Not All Clouds Are Created Equal

Not All Clouds Are Created Equal

By Special Guest
Aaron Smith, Principal Cloud Security Strategist at Forcepoint
  |  January 23, 2017

Data in transit, traveling to and through the cloud, is at risk. But there’s also danger while it’s stored or processed. And as more organizations look to cloud services, and providers make investments in infrastructure and data centers, the theme of quality over quantity rings true.

There are factors to consider: does the vendor have carrier grade data centers, or is it hosted in a customer site (or labeled as a data center to inflate numbers)? Customer references can only go so far to vouch for the quality of a given cloud provider, so what about third party verification?

When evaluating the safety and security of a cloud provider, there are several factors to consider to gauge its quality. Here are some tips to ensure common risks don’t turn into realities:

1. Determine the global presence of carrier grade data centers. Some vendors may claim a server hosted in a customer site is a “data center” to inflate the number of data centers it reports. The number of data centers is not the important detail though; it’s the accessibility and security that is most critical.

  • Best practice – It’s important to have a global presence of customer accessible data centers. Be sure to ask a provider for a list of data centers that will be accessed by all users included in the price. Don’t accept premium pricing for access.

2. Identify where your data will reside. Some regions are required to have local data centers to process and store data accessed by users in the region. This sometimes mandates a local site, but not always.

  • Best practice – Ensure a vendor has options that will provide the required controls without processing data in another country or region. In addition, some HR and compliance officers require historical reporting beyond the standard six or nine months. Confirm the cloud provider can readily provide these options.

3. Double check industry certifications. Certifications provide assurances that a cloud provider has the controls and mechanisms in place to ensure compliance with numerous regulatory and legal requirements.

  • Best practice – Make sure a provider has the most commonly held certification – ISO 27001 – which mandates requirements that define how to implement, monitor, maintain and continually improve the information security management system. Most cloud vendors also include ISO 27018 for compliance with certain privacy requirements. These compliance certifications can also vary depending on the industry, like financial services, for example.

4. Evaluate the deployment options. Many companies choose hybrid cloud services for various reasons. Sometimes it makes sense to have cloud managed devices for local enforcement. Other companies prefer to have advanced features in a next-generation firewall. Still others want a full SaaS (News - Alert) deployment with Internet Protocol Security and GRE. It’s essential to figure out what deployment option is best suited for an organization.

  • Best practice – No matter what the choice, a cloud security vendor should have a platform approach that facilitates the organizations’ needs and unique use case.

So how can an organization be sure that a cloud provider secures data to an expected standard? When choosing the best candidate, it’s necessary to thoroughly understand every element of its platform, from third party certifications to speeds and feeds, redundancy, uptime, features, effectiveness and more. However, none of these features have any value if they can’t be delivered in a secure manner.

As enterprises look to cloud services, it’s critical to select a provider who prioritizes security and data protection according to high standards. Not all clouds provide global, carrier grade data centers, robust industry certifications, proxy and proxy-less Web security and a choice of deployment option. Above all, not all clouds are created equal – make sure you find the right one