Look Before You Leap
Cloud security is not a cure-all. Ambiguity in cloud service agreements can leave gaps in security defenses. If you are planning to move your systems and data to the cloud, let us point out a few things you need to understand before you sign that cloud service agreement.
Understand the Implications
- Moving business systems and data to the cloud means you no longer have direct control over all issues that affect security.
- Detection, reporting and management of security breaches may be relegated to the cloud provider, but any fallout still affects your customers.
- If cloud servers hosting customer data are located in multiple locations, it may be difficult to know where customer data resides, and which jurisdictions and regulators apply.
- Shared use of cloud storage, memory and other resources can create a higher risk than dedicated hardware. A flaw in one client’s application could allow an attacker to access the data of other clients as well.
Before moving your IT systems, applications, and regulated or sensitive data to the cloud, talk to us about a cloud security assessment to minimize your risks. The assessment includes:
- A thorough security risk assessment of the cloud hosting infrastructure
- A complete list of SIG LITE or CAIQ gaps identified for the cloud security provider
- A prioritized list of security and compliance gaps, defined as “Critical”, “Major”, or “Minor”
- A review and assessment of the cloud service provider’s contract/agreement as it pertains to regulatory compliance, security, and privacy
- A gap remediation plan providing a level-of-effort and cost-magnitude estimate for remediation, a timeline, and a resource allocation based on your organization’s risk appetite
Can You Answer These Questions?
Has your cloud service provider obtained a previous SSAE 16 SOC 1 and SOC 2, ISO, and/or other data center certifications and attestations?
Have you performed a cloud security assessment using either the Shared Assessments or Cloud Security Alliance assessment tools?
Are you interested in procuring a private cloud or public cloud solution that provides IaaS, PaaS, or SaaS solutions? If yes – what kind of security controls do you require?
Will you be hosting regulated data or sensitive data within the cloud? If yes – what specific security controls and incident response capabilities are required?