Rank and file employees are pushing for greater adoption of cloud services to improve their own performance and deliver business growth, creating pressure on IT organizations to assess the security of these applications before permitting their use. A recent survey conducted by the Cloud Security Alliance found that, on average, IT professionals receive 10.6 requests each month for new cloud services. Equinix, the multi-billion dollar internet services company, is one organization that has a well developed internal process for evaluating cloud services they are considering bringing into the company for employee use.
What IT teams look for when assessing a cloud service
The CSA survey of IT professionals found that 71.2% of companies have a formal process for users to request new cloud services. But given that the process of assessing cloud services is still evolving and possibly due to the increased pressure of getting through a large number of requests, the report found that only 65.5% of the companies that have instituted a formal process actually end up following it. For those companies that do follow a process, here are some of the cloud service attributes they look for.
Authentication and identity
- Multi-Factor Authentication: Does the cloud service support authentication factors in addition to passwords such as an SMS code or phone token?
- Anonymous Use: Does the cloud service provider allow for anonymous access to the service?
- Identity Federation Method: What single sign-on methods does the cloud service provider support?
- Enterprise Identity: Does the cloud service provider support integration with enterprise directories or authentication providers?
- Certifications: Which compliance certifications does the cloud service provider have (e.g. SSAE16, ISO 27001, SOC2, PCI, HIPAA, etc.)?
- Data center protections: Does it have data center protections?
- User Activity Logging: Does the cloud service provider log end-user activities?
- Account Termination: What are the grounds for account termination with the cloud service provider?
- Data Retention: How long does the service store customer data after account termination?
- Data Sharing Policy: Does the service reserve the right to share customer data with third parties, and if so under what circumstances?
- Known Breaches: Has the cloud service provider had a (publicly disclosed) breach in its service?
- Known Malicious Use: Is the cloud service provider known to have (publicly disclosed) malware hosted on its site or known to be a drop zone for malicious code?
- Penetration Testing: Does the vendor perform penetration testing on a regular basis?
Expediting the onboarding process
Considering that it takes an average of 17.7 days to assess the security of a cloud service, the volume of cloud service requests puts enormous strain on the IT organization. When assessing cloud services, enterprises value the trust associated with the service more than anything else. The CSA survey showed that the most common reason for rejecting a cloud service, outside of already having a comparable cloud service in place, is the lack of trust. This is followed by lack of encryption and then data loss prevention.
As cloud adoption grows, companies are looking for ways to scale the due diligence process. Enterprises are increasingly using cloud access security brokers (CASBs) to support their onboarding process. While CASBs are primarily used to secure enterprise cloud usage, they also generally maintain a detailed database of cloud services and their security controls, which can be used to significantly expedite the cloud assessment process. To make this process more efficient, companies should look for maximum breadth (number of services covered), depth (number of attributes covered) and an established process of adding new services and updating existing ones.