Why now is the time to evaluate your cloud service providers
Nov 08, 2018
The demand for cloud computing is growing at a considerable pace and alongside this the number of companies providing cloud services - Cloud Service Providers (CSPs) - is growing even faster.
The cloud landscape has drastically changed and adoption is widespread throughout most organisations. According to a report published in February 2018, the average number of cloud services per enterprise is 1,181. It is now time for organisations to take stock and evaluate their providers and how they are using them.
This is no small task. There is often a lack of formal procedures for evaluating CSPs, and the number of providers within an enterprise often exacerbates this issue. As with so many things, one size does not fit all - a single process to evaluate multiple CSPs often doesn’t yield the desired result. Everything needs to start with understanding what you are trying to achieve and why.
So what steps should be taken?
- Implement a cloud policy – According to Gartner, by 2020, a corporate "no-cloud" policy will be as rare as a "no-internet" policy is today. Organisations should implement a formal cloud policy that includes how cloud services can be procured, the services that can be used and a tier-based system for CSPs.
- Categorise your CSPs – Firstly, apply the 80:20 rule - this will help organisations to focus on the critical applications, which sit in the 20% bucket. Categorising CSPs as Tier 1, 2 and 3 will place emphasis on the most important ones and therefore the effort that should be spent on evaluation. Tier 1 could be a small number of well-established, market leading CSPs who invest significant amounts on security and resilience. Tier 2 could be mid-size providers, lacking the sophistication and reliability of Tier 1 but providing key services. Tier 3 might be small providers of non-critical services.
- Set a baseline security standard – You need to set a baseline security standard for each tier in the tier system and then apply it appropriately. This should take into account the security posture of the CSP and the security functionality available to its customers. The use of cloud access security brokers (CASBs) can help prioritise CSPs and arrive at a suitable standard for each tier.
- Establish tier-based evaluation methods – Many organisations develop CSP assessment frameworks based on what matters most to them, using a risk-focused approach. There are a number of security standards and internationally recognised frameworks which can be used to help evaluate CSPs:
  - Self-assessment questionnaire
  - ISO 27001 (information security)
  - ISO 27017 (security of public cloud services)
  - ISO 27018 (PII in public cloud)
  - Cloud Controls Matrix (CCM)
  - CSA Security, Trust & Assurance Registry (STAR)
  - Independent assurance reports (e.g. SOC 1 and SOC 2).
Depending on the nature of the service, the criticality of the service to the organisation and the tier in which a CSP resides, one or more of the above evaluation techniques may be used. For example, if it’s a critical service, an independent assurance report will give more comfort than a self-assessment or an ISO certification. It is worth considering that a CSP may have been evaluated, but the platform on which its service is hosted may not have been. Managing "fourth-party" risk is a growing area of concern, especially for regulated businesses.
- Regularly review CSPs – Implement a review programme to ensure that CSPs are delivering on their promises. Taking full advantage of an evaluation model requires organisational discipline and visibility into cloud usage patterns. Those who follow that discipline will apply different levels of control rigour to different cloud services, including applying technology to prevent sensitive data from being uploaded to cloud applications that are not approved for it.
Cloud is here to stay and the number of CSPs is not going to reduce anytime soon. Organisations adopting these technologies need to stay ahead and deliver rich customer experiences to compete successfully. They also need to understand the balance between risk and reward. Having an effective evaluation framework, and adhering to it, will go a long way to keeping that balance.