30 Tips in 30 Days Tip #23

Perform cloud provider cyber due diligence

Cloud technology delivers high efficiency and technology enhancement. But it also comes with inherent risk in transferring elements of your security responsibility — including governing access to your information, as well as the integrity and availability of your data — to your cloud provider.

Depending on the type of data your organization maintains, you could also have additional requirements specifying where your data can be stored and whether it can be accessed by foreign nationals. What’s more, legal and contractual requirements with your customers may have implications for providing evidence that your cloud service providers have effective security controls in place.

Much like evaluating a new raw materials supplier, you should do your due diligence on cloud service providers and make sure they meet your expectations and address your cybersecurity requirements.

Next steps

• Look for certifications: Reputable cloud service providers should be able to provide you with a SOC 2 report or HITRUST certification highlighting the effectiveness of their security controls. In sensitive federal government work, like with the Department of Defense, cloud providers should be able to show you their FedRAMP certification.
• Verify control performance: If your cloud service provider can’t provide you with control assurances via one of these reports or certifications, you’ll need to verify control performance on your own. To do so, you need to make sure you have a “right to audit” clause in your agreement. If you end up doing your own verification, bring along an experienced IT auditor to help verify the effectiveness of the cloud service provider’s IT general controls, specifically for how they manage access to your programs and data, change control and backup and recovery of your data.

Understand the shared responsibility model: Just because you moved to the cloud doesn’t let you off the security hook. Many cloud providers have a shared responsibility model (for example, here is Microsoft’s). Depending on the type of cloud service you’re consuming (e.g., software as a service or infrastructure as a service), your responsibility changes. You need to understand these differences and make sure you’re keeping up your end of the bargain.

SOURCE: WIPFLI