Organisations are acutely aware that the risks to their online services and data today are greater than ever – and growing fast. According to the 2015 Information Security Breaches Survey, 90% of large organisations, and 74% of small businesses suffered a security breach in 2015, an increase on both 2013 and 2014 figures.[1] This statistic, and the recent unprecedented scale of the Panama Papers data leak should once again bring data security to the top of the boardroom agenda.
As more businesses move their technology estate to the cloud, they need to be confident their technology partners can really deliver on cloud security – with the experience and depth to protect them better than they ever could themselves.
Traditionally, businesses have been skeptical when it comes to the security of cloud services. For most IT decision makers, the fear of moving to cloud technology is centered on a ‘loss of control’ (a Vanson Bourne survey suggests 84% of UK CIOs worry that cloud causes them to lose control over IT). The role of Managed Cloud Providers (MCPs) is not only to deliver high-performance cloud-based technology services, but also to demonstrate that their approach to security and compliance is robust, scalable and perpetually fit for purpose.
When it comes to evaluating a provider’s capabilities, certifications go a long way to building credibility – from business standards (e.g. ISO) through to technology (Cyber Essentials Plus) or sector specific (PCI DSS, HIPAA, Government). But it is also to a large extent about a holistic approach to security – an attitude. There are three key attributes you should look for in a MCP from a security perspective:
Business understanding – MCPs need to maintain an extraordinary understanding of the needs and requirements of your business and demonstrate the right level of knowledge and expertise to protect your systems and services.
Good MCPs need to look further than a simple summary of potential threats and a review of past incidents/ concerns towards the wider global threat landscape, considering its specific relevance and impact. They must have detailed knowledge of the risk profile of your business and market, and understand who your staff, customers and other users are to accurately profile potential vulnerabilities.
A combination of current security intelligence and experience is vital if an MCP is to deliver a security service with sufficient detail and depth to protect your business properly.
Shared Responsibility– To define and deliver the optimal level of security, MCPs need to work very collaboratively with customers. This typically starts with CIOs and IT teams but ultimately cascades across the customer’s business. Cloud security is a shared responsibility and to be at its most effective, it is crucial for organisations and MCPs to have a clear view of their respective roles and accountability.
Working with an MCP that can clearly define where responsibilities lie and help an organisation deliver end-to-end security and compliance without unnecessary overlap or, even worse, gaps, is vital.
Collaboration – As the cloud market continues to expand, businesses increasingly find themselves working with more than one provider in order to meet their technology needs. MCPs must have a proven ability to collaborate with your other cloud partners (other MCPs, SaaS providers etc.) to maintain a consistent level of security, or offer a more integrated approach that allows customers to work through a single cloud integrator who manages the ecosystem relationships.
By partnering with the correct MCP, CIOs can be sure that any threats to data are detected, diagnosed, reported and ultimately remediated. When managed correctly, the cloud can provide a perfectly secure environment to help support businesses.
[1] http://www.pwc.co.uk/assets/pdf/2015-isbs-executive-summary-digital.pdf
[su_box title=”About Kevin Linsell” style=”noise” box_color=”#336588″][short_info id=’67595′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.