How should firms select a secure cloud service provider?
Surveys have shown that data security and compliance are the primary concerns for cloud adoption.
When selecting a cloud service, a firm first needs to understand which data elements will be stored in the solution. These will include employees' personal information as well as client and engagement names that must remain confidential, since any exposure or loss will cause ethical and reputational damage. Any use of confidential information must follow legal, contractual, and business requirements.
How should a firm select a cloud provider?
The first step in evaluating a cloud provider is to ensure that the contract gives the firm clear legal commitments covering:
- Data use
- Data storage
- Data access (by whom and how?)
- Any sub-processors involved in providing the service
The next step is to ensure that the provider commits to employing modern security protections. With the ubiquity of cloud services, physical data center protections and encryption of data at rest and in transit have become table stakes for any cloud service; their absence is disqualifying, their presence is not a differentiator. Beyond that, the provider should offer strong user authentication (including single sign-on and multi-factor authentication) and role-based permissions so that access can be limited to what each user needs. A well-documented and fully featured API will allow you to integrate the solution with your other systems, including identity management and audit logging.
Another critical factor in selecting a provider is gaining confidence in the provider's ability to deliver consistently through mature processes. Those processes should include secure development, change management, and the ongoing operation and monitoring of the service. Consider whether the provider can support the customer during normal operations as well as during outages or regional disasters, and how it handles a security incident, including how and when customers are notified. Review the information a provider makes publicly available, specifically around data protection, security controls, the use of sub-processors, and current service status.
Finally, do you trust the provider to deliver on its promises? Evaluating a provider's reputation and doing reference calls will give you some insight, but certifications and attestation reports issued by a qualified, independent third party are the strongest confirmation of a company's security stance. In particular, your cloud provider should be able to provide the following evidence.
5 ways to evaluate the security of a cloud service provider
- SOC 2 report – a standard way to evaluate the security controls of a service organization against the AICPA Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality, and privacy). The report puts particular emphasis on a provider's ability to fulfill its commitments to customers. A Type 1 report only confirms that controls were suitably designed at a point in time; in a Type 2 report, the examiner also tests that the provider operated those controls as described over a multi-month period (commonly six to twelve months). To pass a Type 2 examination, a provider has to have mature, repeatable processes in place and cannot rely on ad-hoc changes. Read the report itself rather than just the cover letter: check which systems and criteria are in scope and whether the auditor noted any exceptions.
- ISO 27001 – the international standard for an information security management system (ISMS). With ongoing innovation, a good solution today will be outdated tomorrow unless it is continuously improved. ISO 27001 puts specific emphasis on continual improvement and regular risk assessments, which ensures that a provider focuses on its most significant risks and keeps delivering essential enhancements rather than certifying a static snapshot.
- ISO 27017 – a code of practice for information security controls in cloud services. Technology alone will not provide adequate protection if it is misused or misconfigured, and in any cloud service responsibility is shared between provider and customer. A cloud provider should give unambiguous, ISO 27017 aligned documentation stating which controls the provider takes care of and which the customer must implement (for example, user provisioning and permission reviews) to achieve the best protection.
- ISO 27018 – a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors. In recent years, personal information has been at the center of global regulation efforts, and a cloud provider needs a clear answer on how it protects the personal information stored in its solution. While there is no generally accepted GDPR certification yet, ISO 27018 compliant solutions demonstrate mature processes for handling personal data.
- CSA STAR certification – With the worldwide growth of the cloud market, the Cloud Security Alliance (CSA) has developed a widely adopted program for security assurance in the cloud. To achieve CSA STAR certification, a provider must already hold an ISO 27001 certification. An independent auditor then assesses the provider against the controls of the CSA Cloud Controls Matrix (CCM), over 130 individual organizational capabilities, and rates the maturity of each. Those controls are mapped to many other certifications and regulations and provide good coverage for any standard framework.
Each of these certifications requires external auditors to review internal policies and evidence that processes are executed consistently. Engagements like this span weeks and go into far more depth than a customer-driven audit or a security questionnaire can achieve. Always ask for the current certificate or report and confirm that its scope actually covers the service you intend to buy.
In summary, when selecting a cloud provider, check for publicly available trust and status information, mature legal commitments, as well as a wide variety of third-party audited security certifications and reports.
We're proud to say that we've taken great care to ensure the security of our solutions and are the first professional services industry cloud vendor to be CSA STAR certified. Intapp's CSA STAR certification can be downloaded from the CSA Registry, and you can also access our other cloud compliance certifications on this page.