In this age of digital transformation, many organizations are eager to migrate to the cloud. But it’s important to remember that not all clouds are created equal.
Just as no one needs to be told there are different types of clouds in the sky, no CIO needs to be told there are different types of clouds for managing your data. One cloud may be designed using best practices for security, but another might cut corners, placing your sensitive data at risk.
There’s also the issue of scale. Organizations might start by using just one cloud provider, but soon find themselves using dozens—and even hundreds—of different providers.
So what should you consider when deciding to move to the cloud, or to a new cloud provider? Here are some key questions to ask yourself, or your potential provider.
Does the provider fit your company’s size and security needs?
Many organizations are subject to a high degree of regulation and are frequently audited. The cloud provider must be able to demonstrate a proven track record of managing highly controlled and regulated data.
They should also have a comprehensive audit program in place to help your organization pass your own third-party and regulatory audits.
Can the provider keep up with change and risk?
Changes in cloud software happen so rapidly that by the time your next annual vendor review comes around, the vendor may have shipped hundreds of new features. Some may even have changed their entire technology stack.
Ensuring there are key controls in place to manage this influx of change is critical. Otherwise, the constant changes can open your organization up to unknown vulnerabilities.
Organizations should require their cloud provider to notify them of any significant changes to the product. The contract should also include a clause stating that the provider may not materially lessen its security controls during the term of the contract. This ensures that while there will be innovation through constant change, the provider can't weaken the security program that you have previously reviewed and approved.
Many cloud providers have implemented a product council to discuss upcoming product features and evolving security policies. Ask to be a member of the cloud provider's product council; this will keep you up to date and let you give valuable feedback on the provider's roadmap.
Many cloud providers also maintain product-update blogs to inform their customers of new product changes. Signing up for these ensures you won't miss new features, such as new activity API logs or Bring Your Own Key (BYOK) encryption models, that would let you further increase the security of your data in the cloud.
What visibility and control are available?
It is important that the organization continues to have full visibility into how its data is being stored, processed, accessed and transmitted in the cloud.
Any service agreement with a cloud provider should clearly describe how the organization’s data is managed and protected. Apart from strong contractual controls, the organization must have near real-time visibility into how the provider is managing its data. A continuous monitoring model will allow you to pull all logs into your own Security Operations Center (SOC) to look for anomalies or changes.
In addition to transparency, control of your data is key. New features may be shipped every week, but you should have a choice of which features you want to enable and which features introduce an unacceptable level of risk. Check whether your cloud provider offers a self-service master feature switch that lets you turn product features on and off.
For example, you could enable a feature to support Multi-Factor Authentication (MFA), but disable a new feature that shares your data by email with third parties. This master feature switch capability lets you manage your cloud in accordance with your own policies rather than your cloud provider's release cycle, which could otherwise expose your organization to unnecessary risk.
Avoid the Turbulence
Cloud providers should be able to offer a far more secure model than legacy, on-premises providers. However, you should do your due diligence up front to select the cloud providers that can meet and exceed your security requirements. Otherwise, you may be left with unsophisticated providers that can't adequately protect your data, and your journey to the cloud could be a turbulent and costly one.