It can be terrifying to hand over your business’ (and your customers’) sensitive data to a third party. No matter how rock-solid cloud providers like AWS and Azure seem, they, like every other piece of human-designed system, are vulnerable to outside threats.
Considering the complexity and overall arcane nature of modern-day technology, it can be near impossible to even assess whether your cloud provider is capable of meeting your security needs – especially if you are a company where security is pivotal to your success.
So how do you know which Cloud Service Provider (CSP) is safe to trust with your IT systems?
Let’s take a look at a sky full of cloud…service providers, and we’ll tell you what we see.
The Big Boys of CSPs
If you’re wondering how to evaluate CSP security, you’re probably already familiar with the major players in the space – but just for the sake of clarity, here are the biggest cloud providers in the world.
Amazon Web Services (AWS) – as you might expect – holds the largest market share at 62%.
Microsoft Azure is next, with roughly 20% market share.
Google Cloud Platform (GCP) holds 12% of the market.
Oracle, Alibaba and IBM all compete for that last little chunk of ~6% of the market.
It’s essential to remember that while these giant mega-corporations may seem inherently secure, cloud security controls and policies vary based on providers, your location, your needs, your level of service, and so on. Doing your due diligence to ensure the provider aligns with what you need is just doing your job, really.
Key Areas to Evaluate in Cloud Service Provider Security
A sandwich shop’s security needs are going to be different from the CIA’s, but no matter what, there are some basic areas that can help you analyze your cloud service provider’s capabilities and weaknesses.
Data Privacy and Security: How does the CSP protect data at rest and in transit? Look for measures such as encryption, tokenization, and data masking.
Identity and Access Management (IAM): Does the provider offer robust IAM policies and procedures? Consider factors such as multi-factor authentication (MFA), role-based access, and user activity monitoring.
Incident Response: How does the CSP respond to security incidents? More importantly – how quickly?
Regulatory Compliance: Is the provider compliant with relevant industry regulations? If you’re in healthcare, for example, HIPAA rules will be more stringent than Pinkberry’s froyo regulations.
Security Architecture: What is the CSP’s security architecture? It should be designed to mitigate risks and defend against common threats. There are several ways to accomplish this.
Okay, What Should I Really Look For In A Cloud Service Provider’s Security?
Data Privacy and Security
Data, the essential lifeblood of any business, must be safeguarded at all costs, like a precious ruby of magical renown. This is your #1 priority when looking for a cloud provider for your business.
CSP data security means anonymizing and obfuscating your company’s data footprint, so that bad actors can’t even identify what data is your data – or even that data is being used in your organization.
The chosen CSP should employ robust security measures to protect your company’s data, both while it sits on the provider’s servers (at rest) and while it is being transferred (in transit). Encryption is a must-have – look for end-to-end encryption for maximum security – but you should also analyze your need for advanced features such as tokenization and data masking.
Identity and Access Management (IAM)
IAM is the gatekeeper of your digital assets – it’s basically a giant safe that holds your company’s precious digital bullion. It works the same way, too: if you don’t have the right passcode, you’re not allowed to see what’s inside the safe.
Analyze each CSP’s IAM system. A robust IAM system should include features like multi-factor authentication (MFA) and role-based access control (RBAC), at the very least.
MFA adds an extra layer of security by requiring multiple forms of identification before granting access. You’ve probably had to do this online already. While it can be a pain in the rear end to have to use your phone to log in, it can be a life-saver when it comes to your data.
Meanwhile, RBAC ensures that users only have access to the resources necessary for their roles. This means stratifying your company’s digital presence into tiers, with each user’s access limited to what they need. This limits the potential for leaks and vulnerabilities, as fewer people have access to large swaths of your data.
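To make the two minimum IAM checks above concrete, here is an added example (not code from the article or from any provider) that audits a constructed IAM snapshot: it flags users without MFA, roles that grant everything via a wildcard, and users whose role-based permissions exceed what their job needs. The role and user records are constructed sample data, not real accounts.

```python
# Added example: audit a constructed IAM snapshot against the article's two
# minimum IAM requirements, MFA for every user and least-privilege RBAC.
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    permissions: set  # e.g. {"billing:read"}; "*" means "everything"


@dataclass
class User:
    name: str
    mfa_enabled: bool
    roles: list          # role names assigned to this user
    needed: set          # permissions the person's job actually requires


def effective_permissions(user, roles_by_name):
    """Union of all permissions granted through the user's roles."""
    perms = set()
    for role_name in user.roles:
        perms |= roles_by_name[role_name].permissions
    return perms


def audit_iam(users, roles):
    """Return human-readable findings; an empty list means the snapshot passes."""
    roles_by_name = {r.name: r for r in roles}
    findings = []
    for u in users:
        if not u.mfa_enabled:
            findings.append(f"{u.name}: MFA not enabled")
        perms = effective_permissions(u, roles_by_name)
        if "*" in perms:  # a wildcard role defeats tiering entirely
            findings.append(f"{u.name}: wildcard grant via roles {u.roles}")
            continue
        excess = perms - u.needed  # granted but not required by the job
        if excess:
            findings.append(f"{u.name}: excess permissions {sorted(excess)}")
    return findings


# Constructed sample data (hypothetical roles and users)
ROLES = [Role("billing-viewer", {"billing:read"}),
         Role("app-deployer", {"deploy:write", "logs:read"}),
         Role("admin", {"*"})]
USERS = [User("alice", True, ["billing-viewer"], {"billing:read"}),
         User("bob", False, ["app-deployer"], {"deploy:write"}),
         User("carol", True, ["admin"], {"logs:read"})]
```

Running `audit_iam(USERS, ROLES)` reports bob twice (no MFA, and a `logs:read` grant he does not need) and carol once (the wildcard admin role), while alice passes.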
Adherence to Standards and Frameworks
Look for providers that adhere to common standards such as ISO 27001, ISO 27002, and ISO 27017.
These indicate that the provider follows security best practices and actively strives to reduce risks. ISO 27018 is another important standard; it signifies that the provider sufficiently protects personally identifiable information.
Additionally, consider regulatory and industry requirements like GDPR, CCPA, HIPAA, and PCI DSS, based on your industry. You may be subject to even more stringent requirements on your data, depending on what type of work you’re in and where you do business.
Incident Response
This is an obvious one, but a big one, especially as your options are limited in terms of cloud service providers. Considering the size of most of these behemoth CSPs, you might think that they’d focus more resources on their giant, multinational clients than your business.
And honestly, you’re probably right. That’s why it’s important to grill your potential CSP on exactly how long you can expect to wait for a response if something – anything – happens to your IT systems.
The reality is that despite all of their certifications, standards and track record, CSPs are not perfect, and there’s a good chance you will have an IT incident where something goes down and your business is affected.
It’s critical that you get a clear statement from your CSP – in writing – about expected response times to particular incidents. They should also provide you with a robust and actionable incident response plan, so you can make sure you’ve done your diligence on that end.
Security Architecture
Finally, it’s important to assess the CSP’s security architecture. This includes network security measures such as DDoS protection and firewalls. Most of this may be over your head, and that’s okay, so long as you’ve done your diligence on most everything else.
The 2022 Thales Cloud Security Report reveals that 45% of businesses experienced a cloud-based data breach or failed audit in the past year, emphasizing the importance of a robust security architecture.
Extra Tip: The Zero Trust Model
When it comes to protecting your data, you need to also share some of the burden.
The Zero Trust model, based on the principle of “never trust, always verify,” has gained popularity as a robust approach to cloud security. Essentially, this approach means that you treat every request to your network as a potential security threat, regardless of where it comes from, and grant access only after it has passed a series of identity checks.
The Zero Trust approach is good for improving your cloud security, but note that the big trade-off is that it is less efficient than an approach where user verification is less stringent. This could be too draconian for your business – but if data privacy and security are at the top of your list, then you might consider the ZT model.
Visit NIST’s website for more information on Zero Trust strategy and architecture.
No Size Fits All
At the end of the day, we’re frankly limited to only a few choices of CSPs, all with similar offerings and all of similar sizes.
The key to evaluating cloud service provider security for your business is knowing what you need from your CSP – and demanding those things from them.
Remember: your business comes first, so don’t let these giants of the tech world push you around and put your data at risk with packages that don’t fit your needs. Securing your data in 2023 is key, so spending time on this area up-front will save you tons of problems down the road. Happy hunting!