How should firms select a secure cloud service provider?
Surveys have shown that data security and compliance are the primary concerns for cloud adoption.
When selecting a cloud service, a firm needs to understand the data elements that will be stored in the cloud solution. Those will include an employee’s personal information as well as client and engagement names that must remain confidential, as any exposure or loss will cause ethical and reputational damage. Any use of confidential information must follow legal, contractual, and business requirements.
How should a firm select a cloud provider?
The first step in evaluating a cloud provider is to ensure that they provide the firm with legal protection against:
- Data use
- Data storage
- Data access (by whom and how?)
- Any sub-processors involved in providing the service
The next step is to ensure that the provider commits to employing modern security protections. With the ubiquity of cloud services, physical data center protections or encryption of data at rest and in transit have become table stakes for any cloud services. For example, your provider should provide extensive user authentication and role-based permissions. A well-documented and fully-featured API will allow you to integrate the solution with your other systems.
Another critical factor in selecting a provider is to gain confidence in the provider’s ability to consistently deliver using mature processes. Those processes should include a secure development, change management, and ongoing operating and monitoring of the service. Consider if the provider can support the customer during normal operations as well as during outages or regional disasters, and their ability to handle a security incident. Review the information a provider makes publicly available, specifically around data protection, security controls, the use of sub-processors, and current service status.
Finally, do you trust the provider to deliver on their promises? While evaluating a provider’s reputation and doing reference calls will give you some insight, certifications issued by a qualified third-party will confirm the security stance of a company. In particular, your cloud provider should provide you with the following evidence:
5 ways to evaluate the security of a cloud service provider
- SOC 2 report – is a standard way to evaluate the security controls of an organization. This report puts a particular emphasis on a provider’s ability to fulfill its customer commitments. In a Type 2 report, the examiner will review that the provider has operated the environment, as described during a multi-month period. To support this, a provider has to have mature processes in place and not rely on ad-hoc changes.
- ISO 27001 – With ongoing innovations, a good solution today will be outdated tomorrow unless continuously improved. ISO 27001 puts specific emphasis on continuous improvements and regular risk assessments to ensure a provider focuses on the most significant risks and will provide essential enhancements.
- ISO 27017 – Any technology itself will not provide adequate protection if misused. A cloud provider should give unambiguous, ISO 27017 compliant documentation on what the provider will take care of and what the customer needs to do to achieve the best protection.
- ISO 27018 – In recent years, personal information has been at the center of global regulation efforts. A cloud provider needs to have an answer on how they protect the personal information stored in their cloud solution. While there is no generally accepted GDPR certification yet, ISO 27018 compliant solutions demonstrate mature processes.
- CSA Star certification – With the worldwide growth of the cloud solution market, the Cloud Security Alliance, CSA, has developed the industry’s most powerful program for security assurance in the cloud. To achieve CSA Star certification, a provider must have an ISO 27001 certification. An independent auditor then rates the maturity of over 130 individual organizational capabilities. Those capabilities align with many other certifications and regulations and provide excellent coverage for any standard framework.
Each of these certifications requires external auditors to review internal policies and evidence of consistent processes executions. Engagements like this will span weeks and go into a lot more depth than a customer-driven audit or questionnaire process can achieve.
In summary, when selecting a cloud provider, check for publicly available trust and status information, mature legal commitments, as well as a wide variety of third-party audited security certifications and reports.
We’re proud to say we’ve taken great care to ensure the security of our solutions and are the first professional services industry cloud vendor to be CSA Star certified. Intapp’s CSA STAR certification can be downloaded from the CSA Registry and you can also access our other cloud compliance certifications on this page.
- How law firms can minimize information governance risks and maximize value when using Microsoft Teams and Copilot
- Small and midsize law firms risk significant losses without proper due diligence procedures
- How two law firms improved their realization rates and revenue by using software that helps lawyers comply with outside counsel guidelines
- The pathway to modern legal work: Why and how law firms should begin or continue their journey to a modern way of working
- The importance of a well-designed new business acceptance process at professional services firms
- 3 ways DealCloud supports Activator behaviors
- How professional service firms can optimize conflict management
- Meet PCAOB auditing standards and support change management with risk-based technology
- Meet WIN’s Executive Sponsors: Jennifer Richard and Lavinia Calvert
- How best-in-class deal and relationship management technology helps TAS teams win more business (and why solutions once considered the best CRM software for accounting firms can’t)
- Inside Intapp Spotlight: Meet Jaqualia Jones, Senior Manager of Client Success
- Weaponizing data to gain a competitive edge
- Legal Modern Work Consortium members discuss solutions that improve attorney and client experience
- Choosing the best software for outside counsel guidelines management
- How cloud-based software enables your firm to deliver on outside counsel guidelines
- Actionable client intelligence: Can next-gen dashboards deliver?
- Strengthen business development (BD) with experience management software for law firms
- 4 key risk management trends for consulting firm leaders
- Digital prebilling reduces costs and boosts profits
- Why in-house legal departments are moving from point solutions to leveraging Microsoft 365 for their legal operations
- How top law firms transform their practice with purpose-built firm collaboration software for Microsoft Teams
Sign up to receive email updates from Intapp