There is a lot of confusion about how to treat Cloud providers from a vendor due diligence, or compliance assessment perspective. I’m not sure why, they are just another service provider. The Cloud, in and of itself, adds nothing.
My thoughts on The Cloud are not a secret; Don’t Get Me Started On ‘The Cloud’, but it needn’t be all negative.
So you have – or you want to – outsource/d some aspect of your business function, usually an ancillary part, unless your business is almost entirely white labeled (like in e-commerce for example), and must therefore ensure that the service provider treats your data and/or systems the same way (or better) than you do.
In theory, the only reason you would not be able to measure your service/cloud provider against a defined standard, is if you don’t have one. You have one, right? That, by itself, precludes your compliance with ANY standard or accepted good practice.
All too often the real issue is that organisations are trying to outsource their problems (PCI compliance for example), and not focusing on their business needs in general. While you can outsource almost every business function you can never outsource responsibility. You can even outsource some of the liability (cyber-insurance for example), but it’s your name that will be dragged through the mud if things go wrong.
It bears repeating; You can NEVER outsource, or in any way deflect, the responsibility for the protection of the data you control.
The way to look at this is to see all 3rd parties / vendors as just a different department of your organisation. You should have THAT kind of control, and it’s up to you to ensure that they are meeting their commitments. Service Levels Agreements (SLAs) are a difficult concept, especially for Cloud providers, but that should not your problem, it’s should be theirs.
Here’s a lengthy but good article from IBM on SLAs; Best Practices to Develop SLAs for Cloud Computing
They may have just chosen to jump on the cloud bandwagon, and see this as a way to multiply their client base using the same, or retro-fitted, infrastructure (you need built for purpose). Calling it a cloud service is, in this case, another phrase for smoke and mirrors. However, there are some excellent cloud/service providers out there, and you will know them by the way in which they answer, or in some cases entirely pre-empt, your concerns. They will:
- come to you with detail about how they will manage your systems / apps etc, and this will almost certainly support your policies or compliance. Ideally the services will be independently certified as compliant (against PCI for example, and if relevant).
- have no problem incorporating your policies or regulatory reporting needs into their service. They may already exceed yours in this respect if they follow the concept of go-with-what’s-hardest-and-everything-else-is-covered.
- have various levels of SLA already defined from which to choose. Be VERY wary of any cloud / service provider who has no pre-defined SLAs.
- have a seamless way for you to measure them against the SLAs. The old misquoted cliche; You can’t manage what you can’t measure, while irritating, is completely appropriate here.
- be able to assist, or train you, to find everything you need during a compliance assessment. YOU must be able to answer your auditors/assessors questions, you can’t just point at your vendor.
If you don’t have a vendor due diligence program, you need to get one. If you don’t have a set of defined policies and business need SLAs, get them. And if you don’t know how to go about any of this, ask someone who does!
Just like in Top 10 Roadblocks to PCI Compliance, not knowing how to do something is not an excuse, there are quite literally hundred of experts who can help you.
[If you liked this article, please share! Want more like it, subscribe!]