning, as it is the contract and SLA that will set the tone going forward.
It’s the customer’s responsibility to perform due diligence, clarify all security responsibilities, and use SLAs and contracts to define cloud vendor and cloud customer responsibilities.
No organization should commit any mission-critical systems to any CSP without first negotiating an SLA that meets business needs and includes significant consequences in the event the SLAs are not met.
Let one of the many cloud experts at Sirius help you navigate the CSP-selection journey to ensure you choose a provider and strategy best-tailored to your business needs. Learn more about the extensive cloud solution offerings Sirius has today.