If your organization relied on you to research and recommend the cloud service provider best able to protect your company’s information, with the most effective tools, strategies and methodologies to thwart the many ongoing threats to that security, how would you arrive at that recommendation?
Based on readers’ inquiries and comments, this question is a common one. For most companies, answering it would require contacting each potential provider to gain access to independent audits and security assessments, possibly after signing a nondisclosure agreement. The process could quickly become onerous: a company considering a handful of cloud vendors would have to request this kind of security information from each potential vendor, translate their internal documents into a common language, and then compare the security specifications of each vendor against the others.
According to a recent article by Robert Lemos, some assistance with that vetting process now seems to be available. Mr. Lemos writes about the Cloud Security Alliance (CSA), which recently launched the Security, Trust and Assurance Registry (STAR) to give potential cloud customers a central database from which they can compare providers’ security assertions. As part of the requirements, participating providers submit their answers to a self-assessment questionnaire, attesting to the security controls and monitoring that they have put in place to protect customer data.
In the article, Lemos states that, “…last year, a Ponemon Institute study found that 69 percent of providers placed the responsibility for security with their customers, while only 35 percent of customers believed they needed to worry about data security. Yet most cloud service providers will not allow most clients to audit their security because they cannot accommodate a large number of such requests.”
However you interpret the findings of that survey, no one should question the importance of controls and security in any offering by any cloud service provider.
Click here to read Mr. Lemos’ full article.
Click here to go to the CSA website to learn more about this new Security, Trust and Assurance Registry (STAR).
If applicable, please pass this information along to those information security professionals and risk management team members in your organization.