Cloud security: Try these techniques now

From divvying up responsibility to using third-party tools, here's how some companies are approaching the problem.

Page 4 of 5

Therefore, due diligence is critical, Anderson says. Pfizer uses SAS 70 Type 2 certification, in which an independent third party audits the service provider's internal and data security controls. Anderson also verifies the vendor's level of Safe Harbor compliance and checks Dun & Bradstreet research to make sure it's legitimate, he adds.

Another standard by which to evaluate a service provider is ISO 27001, which defines best practices for designing and implementing secure and compliant IT systems.

While such standards provide a useful starting point, their criteria tend to be generic, says Gartner's Heiser. Companies still need to match a service provider's specific controls to their specific requirements, he adds.

For example, after checking out BlueLock's SAS 70 Type 2 accreditation, Logiq³'s IT staff did a further evaluation to "make sure the controls we require are supported by the controls they have in place," Westgate says. His team then followed up on discrepancies, identifying missing controls and working with the vendor on solutions. The company plans to repeat the process at least once a year, he says.

Cautioning users doesn't work

Many companies that want the cost benefits of cloud-based services but still have security concerns tell their end users not to put sensitive data on the cloud. But this is generally an exercise in futility, according to Heiser. "The problem is that users often don't know what's sensitive, and probably won't follow the rules anyway," he says. "You can assume that any application or data service end users can pump with data will get sensitive data eventually."

Cloud Compliance's Robbie Forkish
Robbie Forkish, founder of private-cloud-monitoring vendor Cloud Compliance, says his customers sometimes opt to re-upload data each time an application is run, despite the performance hit, because it means better security.

Pfizer is in the process of establishing a SaaS center of excellence to educate users about the correct way to deal with SaaS activities, Anderson says. In addition, his group is establishing best practices for procurement of SaaS services. Among other things, those best practices forbid applications that involve competitive or personally identifiable information from being included in a SaaS setup.

Basic security tasks such as access control and rights management become even more complicated when, as often happens, a SaaS provider outsources its infrastructure or development platform to another cloud-based service provider, adding yet another party to the equation.

Take the case of Cloud Compliance Inc., which provides access-control monitoring services for private cloud environments. The company entrusted its infrastructure to Amazon because it's the most proven service provider, according to founder Robbie Forkish. However, he acknowledges that the arrangement introduces potential security problems. "There are certain areas where we, as a consumer of their services, need to fill in security capabilities they lack" in order to meet Cloud Compliance's internal security requirements and to reassure its customers.
