Are your cloud partners secure enough? Ask for their rating!

By François Gratiolet
The future will be written in the clouds. Today, economic players and organizations are considering cloud solutions with growing interest. According to a recent study conducted by ServiceNow, more than half of respondents worldwide (52%) said they would choose the cloud, in the SaaS or PaaS service model, as the preferred platform for deploying new business applications instead of owned infrastructure.

Always more cloud

In the medium term, we can imagine that all organizations will use the cloud in one form or another. The exponential growth of processed data, the need to access huge IT resources over very limited periods of time, and the willingness of the players to achieve economies of scale and to benefit from a flexible cost structure all lead us towards ever more cloud. Nevertheless, this shift from an owned infrastructure to widely shared resources raises many issues related to cybersecurity. Cloud adoption must be based on a clear strategy for protecting data and IT systems.

Incorporating cybersecurity into your thinking

Economic actors that are considering the use of the cloud would be well advised to ask themselves what a secure cloud is. The answer to this question is not obvious, and it is subjective. The criteria to be taken into consideration are varied and depend on the business activity to be carried out. While it has never been easier to access new IT resources, the challenge today is to maintain control over these valuable assets, and to protect corporations from any data leakage, data theft, or loss of data integrity.

When it comes to cybersecurity, the guarantees offered by cloud solution providers, a highly heterogeneous group, can vary a lot. In this context, how can the business be offered the agility and flexibility it requires without compromising cybersecurity?

First, evaluate cloud service providers

Organisations are increasingly interconnected and depend on the digital resilience of their vendors. As a result, they have to handle a huge and growing number of cloud vendors, and managing those vendors’ cyber risks becomes complex.

One answer is an approval process for cloud vendors, solutions or shared service providers that addresses the cybersecurity requirements. The idea is to evaluate a set of trusted providers that can meet future needs. This list of vendors and solutions must be drawn up in line with the organisation’s cybersecurity strategy, which itself must be aligned with the business strategy.

However, assessing the cybersecurity posture of cloud vendors can be time-consuming. Distributing questionnaires, analysing answers and interviewing vendors is a heavy process. It cannot be done for a full portfolio of vendors, but only for the key ones. In addition, answers from vendors may be incomplete and not objective at all. Organisations need to be equipped with the right staff and skills in order to tell the true from the false.

To go further, organisations that have a “right to audit” clause in their business contracts, and enough budget, will mandate a third party to audit the vendors. Depending on their policy and willingness to cooperate, vendors may even refuse to take part in such a more in-depth assessment process.

The power of cybersecurity rating

Cybersecurity rating provides a clear answer to the question of what a secure cloud is. Such a rating is powered by analysts and a tech platform that automates scoring and can rate thousands of organisations efficiently. Rating makes it possible to measure and streamline the selection of the right cloud vendors according to the cybersecurity posture required by the business, and to continuously monitor their cybersecurity effectiveness. For instance, during a request for tenders, organisations can benefit from an objective and independent rating to make smarter decisions. And this is the beauty of the model: by leveraging platform-based cybersecurity rating services, organisations can get access to cloud vendors’ scores without any interaction with them, and can perform more assessments of more cloud vendors.

Continuous rating will also take into account changes in the vendor’s environment. Organisations can therefore also spot the riskiest vendors and launch their audit campaigns or more in-depth assessments according to their financial and human resources.

A virtuous circle

Tomorrow, with the emergence of a widely shared scoring system, organisations will more easily build strong partnerships based on objective and independent data, and reinforce their business resilience.

A vendor stating that it is the best, or answering questionnaires, is no longer enough. Such a vendor will have to demonstrate the effectiveness of its cybersecurity measures to protect the organisation, its systems and the data that it has to deal with. To demonstrate their professionalism, the most mature cloud vendors will display their cybersecurity ratings in order to reassure their clients or prospects and to differentiate themselves from their competitors. Such a rating certificate or attestation will objectively demonstrate the cybersecurity commitment of the cloud vendor. Beyond assessing business risks, the benefit of cybersecurity rating is to start establishing the necessary trust between the organisation and the cloud provider. In the end, the cloud provider will be considered a real business partner, and not only a vendor among a long list, and part of the vendor risk management process.

Once this is done, various departments within an organisation will be able to supply resources or adopt the cloud knowingly and efficiently, taking advantage of real economies of scale without undermining cybersecurity.