How can a company develop trust in the cloud and determine when the risk of using a service is acceptable?

Today, enterprises must trust, and only periodically verify, the integrity of their cloud service providers through annual assessments.  The tools to verify in real time rarely exist and the tools that do exist are primarily focused on providing limited access to log data.

When an enterprise is thinking about using a SaaS vendor or cloud service it has the responsibility to assess the vendor and determine the risks, liabilities, and responsibilities.  To perform an assessment an enterprise might perform an on-site visit and perform an in-depth interview to assess the service.  Or the enterprise may choose to let the vendor perform a self-assessment by responding to a questionnaire.

SystemExperts has assisted several of our clients to assess cloud vendors they are planning to use, or are using.  One favorable trend we are seeing is an increasing number of cloud vendors are using third parties to perform annual assessments.  We’ve seen at least one cloud vendor that has an ISO 27001 certificate of compliance.  Some others are performing annual ISO 27002 assessments.  Each of these are very useful as a starting point.  However, the most mature cloud service and SaaS providers offer complex services.

It is important for enterprises to perform an assessment that also focuses on how the enterprise will use the service.  For example, an enterprise should examine the types of data that will be propagated to the cloud service provider and then compare how each parties’ Data Classification Policy categorizes or labels that data, and how it will be treated.  Are the two policies compatible?  Or is there a disparity that is a cause for concern?

An assessment should examine change management processes, incident management, log management, and log analysis.  In order to understand the risks it is necessary to understand how these processes are managed, what gets logged, who has access to the logs, and under what conditions will the enterprise be notified of upcoming changes and detected incidents.

Some SaaS vendors provide an enterprise with the ability to review logs related to their use of the service.  Enterprises should use this level of access and proactively review and analyze the logs.  Ideally, the SaaS log information should be integrated into the enterprise’s SIEM.

Assessing a cloud vendor’s Business Continuity and Disaster Recovery management is also critical.  Hearing a cloud vendor reply that they “do not perform complete testing of its BP/DR because of the potential impact on a number of its customers” would not inspire confidence.  Instead, a reply like that should trigger a more detailed discussion and evaluation.

An enterprise should not stop with an assessment of the cloud service vendor.  Many such vendors use additional third parties.  This might include co-location facilities and/or other cloud services. An enterprise should also know about those relationships and what types of assessments the primary cloud service provider has performed when selecting those providers.

Another aspect of cloud accountability is the ability to for the customer, or third party, to reliably monitor the state of the system and verify its integrity.  This tends to be an unresolved issue.  It’s often possible to monitor and detect that a service is working.  However, in the case of a failure, the customer is not likely to have access to information that provides any insight about the cause, or how to expedite a recovery.  Still fewer services make any attempt for a customer or third party to verify the integrity of the system, beyond some status APIs and access to limited log information.