How should firms select a secure cloud service provider?
Surveys have shown that data security and compliance are the primary concerns for cloud adoption.
When selecting a cloud service, a firm needs to understand which data elements will be stored in the cloud solution. For a professional services firm, those typically include employees' personal information as well as client and engagement names, all of which must remain confidential: any exposure or loss causes ethical and reputational damage, and may breach client obligations. Any use of confidential information must follow the applicable legal, contractual, and business requirements.
How should a firm select a cloud provider?
The first step in evaluating a cloud provider is to confirm that its contract gives the firm enforceable commitments covering:
- How the provider may use the firm's data (and for what purposes it may not)
- Where and how data is stored, including retention and deletion
- Who may access the data, and under what controls
- Any sub-processors involved in providing the service, and how changes to them are communicated
The next step is to ensure that the provider commits to employing modern security protections. With the ubiquity of cloud services, physical data center protections and encryption of data at rest and in transit have become table stakes for any cloud service; their absence disqualifies a provider, but their presence alone is not a differentiator. Beyond those basics, the provider should offer strong user authentication (for example, single sign-on and multi-factor authentication) and role-based permissions so that access can be limited to what each user needs. A well-documented and fully featured API will allow you to integrate the solution with your other systems, including your own monitoring and identity tooling.
Another critical factor in selecting a provider is to gain confidence in the provider's ability to deliver consistently using mature processes. Those processes should cover secure development, change management, and the ongoing operation and monitoring of the service. Consider whether the provider can support customers during normal operations as well as during outages or regional disasters, and whether it has a tested process for handling a security incident, including how and when customers are notified. Review the information a provider makes publicly available, specifically around data protection, security controls, the use of sub-processors, and current service status.
Finally, do you trust the provider to deliver on its promises? Evaluating a provider's reputation and doing reference calls will give you some insight, but certifications and audit reports issued by a qualified third party provide independent confirmation of a company's security posture. In particular, your cloud provider should be able to give you the following evidence.
5 ways to evaluate the security of a cloud service provider
- SOC 2 report – a standard way to evaluate the security controls of a service organization, assessed against the AICPA Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality, and privacy). The report puts particular emphasis on a provider's ability to fulfill its commitments to customers. A Type 1 report only confirms that controls were suitably designed at a point in time; in a Type 2 report, the auditor tests that the controls actually operated effectively as described over a review period of several months. Passing a Type 2 examination requires mature, repeatable processes rather than ad-hoc changes, so ask for the Type 2 report and read the exceptions the auditor noted.
- ISO 27001 – with ongoing innovation, a good solution today will be outdated tomorrow unless it is continually improved. ISO 27001 certifies an information security management system (ISMS) and puts specific emphasis on continual improvement and regular risk assessments, so that a provider focuses on its most significant risks and delivers the enhancements that matter.
- ISO 27017 – technology alone will not provide adequate protection if it is misused. ISO 27017 is a code of practice for cloud-specific controls, and a provider following it should give unambiguous documentation of the shared responsibility model: what the provider takes care of and what the customer must configure and operate to achieve the best protection.
- ISO 27018 – in recent years, personal information has been at the center of global regulation efforts. A cloud provider needs a clear answer on how it protects the personal information stored in its cloud solution. ISO 27018 is a code of practice for protecting personally identifiable information in public clouds acting as PII processors; while there is no generally accepted GDPR certification yet, ISO 27018 compliant solutions demonstrate mature processes for handling personal data.
- CSA STAR certification – with the worldwide growth of the cloud solution market, the Cloud Security Alliance (CSA) has developed a widely used program for security assurance in the cloud. To achieve CSA STAR certification, a provider must hold an ISO 27001 certification. An independent auditor then rates the provider's maturity against the CSA Cloud Controls Matrix (CCM), a set of over 130 individual cloud-specific control areas. The CCM is mapped to many other certifications and regulations, so STAR certification provides good coverage for most standard frameworks a customer may ask about.
Each of these certifications and reports requires external auditors to review internal policies and evidence of consistent process execution. Engagements like this span weeks and go into far more depth than a customer-driven audit or security questionnaire can achieve. They are a point-in-time or period-based assessment, however, so check the scope and date of each report and confirm it covers the service and regions you intend to use.
In summary, when selecting a cloud provider, check for publicly available trust and status information, mature legal commitments, and a wide variety of third-party audited security certifications and reports.
We’re proud to say we’ve taken great care to ensure the security of our solutions and are the first professional services industry cloud vendor to be CSA Star certified. Intapp’s CSA STAR certification can be downloaded from the CSA Registry and you can also access our other cloud compliance certifications on this page.
Thomas Hadig is Intapp’s company security officer. He is responsible for Cloud Security at Intapp and focuses on solving customer requirements. He has spent over two decades in IT and Engineering roles at multi-national research labs and at Intapp.