Evaluating Cloud Providers
I have a friend who recently started a new business venture. He’s been involved in several other ventures before therefore he’s familiar with the common business processes that are performed when running a business – accounting, scheduling, inventory, production, regulatory compliance, physical security, payroll and benefits, just to name a few.
We were having coffee the other day and he mentioned that this is the first business he’s set up where every business process is supported by a cloud-based solution. No servers were purchased and the main technology expense was to set up wired and wireless networks to run their new online tools consistently and securely.
His question to me was how he could best track and evaluate his new cloud-based business service providers. This is a task even large IT departments face. The ease with which cloud systems can be added and removed, and the speed with which cloud tools are evolving make accounting for these systems a challenge. As a small business, he wasn’t interested in implementing another system solely to manage cloud assets. For his solution, we used his already available G-Suite tools and we set up a schedule for me to help him assess his cloud providers a couple times a year.
For a larger company though, the solution isn’t quite that simple. Large organizations will need to determine the best method of evaluating the security, reliability, and availability of the critical data that is offsite with their cloud providers. They need to identify and understand the risks that these new technologies present.
The organization utilizing cloud providers should start with reviewing SOC reports for their service providers.
For those using service providers that are material to their financial statement, a SOC 1 – SOC for Service Organization: ICFR Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting should be reviewed. If the service provider is not material to the financial statement, but handles the organization’s critical data, then a SOC 2 – SOC for Service Organizations: Trust Services Criteria Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy should be reviewed.
Second, they should implement a risk assessment. Identify the specific risks and the controls that make up their cloud strategy. Questions to ask on a cloud risk assessment can include:
- How is my data governed and who owns it?
- How do I get to my data?
- How is my data separated from your other customers?
- How are my users managed and authenticated?
- What business continuity and resiliency processes are in place?
- What type of support is available if there is a security incident with my data?
- What environmental and physical protections are in place at your data centers?
- What are my allowances in the contract?
Cloud questionnaires can run into the hundreds of questions. Many example questions are readily available online. The Vendor Security Alliance (VSA) has a free one available for download.
Cential has worked with multiple entities building new Third Party Management functions or improving existing ones, and we understand the nuances (organization size, industry and regulatory requirements, criticality of data, etc.) that impact the requirements of such a program. We can provide assistance building an annual SOC review process, complete with CUEC considerations, or if you’re focusing on performing risk assessments of your vendors, we can help with asking the right questions, evaluating the responses and helping your business make good decisions when it comes to using cloud providers. We have extensive experience in evaluating vendors, assessing SOC2 reports and company Privacy Policies, and understanding the impact that your potential vendors will have on your environment and your business. Contact Cential today!