How to monitor the security and compliance of your cloud providers

Looking to save money and focus on core competencies, business owners are turning to cloud solutions — where someone else hosts their systems and manages their infrastructure. However, by using a third party, companies can lose the transparency they previously had with respect to the security, operations and controls around the technology.

“It’s put a premium on doing due diligence on the provider upfront to set a baseline understanding of what the cloud providers are doing — and ongoing how they deliver their services,” says Christopher Kradjan, a partner at Moss Adams LLP.

Smart Business spoke with Kradjan about cloud services risks, as well as cloud provider audits that are setting industry benchmarks.

What are the concerns with receiving services from a cloud provider?

When businesses self-hosted, they could observe and directly control the systems to understand if the systems were performing as expected, making changes as necessary. Now, they lose a lot of that transparency working with a third party.

With the ongoing cloud-based operations, companies want to see inside the operations to track performance, such as the system’s security and availability, its functional processing integrity, and the practices around maintaining privacy and confidentiality of the data.

What do business owners need to consider before selecting a cloud provider?

First, look at your current methods of using technology to understand the costs, staffing and implications of how you are delivering services now. Then identify the new system’s requirements and how you want it delivered.

Properly screen vendors through the request for proposal and procurement process, including taking time for demonstrations. Once you’ve narrowed it down to finalists, check references to ensure the systems will work as expected, both from a technical standpoint and in terms of being able to achieve your expected ROI.

There are large, well-known cloud providers, but more are small businesses in their startup phase or still building out market share. They lack sophisticated infrastructure, raising questions about their long-term financial viability. Also, if they are successful, their ownership could sell the business to another provider.

You want a reliable vendor with staying power, but in order to have a continuity of operations, contractually you need to know who owns the data and have exit strategies if the vendor sells or goes out of business.

How should you monitor cloud services?

You need a good vendor management program that looks at the risks associated with each vendor and benchmarks the complexity of the solutions to determine the level of monitoring required. The sophistication of the data, level of importance, what it’s automating and its criticality to the business drive backward what is implemented.

If a business takes the time to do this properly, it winds up stratifying cloud providers into very low risk all the way up to moderate and high-level impact to create monitoring systems accordingly. High-risk areas may require vetting with a due diligence questionnaire or site visit, as well as regular reports from the cloud provider.

How can external audits help in this space?

Companies often ask cloud providers for insight into their business, and providers are continually filling out questionnaires. Therefore, many cloud providers are using SOC 2 (Service Organization Controls) reports, which are based on standardized attestation standards that measure how well the cloud provider is providing its services. The examination can attest to the security, availability, processing integrity, confidentiality, and/or privacy of the system.

In addition, the Cloud Security Alliance (CSA), a leading organization that evaluates cloud providers, has developed the Cloud Control Matrix (CCM) as part of its best practices for examining cloud providers.

The SOC 2 report can be mapped against the CCM for double value — the value of the independent SOC 2 attestation report, coupled with the depth and questions from the CCM — to create a rigorous benchmark.

With the SOC 2 examination and/or CCM, cloud providers can give answers to customers, while differentiating themselves in the market. These examinations help business owners with their upfront due diligence and ongoing monitoring. It can even be used as a gating function with the cloud providers to assess their quality and dedication to strong business practices.

Christopher Kradjan is a partner at Moss Adams LLP. Reach him at (206) 302-6511 or [email protected].

Insights Accounting is brought to you by Moss Adams LLP