Many organizations have now gone so far as to dip their toes into the shallow end of cloud computing, and many more are thinking about testing the waters. Other organizations have jumped into the cloud with both feet. But whether you’re wading in or fully immersed, properly vetting your cloud service providers is essential.
A recent study by IT industry association CompTIA found that even though many organizations are concerned about the security of their data in the cloud, a minority of companies perform a comprehensive review of their cloud service providers before sealing the deal.
“Despite some of the concerns, only 29 percent of the companies in the study said they engage in a heavy or comprehensive review of the cloud service providers’ security practices,” says Tim Herbert, research vice president with CompTIA.
That’s a mistake, says Charles Weaver, co-founder and president of the MSPAlliance, a 15,000-member strong organization that serves as a certification and standards body for managed service providers (MSPs).
“Our chief concern right now is that we see a lot of new service provider entities who are coming into the scene with almost lax attitudes toward how they construct and deliver services,” Weaver says. “They appear to be mostly on the cloud side.”
Weaver explains that these service providers tend to fall into two camps: organizations at the SMB end of the spectrum that market themselves as providers of end-to-end solutions but are actually resellers, or service providers that are unaware of the standards established by MSPs long before the term ‘cloud computing’ was coined.
Weaver says organizations considering a cloud service provider should look for three things:
- Trust. “They’ve got to trust them,” he says. “That comes through an affinity. You have to like the company and the principles and the people you’re going to be working with. It’s a very intimate relationship. There’s got to be a mutual respect and trust to work together.”
- Technical expertise and understanding. The cloud service provider has to be proficient with both its technology and understand your business. “They have to have an understanding of what you’re looking to do and match that up with their technical expertise,” Weaver says. “If you’re a CIO of a bank and you need to outsource some strategic element of your IT, your MSP needs to understand both banks and whatever it is that you’re going to outsource.”
- A third-party compliance audit. Cloud service providers need to be able to show that they can live up to the promises they’re making. “This is a world where you go through more scrutiny and ongoing regulation to cut hair than you do to manage a corporation’s sensitive data and that of your end users,” Weaver says. While he doesn’t believe more government oversight would be helpful in the cloud services space, he does believe organizations should verify their providers’ capabilities with an audit.
So what should you expect in an audit? The MSPAlliance offers the Unified Certification Standard (UCS) for Cloud and Managed Service Providers. It looks for a service provider to comply with 11 control objectives before issuing the certification. Organizations can use the UCS control objectives as a guide to what they should know about a provider. The control objectives are as follows:
- Provider organization, governance, planning and risk management. The provider has to demonstrate that it has a formal management structure, with organizational charts, risk assessment policies, formalized processes for analyzing third-party service providers and vendors, and an organizational structure that provides for adequate segregation of duties.
- Documented policies and procedures. The provider has to demonstrate documented policies and procedures that are reviewed and updated annually. Employees must be required to attest and sign that they understand and adhere to the policies and procedures, and new employees must undergo a formalized training methodology to educate and test on the standards.
- Service change management. The provider must have service change management documentation under formalized change controls. MSPAlliance suggests the documentation include, if applicable, capacity planning and modification to provider and client configurations. The certification also requires that client change management policies are documented based on the level of services delivered to the client by the provider.
- Event management. The provider must have access to a Network Operations Center (NOC) adequately staffed with trained personnel capable of providing the monitoring and management necessary to identify and resolve problems or incidents covered by the service level agreement (SLA) between the provider and the client. Additionally, the provider must be able to demonstrate the existence of a problem management system that includes a help desk and ticketing platform integrated with its monitoring/management system. Also, the provider has to be able to show that it periodically conducts internal reviews of its incident reports.
- Logical security. User access to the provider’s and client’s information systems and data must be granted based on established policies and procedures, and reassigned or terminated employees must have their access revoked based on established and documented policies and procedures. The provider has to show documented controls for user authentication to information systems and data, including password policies and upper management review. The controls have to exist for both internal and remote access. Additionally, the provider has to have a documented policy for administrator IDs, while vendor and third-party access policies are documented and subject to upper management review. This applies to both physical access to operations and data centers as well as information systems and data. Additionally, the provider must have third-party assessments of provider or client information systems.
- Change management. The certification requires that the provider demonstrate it has documented and formalized change management policies and procedures for making changes to information systems, including a formal process for requesting, logging, approval, testing and acceptance of changes prior to implementation. The provider must also show that emergency changes are under a formal review process.
- Data integrity. The provider has to show that it has sufficient information security policies and procedures that are operating effectively. The policies and procedures must be reviewed, updated, approved and communicated to the provider’s personnel annually. This includes data backup and retention policies.
- Physical and environmental security. The provider must have documented policies governing physical access to its IT assets, including visitor/guest logs at applicable facilities. It also has to show security controls at each facility, including card key, CCTV, on-site security and other effective security controls. The provider has to show documented controls governing the access to provider and client facilities of terminated employees and those changing positions. The provider must show documented policies for physical access to co-location hardware maintained in its facilities, and it must perform physical security assessments at each facility annually, including tracking and resolution of any and all issues identified during the assessments. Additionally, its NOC and data centers must be protected from disruptive events using environmental safeguards that are serviced and tested by maintenance contracts. The NOC must have effective redundancies for both connectivity and power, including a documented disaster recovery/business continuity plan.
- Service level agreements. The provider must be able to show that it uses signed SLAs with its clients and that sufficient controls exist to track and monitor services provided to clients. The controls must also track modifications to the client’s setup within the provider’s systems.
- Client reporting, billing and satisfaction. The provider must be able to show that it makes performance reports available to clients in accordance with signed SLAs, including invoices. Also, the provider must have verified references.
- Financial health. The provider must be able to show that it is in a stable and healthy financial position, with demonstrated profitability for a minimum of six previous months, or it must show sufficient capital to prove stability in the absence of profitability. It must also show a sufficient distribution of its revenues across multiple clients.
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.