For companies purchasing cloud services, the number one priority should be how to evaluate the risk of using a particular vendor.

Many companies don’t have a solid process for evaluating a third-party cloud vendor for risks or for assessing the likelihood of a breach at a third party. Too often, if a company does attempt to assess the risk, the task gets delegated to someone who concentrates on a very narrow aspect of the service provided. For example, someone might only validate whether the data is encrypted during transmission, or the decision might rely on determining whether the system is multi-tenant versus a dedicated host.

In order to properly assess the risk, companies should be using mature frameworks such as ISO 27002 or the emergent Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA). These frameworks look at a broad range of controls including HR practices; physical security; environmental controls; authentication policies, procedures, and mechanisms; access controls; cryptography usage; and key management. The current version of ISO 27002 examines over 130 different aspects of an organization’s overall security. The CCM has similar granularity.

A small number of organizations with mature IT departments use ISO 27002 or a similar framework to assess their third-party vendors, including cloud service providers. Some cloud vendors perform an annual assessment and publish compliance information about the assessment. However, too often these diligent practices are the exception rather than the standard practice.

One area that ISO 27002 does not address is breach notifications by third-party vendors. When purchasing cloud services, companies should include terms and conditions that address the definition of a breach, the timeliness of notifications upon learning of a breach, and what information will be communicated about a breach.