The use of and reliance on third-party SaaS, PaaS, and IaaS solutions continues to grow year after year. A recent CyberArk survey of IT professionals found that 90 percent of organizations allow third-party vendors access to their critical systems. (Cyberark)
While there are certainly benefits to using a cloud provider for services, there are also associated risks. For example, 72 percent of respondents in the same CyberArk survey included risk from third-party access in their top 10 security risks (CyberArk). If a cloud vendor is breached, your company data might be included in that breached data. Or, the malicious actor could access your critical systems using the access that you've granted to the cloud vendor.
Here are 6 questions to ask before selecting a cloud vendor:
#1 How can you proactively address the risk from cloud vendors?
- Determine your risk appetite.
- Maintain your own security program.
- Follow security best practices, including defense in depth and least privilege.
- Demand security from your cloud vendors.
Entire blog posts have been dedicated to these topics. However, in this article, we’re going to focus on the importance of demanding security from your cloud vendors.
#2 What’s one thing you can do to have more confidence in the security of your cloud vendors?
You can (and should) require your third-party partners to be SOC 2 compliant.
#3 What is SOC 2?
The American Institute of Certified Public Accountants (AICPA) outlines a framework called SOC 2 that sets forth criteria for the people, processes, and technology of vendor security. Furthermore, SOC 2 covers both organizational topics (e.g. tone at the top and HR topics like onboarding and offboarding) and technical topics (e.g. network, change control process, security awareness, business continuity, and alerting).
#4 How can an organization be compliant?
To be compliant, an organization needs to have an independent auditor review and attest to the way that the company addresses the risks outlined in the criteria. This provides an unbiased opinion from a qualified auditor based on a defined standard.
#5 What should I be asking for?
It's important to know that there are two types of SOC 2 report: Type 1 assesses the design of controls, and Type 2 is a test of whether those controls operated effectively. Require your cloud vendors to maintain SOC 2 Type 2 compliance. This demonstrates that your cloud provider's controls successfully mitigated organizational risk over a specific period of time. Furthermore, your cloud provider should refresh its SOC 2 report every 12 months, so ask your vendor for the latest version on a regular basis.
#6 Does Capacity do this?
Capacity is proud to announce that we have successfully completed our SOC 2 Type 2 project for the most recent reporting period ending 9/30/19, with the services of Deloitte and Touche, LLP. Capacity began and completed our SOC 2 project in less than a year. This report adds to our list of security and privacy accomplishments since the company's inception.