Movement to cloud services is exploding across all business segments.
One of the main motivators for this move is enhanced security compared to on-premises resources. However, cloud services come with their own risks. Not all cloud providers are the same, and they do not apply the same level of security to the data transferred to and stored in their facilities. Additionally, many companies use multiple cloud providers for complementary services, some of which exchange data with one another, so a customer's diligence has to cover those vendor-to-vendor data flows as well. As with all things, caveat emptor: it is the customer's responsibility to maintain the basic level of expertise needed to monitor the cloud vendors' systems for security and for compliance with any applicable standards.

There are typically two aspects to this: presale and post-sale diligence. Presale diligence includes a review of the vendor's security measures and attestations, together with contract review to make sure the risk of data loss is properly apportioned and indemnification is in place. Those attestations can include a System and Organization Controls (SOC) report prepared under the AICPA's Statement on Standards for Attestation Engagements (SSAE), as well as certification to ISO standards such as ISO/IEC 27001. Companies often assume that their risk of data loss is automatically transferred when data moves to a remote vendor. That is an improper assumption in many cases; the contract, not the location of the data, determines who bears the loss. Ensuring the vendor carries adequate cyber insurance coverage is also necessary.

Post-sale diligence includes periodic (usually annual) follow-up to confirm that the security measures, and particularly any reports and certifications, remain in place and current. A due diligence questionnaire with technical questions about the vendor's environment can be useful here.
We can help your company navigate the complex evaluation and contracting process as well as post sale diligence.
This post was written by Barry Friedman