Cloud computing has been making waves since it started, and it continues to do so for most industries. Companies therefore have no option but to test the waters and see how they can benefit from this new platform. They can integrate their old systems with the cloud or, if they have full confidence in the platform, decide on a full migration.
CompTIA recently released the results of a study showing that the primary concern of most companies before they consider the cloud is the security the provider offers. However, even with this finding, only a small number of companies actually perform a complete review of their cloud providers' security practices.
Tim Herbert, research vice president at CompTIA, said, “Despite some of the concerns, only 29 percent of the companies in the study said they engage in a heavy or comprehensive review of the cloud service providers’ security practices.”
Charles Weaver, co-founder and president of MSPAlliance, an organization involved in certification and standards implementation for managed service providers (MSPs), said that failing to make a comprehensive review of cloud security could be a huge mistake.
Weaver said, “Our chief concern right now is that we see a lot of new service provider entities who are coming into the scene with almost lax attitudes toward how they construct and deliver services. They appear to be mostly on the cloud side.”
Weaver has also drafted three criteria for companies that are thinking of acquiring cloud services from providers.
The first is “trust,” which applies to both the company and the cloud provider; there must be a high level of mutual trust between the parties for the platform to work well.
“They’ve got to trust them. That comes through an affinity. You have to like the company and the principles and the people you’re going to be working with. It’s a very intimate relationship. There’s got to be a mutual respect and trust to work together,” Weaver said.
The second is “technical expertise” on the part of the cloud provider, which is the foundation of the partnership. This means not just knowledge, but an excellent grasp of how the business operates and how the cloud system works.
“They have to have an understanding of what you’re looking to do and match that up with their technical expertise. If you’re a CIO of a bank and you need to outsource some strategic element of your IT, your MSP needs to understand both banks and whatever it is that you’re going to outsource,” he added.
The last is a “third-party compliance audit,” which is important for striking a balance between the customer and the cloud provider. The auditor does not have to be a government body; a private audit firm that verifies the provider lives up to and delivers on its commitments is sufficient.
“This is a world where you go through more scrutiny and ongoing regulation to cut hair than you do to manage a corporation’s sensitive data and that of your end users,” Weaver said.
Currently, MSPAlliance offers the UCS (Unified Certification Standard) for Cloud and Managed Service Providers. The UCS identifies 11 control objectives that cloud providers must comply with before they are awarded certification. The control objectives are:
Provider planning, organization, governance and risk management – this confirms that the cloud provider has a formal management structure and a clear organizational chart. It should also include a risk management plan and a third-party analysis of services.
Documented policies, guidelines and procedures – these set the rules for employee compliance with standards on training, education and annual review of the procedures.
Change management for services – assessments should be done regularly to ensure that change controls are performed formally and are appropriately documented. This should include configuration protocols and capacity planning principles.
Management of events – with access to a NOC (Network Operations Center) management and monitoring facility, it is easier to keep track of network issues and problems, which speeds up resolution. This helps both provider and client, especially when the problems being tracked are clearly defined in the SLA (service level agreement). A cloud provider must also ensure that efficient customer support and a help desk are in place.
Logical security system – this ensures established policies and procedures for the client information system. There should also be documented policies and procedures covering employees who are no longer part of the company. The provider must ensure documented controls are used to secure the user authentication process for both on-site and off-site access. Additionally, periodic third-party assessments should be used, including policies on assigning administrator IDs.
Change management – changes to implementation policies and information systems, along with the procedures for requesting, approving, logging, accepting and testing changes, must be clearly specified and documented.
Data integrity – providers are responsible for employing efficient security policies and procedures. These policies and procedures are communicated to provider staff periodically, after a thorough review, update and approval.
Environment and physical security system – cloud providers must have clear, documented policies on physical access by IT staff, guests and other applicable parties. Security controls may include on-site security, card keys, CCTV and other control systems. Proper documentation must also be maintained for cases where physical security assessments are done. Data centers and NOCs must have a policy on environmental safeguards to be used in unexpected disruptive incidents, including disaster recovery plans.
SLAs – service level agreements must be in place to assure clients that efficient tracking, controlling and monitoring systems exist.
Reporting and billing – SLAs must specify efficient performance in invoicing, billing and reporting, including verified referencing policies.
Financial strength and stability – providers must be able to show documented reports proving their financial health and stability over at least the last six months. Non-profit providers must present sufficient capital to support their operations.