The CLOUD Providers
To say that CLOUD solutions are more and more popular is a truism; reality shows it to us every day. Small businesses using several CLOUD providers, and even fully dematerialized SMEs with no infrastructure of their own, are becoming an increasingly common, even routine, way of operating.
The risks surrounding CLOUD providers
In my practice, I see many clients selecting CLOUD providers with a certain detachment. They tell themselves that they are delegating part of their problems to someone else. On this point, they are absolutely right: CLOUD solutions have made life easier for many executives and will continue to do so.
Nevertheless, the risks that come with CLOUD providers still have to be managed well. Here are some points worth considering when choosing CLOUD providers.
- In Quebec, several SMEs sell SaaS applications. They are therefore themselves CLOUD providers. The vast majority make extensive use of CLOUD providers to build and run their applications. We quickly see a pyramid, or chain, of CLOUD providers. For a company at the top of the chain, this means several CLOUD providers to consider, not just the one it signed with. We have recently seen situations in the USA where a CLOUD provider was attacked and the impact spread downstream to its clients. A chain is as strong as its weakest link.
- Careful selection of CLOUD providers is therefore a must, and a company must find out as much as possible about a CLOUD provider before doing business with it. A risk analysis should be carried out before any contract is signed. Management should accept this analysis, and the underlying risks, before moving forward.
- In some organizations, departments (HR, finance, etc.) negotiate directly with CLOUD providers without going through the security committee or the IT department. This practice must be strongly discouraged. With laws and regulations on personal data becoming more stringent, and with security risks in general, a company cannot afford to take chances. A single channel for the selection of CLOUD providers is therefore necessary.
- One of the only links between a CLOUD provider and its client is the contract or agreement. It is therefore essential to read it carefully and to negotiate specific clauses if necessary. Some will say that the large CLOUD providers (Amazon, Google, Microsoft Azure, etc.) do not negotiate; this is true, but we must at least understand what their agreements say. It is often easier to negotiate with providers of SaaS applications, and the highest risks are often with exactly these providers. Here are some areas to examine or negotiate in contracts. Clauses relating to:
  - The exit for each party (termination of the contract).
  - The transfer of data (especially personal data).
  - Dispute resolution.
  - Notification of security or confidentiality breaches.
  - The destruction of data.
  - Data backup.
  - Compliance requirements.
- One of the most critical risks for an organization is relying heavily on a SaaS application to run the core of its business. Before moving forward in such a situation, every contract clause must be read, properly understood, negotiated and accepted. An organization must be able to pivot quickly if the CLOUD provider has business continuity problems, and the contract must already provide for this type of situation.
- Requiring a SOC 2 report is a good thing in itself, but is it enough? It is often the only option a customer has. It is therefore essential to know how to dissect a SOC 2 report: whether it is a Type 1 (design of controls at a point in time) or a Type 2 (operating effectiveness over a period), which trust services criteria and which systems are actually in scope, and which complementary user entity controls the report expects the customer itself to implement. Attention should be paid to the exceptions raised by the auditor, and the section dealing with the provider's subcontractors (subservice organizations, often carved out of the report) should be scrutinized. We must try to find out whether those subcontractors are solid. Remember that a chain is as strong as its weakest link. If necessary, ask your own auditor to help you analyze a SOC 2 report.
- The laws and regulations on personal data in Quebec, Canada and Europe now bring new challenges and risks. It is necessary to understand exactly what types of data will be hosted with the CLOUD provider and to ensure that personal data is processed in accordance with the applicable laws and regulations. Specific clauses in the contract should frame this aspect.
- Beyond SOC 2 reports, other certifications exist, including one that is less well known: the STAR certification from the Cloud Security Alliance (CSA). The CSA maintains a STAR registry where you can find information about certain providers. It is a helpful tool to cross-check against your other analysis data.
- Ensure that your security incident response plan is up to date and that its list of stakeholders reflects your current reality. In the event of a significant security breach, you may need to communicate quickly with your clients or your CLOUD providers, and an up-to-date list of stakeholders will save precious time.
When I accompany my clients in obtaining their certification, I attach great importance to the risks related to CLOUD providers. There is no doubt that these risks will keep growing. We are probably only at the beginning of business leaders' awareness of how important it is to properly select their CLOUD providers, to monitor them, and to decide the level of risk the company is willing to accept with respect to them.