How should firms select a secure cloud service provider?
Surveys have shown that data security and compliance are the primary concerns for cloud adoption.
When selecting a cloud service, a firm needs to understand the data elements that will be stored in the cloud solution. Those will include an employee’s personal information as well as client and engagement names that must remain confidential, as any exposure or loss will cause ethical and reputational damage. Any use of confidential information must follow legal, contractual, and business requirements.
How should a firm select a cloud provider?
The first step in evaluating a cloud provider is to ensure that they provide the firm with legal protections covering:
- Data use
- Data storage
- Data access (by whom and how?)
- Any sub-processors involved in providing the service
The next step is to ensure that the provider commits to employing modern security protections. With the ubiquity of cloud services, physical data center protections and encryption of data at rest and in transit have become table stakes for any cloud service. For example, your provider should provide extensive user authentication and role-based permissions. A well-documented and fully featured API will allow you to integrate the solution with your other systems.
Another critical factor in selecting a provider is to gain confidence in the provider’s ability to consistently deliver using mature processes. Those processes should include secure development, change management, and ongoing operation and monitoring of the service. Consider whether the provider can support the customer during normal operations as well as during outages or regional disasters, and whether it can handle a security incident. Review the information a provider makes publicly available, specifically around data protection, security controls, the use of sub-processors, and current service status.
Finally, do you trust the provider to deliver on their promises? While evaluating a provider’s reputation and doing reference calls will give you some insight, certifications issued by a qualified third party will confirm the security stance of a company. In particular, your cloud provider should provide you with the following evidence:
5 ways to evaluate the security of a cloud service provider
- SOC 2 report – A standard way to evaluate the security controls of an organization. This report puts a particular emphasis on a provider’s ability to fulfill its customer commitments. In a Type 2 report, the examiner will review that the provider has operated the environment as described during a multi-month period. To support this, a provider has to have mature processes in place and not rely on ad-hoc changes.
- ISO 27001 – With ongoing innovations, a good solution today will be outdated tomorrow unless continuously improved. ISO 27001 puts specific emphasis on continuous improvements and regular risk assessments to ensure a provider focuses on the most significant risks and will provide essential enhancements.
- ISO 27017 – Any technology itself will not provide adequate protection if misused. A cloud provider should give unambiguous, ISO 27017-compliant documentation on what the provider will take care of and what the customer needs to do to achieve the best protection.
- ISO 27018 – In recent years, personal information has been at the center of global regulation efforts. A cloud provider needs to have an answer on how they protect the personal information stored in their cloud solution. While there is no generally accepted GDPR certification yet, ISO 27018-compliant solutions demonstrate mature processes.
- CSA Star certification – With the worldwide growth of the cloud solution market, the Cloud Security Alliance (CSA) has developed the industry’s most powerful program for security assurance in the cloud. To achieve CSA Star certification, a provider must have an ISO 27001 certification. An independent auditor then rates the maturity of over 130 individual organizational capabilities. Those capabilities align with many other certifications and regulations and provide excellent coverage for any standard framework.
Each of these certifications requires external auditors to review internal policies and evidence of consistent process execution. Engagements like this will span weeks and go into a lot more depth than a customer-driven audit or questionnaire process can achieve.
In summary, when selecting a cloud provider, check for publicly available trust and status information, mature legal commitments, as well as a wide variety of third-party audited security certifications and reports.
We’re proud to say we’ve taken great care to ensure the security of our solutions and are the first professional services industry cloud vendor to be CSA Star certified. Intapp’s CSA STAR certification can be downloaded from the CSA Registry and you can also access our other cloud compliance certifications on this page.