Get the basics on ensuring data and systems are safe
If you think that once you put your data and systems in the cloud, the provider keeps them tight and secure right out of the box, we have bad news for you. Cloud providers work on a shared responsibility model: the provider secures the underlying infrastructure, but a substantial share of configuring, reviewing and maintaining security stays with you, and that share grows as you move from SaaS to PaaS to IaaS. Buying the most secure and expensive package available does not change this. It’s critical to know exactly which responsibilities are yours and to meet them, especially when you have customers who have contracted with you to keep their data safe.
The security that you may be responsible for can include:
- Customer data you store in the provider’s services
- Data in transit to and from the cloud
- Turning on encryption, at rest and in transit
- Any applications you choose to bring into the environment, and how they are configured
- Access and identity management (users, roles, permissions, multi-factor authentication)
- Vulnerability scanning and patching of the operating systems and software you control
Even if you have ample controls in place, you must review them regularly because things change: applications get added to the cloud, employees join and leave, and permissions are granted and rarely revoked. That’s why regular and consistent cloud auditing is essential to keeping your cloud data and systems safe. The following is a basic overview of what you need to know.
Effective audits start with the right cloud provider
Ensuring you have the security you need starts with selecting a cloud services provider appropriate for your company’s needs. For example, a business with U.S. federal government clients will generally need a provider holding a FedRAMP authorization, which requires assessment by an accredited third-party assessment organization (3PAO) against an extensive set of access-control and other requirements. For organizations in other industries, the expense of a cloud service provider built to that level of security would be overkill. If the return on investment with your current cloud provider isn’t working out, it’s likely the wrong one for you.
You also need to dive deep into the technical specifications and their implications. For instance, you wouldn’t want to mistakenly select a cloud service provider thinking they offer business continuity, which keeps critical services running without interruption, when in reality they offer disaster recovery, which only restores your data and systems within a contracted recovery time objective (RTO) and recovery point objective (RPO). If you have customers relying on that service, it’s imperative that you know exactly what services you contracted for and what you need to do to maintain them.
A few basic questions to ask include:
- What kind of data do your customers need to secure in the cloud?
- What kind of data security does your organization require in the cloud?
- Do your customers require your company to be certified for compliance with certain regulations? (If so, the cloud provider should hold attestations covering at least the controls you need to inherit from it, and should make those audit reports available to you.)
- What level of security do you want your company to be responsible for versus the cloud provider?
- What do the provider’s other customers say about their security processes, and how easy or difficult is it to work with them?
The answers to these questions can help guide you to a cloud services provider that not only meets your and your customers’ security needs but can work effectively with you to audit and maintain those security controls regularly.
Establish ownership for cloud auditing
It’s also key to assign responsibility for cloud security auditing tasks that fall on your organization and to verify that they are being completed. You can assign individuals or teams internally or hire a consultant to perform them. Then, use a checklist to make sure everyone understands what team, group or company owns each control. When the audit is required for security certification, attestation or authorization, it’s essential that information be documented and crystal clear.
You should also document how to verify that each control is configured correctly and how to fix it if it is not. There are too many stories of customers who put their data in the cloud and experienced a breach because they didn’t know they hadn’t finished the configuration, hadn’t encrypted something, or had hired a firm in another country that left access open when it was done. It’s your duty to check controls on your end, review the audit reports and attestations the provider makes available, and follow up on any incidents until they are closed.
In short, as the cloud service customer, it is your responsibility to ensure that all controls are put in place, they are being set correctly on both sides, and that you review and document them.
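The checklist described above, with an owner and a documented fix for each control, is most useful when the checks themselves run automatically, so that configuration drift surfaces between formal audits. The following is an added example, not code from the original article or from BPM, of such a control-as-code check covering the encryption, public-access and identity controls listed earlier. The inventory it audits is a constructed sample in a simplified shape; in practice it would be populated from the provider’s APIs (for AWS, for instance, boto3’s get_bucket_encryption, get_public_access_block and get_bucket_policy). The bucket names, policy names, team owners and the break-glass exception list are all hypothetical.

```python
"""Control-as-code checks for a cloud storage and IAM inventory.

Added example, not from the original article. INVENTORY is a constructed
sample in a simplified, hypothetical shape; CHECKLIST maps each control
to its (hypothetical) owner and documented remediation.
"""
from dataclasses import dataclass

# Constructed sample inventory (hypothetical names and shape).
INVENTORY = {
    "buckets": [
        {   # correctly configured bucket
            "name": "customer-records",
            "default_encryption": "aws:kms",
            "public_access_block": True,
            "policy": {"Statement": [
                {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                 "Resource": "arn:aws:s3:::customer-records/*",
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
        },
        {   # bucket someone created and never finished configuring
            "name": "marketing-assets",
            "default_encryption": None,
            "public_access_block": False,
            "policy": None,
        },
    ],
    "iam_policies": [
        {"name": "AdminRole-policy", "attached_to": ["AdminRole"],
         "document": {"Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "ContractorAccess", "attached_to": ["vendor-user"],
         "document": {"Statement": [
             {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}]}},
        {"name": "AppReadOnly", "attached_to": ["app-role"],
         "document": {"Statement": [
             {"Effect": "Allow", "Action": ["s3:GetObject"],
              "Resource": "arn:aws:s3:::customer-records/*"}]}},
    ],
}

# Control id -> (owning team, documented fix). Owners are hypothetical.
CHECKLIST = {
    "ENC-AT-REST": ("Platform team", "Enable default bucket encryption (SSE-KMS)."),
    "ENC-IN-TRANSIT": ("Platform team", "Add a bucket policy denying requests with aws:SecureTransport=false."),
    "NO-PUBLIC-ACCESS": ("Platform team", "Enable the bucket public access block."),
    "LEAST-PRIVILEGE": ("IAM owner", "Replace wildcard Allow with specific actions and resources."),
}

# Principals allowed to hold wildcard grants (documented break-glass exceptions).
ALLOWED_WILDCARD_PRINCIPALS = {"AdminRole"}


@dataclass
class Finding:
    control: str
    resource: str
    detail: str
    owner: str = ""
    remediation: str = ""


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _statements(doc):
    return _as_list(doc.get("Statement", [])) if doc else []


def requires_tls(policy):
    """True if a Deny statement rejects non-TLS requests (aws:SecureTransport=false)."""
    for st in _statements(policy):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def wildcard_grants(doc):
    """Allow statements granting '*' or a service-wide '<svc>:*' on Resource '*'."""
    hits = []
    for st in _statements(doc):
        if st.get("Effect") != "Allow":
            continue
        broad = [a for a in _as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
        if broad and "*" in _as_list(st.get("Resource", [])):
            hits.extend(broad)
    return hits


def audit(inv):
    """Evaluate every control in CHECKLIST and attach owner and fix to each finding."""
    findings = []
    for b in inv["buckets"]:
        if not b.get("default_encryption"):
            findings.append(Finding("ENC-AT-REST", b["name"], "no default encryption"))
        if not b.get("public_access_block"):
            findings.append(Finding("NO-PUBLIC-ACCESS", b["name"], "public access block disabled"))
        if not requires_tls(b.get("policy")):
            findings.append(Finding("ENC-IN-TRANSIT", b["name"], "non-TLS requests not denied"))
    for p in inv["iam_policies"]:
        broad = wildcard_grants(p["document"])
        exempt = set(p["attached_to"]) <= ALLOWED_WILDCARD_PRINCIPALS
        if broad and not exempt:
            findings.append(Finding("LEAST-PRIVILEGE", p["name"],
                                    f"wildcard grant {broad} attached to {p['attached_to']}"))
    for f in findings:
        f.owner, f.remediation = CHECKLIST[f.control]
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.control:16} {f.resource:20} {f.detail} -> {f.owner}: {f.remediation}")
```

Run against the sample, the correctly configured bucket and the read-only application role produce no findings, the unfinished bucket fails all three storage controls, and the contractor policy is flagged while the documented admin exception is not. Each finding already carries the owner to route it to and the fix to apply, which is exactly the documentation the checklist is meant to hold; scheduling the script and keeping its output is then your evidence that controls were reviewed between formal audits.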
If all of this sounds like a lot of time and effort, it is. That’s why many companies outsource cloud auditing to a trusted professional services firm. BPM offers services to make cloud auditing less of a burden on your team. Learn more about how to leverage BPM’s managed services to realize your organization’s vision. Visit our interactive guide.