In the past few weeks I have quite often been involved in discussions about cloud security frameworks, proper attestation of security controls, and what criteria should apply when selecting a cloud service provider.
The lack of a widely agreed cloud risk or cloud security standard (and an acknowledged certification process for it) makes it difficult for organisations to evaluate and select cloud service providers from a risk perspective, in addition to the business and cost benefit angle that the cloud service would provide.
Therefore many organisations fall back on already established in-house expertise in vendor selection, which is unlikely to be fully applicable to the selection of cloud service providers, or simply mirror what other organisations do, even though those organisations likely have a different risk and maturity profile.
Hence the title of this blog article - One Size Fits None. That is usually my first answer to a lot of the questions I have been asked around this topic. Don't just mirror what others do; you need to find and adopt your organisation's own security approach, starting with a proper risk assessment and drawing the right conclusions from it. As I already said in my last blog article, I am not going to explore risk assessment and risk management frameworks here, as this would extend the article to the length of a book. If you are interested in my opinion about it, please drop me a note and we will discuss frameworks such as Risk IT, Val IT, ISO 27005, ISO 31000 and others.
So where can you start? Well, obviously you should look for publicly available information about the particular vendor when you start shortlisting candidates for your service selection. For example, many cloud service providers have statements on their website about ISO 27001 certification, SAS 70 Type II audit attestation (recently replaced by SSAE 16 in the US and ISAE 3402 internationally), SysTrust or WebTrust certification, etc.
Is this enough to trust this provider to handle, for example, your entire CRM data outside of your network? Probably not. A certificate or audit report only covers the scope the provider chose to have assessed, so at a minimum check that the stated scope actually includes the service, the locations and the subcontractors you would be using, and ask for the report itself rather than relying on the label on the website. Beyond that, you should start to think about further assessment beyond these certifications and labels.
A proper next step is to think about the tough questions you would like to ask the provider. Again, don't fall back on your usual questionnaire for selecting on-premise software or hardware vendors; those questions do not cover the significant differences of a cloud service. A significantly better approach is to use specialised existing questionnaires such as the "Consensus Assessments Initiative Questionnaire (CAIQ)" from the Cloud Security Alliance, or the "Standardized Information Gathering Questionnaire (SIG)" from The Shared Assessments Program.
You are asking a provider to handle nothing less than your mission-critical service, so you should demand a complete response to your questionnaire. If the provider does not fulfil this request, you should do no less than eliminate the provider from the evaluation process.
A significant criterion is how the provider answers the questions. While some will just answer "yes" or "no", others will also explain "how" they do it. To push them towards better answer quality, make sure you phrase the questions the right way: don't just ask "Do you ...", ask "How do you ...". In general, asking open questions is best practice for any type of questionnaire. A "how" answer also gives you something to verify: you can ask for the supporting evidence, such as the relevant policy document or the section of the audit report that covers that control.
In the end - apart from all the business and cost benefits - you will get a much better and more precise understanding of the acceptable and unacceptable criteria for the selection of your cloud service provider from a risk and security controls perspective, according to your initial risk assessment, vendor risk management and requirements.
A good place to start your own learning on this topic is the recently released research paper "Managing the Benefits and Risks of Cloud Computing" from the IT Policy Compliance Group. The research uncovers the differences in benefits and risks being experienced by organisations of very different sizes and outcomes, and what the best performers are doing differently to gain more business value and less risk from the use of cloud computing.
I hope this information is useful for you. As always, please do not hesitate to contact me with any further questions.