Migrating data processing from in-house to a cloud provider has many considerations: one-time migration costs, total cost of ownership over time, new change control procedures, response time impact, and more. One of the most important considerations is assessing the cloud provider’s ability to protect the privacy of any sensitive or regulated data. Assessing the quality of security practices of the in-house infrastructure, where full transparency is a given, is hard enough (just ask Greg Steinhafel or Beth Jacob, both previously executives at Target). Reaching similar levels of confidence in a third party is at least as hard, and requires different approaches.
The best first step retains an internal focus – documenting the data protection controls you have in place or planned as those necessary for your business. A control is a statement of a process meant to result in an outcome aligned with an organization’s business plan. A control objective is a metric for assessing the effectiveness of the control. For example, a control might be “encrypt all primary account numbers (PANs) upon receipt” with an objective of less than 0.01% exposure of clear-text PANs per year.
You must establish a baseline of data protection practices you see as necessary for both passing your next internal or external audit and, more importantly, ensuring that your data and your customers’ data is soundly protected. Without this foundation, you are handicapped in any effort to assess a cloud provider’s data privacy protection practices.
Once this list is in hand, you should next ask the prospective cloud provider for a copy of a Statement of Standards for Attestation Engagements No. 16 (SSAE 16) audit report. SSAE 16, the official successor to the Statement on Auditing Standards No. 70 (SAS 70) that some may recall, is guidance to service auditors for assessing the internal controls in place at an organization providing services as a third party. If the provider does not have a recent audit report (no more than 15 months old, with 12 months or less preferred) or will not provide an unredacted copy of the most recent audit, this alone can be justification to continue your search for a better alternative.
If a copy of the audit report is provided, next assess what type of report it is. A Type 1 audit is simply an assessment of the controls stated to be in place by the service provider, and the auditor’s analysis of the potential effectiveness of those controls in achieving the control objectives. A Type 2 audit includes all of the activities in Type 1, plus assessment of the consistency of the controls’ implementation and effectiveness over time. A Type 2 audit is both more conclusive in its analysis and much more expensive for a service provider to obtain.
After determining which type of audit report is provided, compare the controls listed in the report to those you previously determined as necessary for your business. This may require some interpretation of both your internal list and the list from the audit report, reconciliation of terms or conventions, and discussion with operations personnel at the cloud provider to ensure understanding. From that, a gap report should be compiled, the controls in that list of gaps prioritized, and any critical items reviewed with the cloud provider.
The cloud provider should provide a clear statement of which gaps they will commit to close (if any), which control(s) they plan to put in place to address each gap, and a deadline by which the new control(s) will be in place. This work to close the gaps should be closely monitored, and the presence of the new controls confirmed in any subsequent SSAE 16 audit reports.
If one or more gaps remain, their importance to the success of your business plan must be estimated, and that judgment used to inform negotiations with the cloud provider. If it is determined that the cloud provider can be contracted even with the existing gap(s), then work should be completed to devise and implement appropriate compensating controls for critical gaps on your side of the relationship (i.e., encrypt all regulated data before transmitting it to the cloud provider, ensure it remains encrypted in transit, at rest, and in use, and ensure decryption keys are never passed into the cloud provider’s control).
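The steps above (check the report’s age, compare its controls to your baseline, prioritize the gaps, and decide which critical gaps are covered by compensating controls on your side) can be captured as a small script. This is an added example, not code from the post; the control identifiers, criticality values and sample report are constructed assumptions, not real SSAE 16 content.

```python
from dataclasses import dataclass
from datetime import date

# Constructed baseline: control identifier -> criticality (1 = highest).
REQUIRED_CONTROLS = {
    "encrypt-pan-at-rest": 1,
    "encrypt-in-transit": 1,
    "customer-held-keys": 1,
    "quarterly-access-review": 2,
    "change-control-board": 3,
}

@dataclass
class AuditReport:
    report_type: int   # 1 = control design only, 2 = design plus effectiveness over time
    period_end: date   # end of the audited period
    controls: set      # control identifiers the report covers (assumed, simplified)

def report_age_months(report: AuditReport, today: date) -> int:
    return (today.year - report.period_end.year) * 12 + today.month - report.period_end.month

def is_acceptable_report(report: AuditReport, today: date, max_age_months: int = 15) -> bool:
    # The post's rule: a report older than 15 months is grounds to look elsewhere.
    return report_age_months(report, today) <= max_age_months

def gap_report(report: AuditReport) -> list:
    # Baseline controls the audit report does not cover, most critical first.
    gaps = [(c, prio) for c, prio in REQUIRED_CONTROLS.items() if c not in report.controls]
    return sorted(gaps, key=lambda g: (g[1], g[0]))

def uncovered_critical_gaps(report: AuditReport, compensating: dict) -> list:
    # Criticality-1 gaps with no compensating control on our side remain blockers.
    return [c for c, prio in gap_report(report) if prio == 1 and c not in compensating]

# Constructed sample: a Type 2 report, four months old, missing two baseline controls.
TODAY = date(2014, 10, 28)
SAMPLE_REPORT = AuditReport(
    report_type=2,
    period_end=date(2014, 6, 30),
    controls={"encrypt-pan-at-rest", "encrypt-in-transit", "change-control-board"},
)
# Our compensating control for the key-custody gap: keys never leave our side.
COMPENSATING = {"customer-held-keys": "client-side encryption, keys held in our HSM"}

if __name__ == "__main__":
    print("acceptable age:", is_acceptable_report(SAMPLE_REPORT, TODAY))
    print("gaps:", gap_report(SAMPLE_REPORT))
    print("blocking gaps:", uncovered_critical_gaps(SAMPLE_REPORT, COMPENSATING))
```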
Following these steps gives you the best opportunity to assess the data security practices of the cloud providers you are considering, and to estimate how any gaps between their practices and yours weigh into the calculation of long-term total cost of ownership.
You may also find a prior entry in this blog, discussing my Three Laws of Data in the Cloud, useful reading.
Keith Bucher, Sr. Software Engineer at Prime Factors, will join me on Tuesday, October 28, at 1 PM, to discuss a particular strategy for increasing the protection of data privacy in the cloud, and ensuring that cloud provider staff members never have access to sensitive or regulated data.