In today’s economy, we all shop online and use credit cards to some extent. Do you ever wonder what happens to your personal data after you hand it over? How do the vendors entrusted with this information protect it? What is done to keep financial data secure? How about medical information? Given several recent newsworthy security breaches, consumers wonder where all their personal information is processed and stored, and how safe it is.
These are valid questions. Consumers do not see what companies do with their personal information. Companies often outsource their technology operations, development or monitoring, along with their data, to third-party vendors. If they use the cloud to store that data, they are outsourcing to a cloud service provider.
For their customers’ sake, companies entrusted with personal information must maintain strict security controls. But what about their third-party vendors? How are companies validating vendor security posture? Is there an audit trail? Are they monitoring for breaches? And what are the third parties doing to keep one customer’s data separate from another’s? This is the multi-tenancy factor: at any hosting provider, many customers’ data sits on shared infrastructure, so the provider’s tenant isolation matters as much as its perimeter. The answer to these issues lies in gaining an understanding of the technical security posture of the third-party vendor.
Coming back to the cloud, there are steps that must be taken to examine whether data stays safe throughout its lifecycle. To ensure this, you must:
- Understand the network, compute, storage and application resources involved;
- Know how access to each of those resources is controlled;
- Understand the virtualization layer and how isolation is enforced between different customers’ data sets;
- Know how the data maps to all applicable regulations so that compliance can be demonstrated;
- Determine how stored data stays protected through the outages, migrations and other technology changes the third party will face; and
- Ensure that duties are clearly separated and that privileged activity is closely monitored.
All of this must be done to promote strong security, and it can be overwhelming. It is therefore not surprising that security is one of the top concerns today for both companies and consumers.
It’s time for organizations to make sure they can answer the essential questions their customers have about their data. Here are key questions consumers would expect company representatives to be able to answer about their personal data and how secure it is:
- How do you grade the security posture of your internally hosted data centers and your externally hosted data, including cloud service providers?
- What do you assess and how often (e.g., network, applications, cloud computing operations, the IT organization, other factors)?
- Do you understand, from a technical standpoint, how the third party handles security in the cloud and how personal information flows through its systems?
- What application security controls and validations are in place?
- Do your third-party vendors perform background checks on technology and security personnel?
- What is needed on an ongoing basis to ensure that your environment remains secure?
Companies also must recognize that the cloud provides a platform for them to run their own applications or to use a hosted instance of an application to deliver additional value to the consumer. They must determine how the cloud service provider applies security analysis across the whole service lifecycle, so that security is not just a point-in-time exercise. To do this effectively and efficiently, companies should focus their security efforts on the applications that host or manage their business’ most critical and sensitive data. Consumer questions were identified above, so now let us review the questions companies should ask prospective third-party vendors when selecting or implementing cloud services:
- What should be built into SLAs regarding terms, conditions and expectations about security and adherence to regulatory requirements?
- Holistically, how does the third party measure its resilience across a heterogeneous IT environment that might include a public cloud, a private cloud and a traditional data center?
- What is the vendor’s incident response plan, and who is accountable if something does go wrong?
- What security solutions and controls are provided “out of the box”?
- What additional security controls can be added to increase protection?
- What proof is there that the third-party vendor has a history of managing complex applications and sensitive data in an available, recoverable and secure way?
With so many questions to ask, it can be overwhelming. However, the Payment Card Industry Data Security Standard (PCI DSS) now requires service providers that store, process or transmit cardholder data to validate their security controls, and it addresses outsourcing directly: a company that shares cardholder data with a service provider must keep a written agreement in which the provider acknowledges its responsibility for the security of that data, and must maintain a program to monitor the provider’s compliance. The result is a more comprehensive approach built on shared responsibility, improved traceability and a clearer acknowledgement of which controls belong to the company and which to its cloud service provider. Guidance is also available, notably the Cloud Security Alliance’s Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire, to help companies understand and ask about the security issues that pertain to cloud.
In the end, it matters who you partner with and, during these times of security uncertainty, companies should look for cloud providers with long histories of protecting data. They should also always validate their comprehensive security posture (internal data centers, external data centers, cloud service providers and applications) through thorough independent third-party assessment and review, checking that the scope of any attestation the vendor offers, such as a PCI DSS Attestation of Compliance or a SOC 2 report, actually covers the services, systems and locations that handle their data.
Edited by Maurice Nagle