What does a suburban roofing company have in common with a cloud supplier? The answer can be found in the passage of time. This conversation occurred with Sean Heide, research technical director at the Cloud Security Alliance, Chris Holland, VP of cloud services at Thales, and me, Steve Prentice, host of the Security Sessions Podcast. We discussed that one of the lessons that homeowners need to learn early on when they see those plastic signs advertising roofing work “guaranteed for twenty years” is that such a guarantee is meaningless if the roofing company has no intention of being in business that long. When it comes to roofing, as with many other sectors of our economy, there are many fly-by-night operations that sell something that they have no intention of supporting. But inexperienced consumers remain blind to such subterfuge, seduced instead by a false sense of security regarding the long-term safety of the roof over their heads.
This cautionary tale is a good thing to bear in mind when it comes to choosing partners and vendors in cloud technology. It’s not that these vendors are being intentionally fraudulent when offering their services to companies. Not at all. But it’s the time issue we need to be concerned with. Setting up a relationship with a cloud vendor is a multi-year commitment, and much will happen in the span of those years. Companies get acquired, or they might acquire other companies. The cloud vendor that they contract with might divest itself of some of its assets, or it, too, might change hands. Technology also changes quickly, and legacy issues such as unpatched vulnerabilities buried deep inside networks are something all too common.
Data boundaries are moving
Add to this the changes in regulations between countries – what was once acceptable in terms of data in transit or at rest no longer is, and this becomes something of a nightmare when the organization in charge of your data isn’t exactly sure where it is resting. As Chris Holland says, “If you look at the last few years, the various laws around the world have talked about who has the data, who processes the data, and what rights users have for that data. And now we’re seeing, in addition to the complexity that’s already in place, concerns about which country that data actually exists in because different countries have different laws and different jurisdictions. It’s yet another layer of complexity for organizations to manage, and it can be particularly challenging for large organizations who have customers and/or employees around the world.”
Sean Heide, research technical director at the Cloud Security Alliance, points out that the challenges aren’t simply there when an organization is shopping around for a vendor; they also exist once the relationship is established, at which point terminating or exiting it is next to impossible. “It’s not just about onboarding new vendors,” he says. “Large companies have established relationships with existing SaaS companies…and they can’t afford to break them just because they’re not compliant. They need to find a way to make them compliant.”
Dig into the granular detail
So, as time goes by, a company’s data assets, like the tiles on a roof, don’t simply sit there undisturbed for years. There are forces acting upon them that must be understood. This means keeping the relationship between a company and its cloud provider front and center. “It’s having the ability to know what questions to ask and having that guidance and trust in the vendor that they will respond accordingly,” says Heide. “This is aside from things like SOC reports – it means digging deeper, looking at the architecture, and at what data is crossing borders, how internet connections are talking to one another. It means compiling all this knowledge and putting it together to draw a more granular conclusion.”
Although this appears to be an additional burden for organizations that have entrusted their data to their cloud services provider, it is vital that it be given top priority and appropriate scrutiny. Often, when questions are asked about location and colocation (where the data actually lives), the client company might find out that the vendor uses other cloud service providers to host the data for them. This means needing to learn about and understand these “vendor of my vendor” arrangements in terms of data movements, identity and access management, and compliance with local laws and regulations, which may differ from what was expected or even agreed upon.