What are the best criteria to use to evaluate cloud service providers?
Many cloud providers are tight-lipped about the details of their internal security controls. Learn how to evaluate cloud service providers using certifications and third-party assessments.
Many cloud providers are cautious about how much detail they share about their internal security controls, out of concern that customers, competitors and attackers may use that information against them. This may limit enterprise customers to reviewing only cloud security certifications, third-party assessments or self-assessments when evaluating a cloud service provider's data security qualifications.
What security-relevant information an individual cloud service decides to share depends on many factors. Some mature cloud services have extensive information security programs, while less mature services may still be developing theirs. Some may have an SSAE 16 (Statement on Standards for Attestation Engagements 16) -- since replaced by SSAE 18 -- or ISO 27018 report produced by a third party that audited the security controls in use.
These types of audits give an enterprise a basis for comparison against its own internal controls. They can also reveal whether or not a cloud provider has implemented the necessary security controls. SSAE 16 SOC 2 (System and Organization Controls 2) is an audit report on the security, confidentiality, privacy, availability and processing integrity controls in use.
To evaluate cloud service providers, an enterprise will need to understand the scope of the audit to ensure the services it would like to use were examined in the audit. Because these audits typically happen once per year, new features or services may not be included in the scope of an audit. The third-party aspect of this may be critical to some enterprises so that they can have a higher level of assurance that the security controls were implemented.
An enterprise may request that additional controls be implemented to meet its security requirements as part of the contracting process. But, given the shared nature of cloud services, it may be difficult to get a cloud service provider to implement a new security control for just one customer.
Other cloud services may have assessments or certifications using industry standards, like the Cloud Security Alliance Consensus Assessments Initiative Questionnaire, or ones based on industry-specific assessments, like FedRAMP (Federal Risk and Authorization Management Program) for federal agencies or HECVAT (Higher Education Cloud Vendor Assessment Tool) in higher education. Many sectors have decided to use their own assessments or certifications to help facilitate information sharing and vendor comparisons in their industry.
The most mature cloud service providers may have multiple certifications, assessments and detailed security documentation to share with potential customers. The least mature -- think small startups that are just developing a new product -- may have minimal documentation. In this case, an enterprise customer may need to do a more detailed assessment.
Upon receiving security documentation, an enterprise will need to review it to understand the security aspects in the context of its own intended use and to ensure it implements and configures the service securely.
Regardless of the specific certification, standard, audit or report used to evaluate the cloud service provider, enterprises will need to continually monitor the cloud service over time and ensure the proper security language is in the contract for the service.