What to Consider When Choosing Managed Cloud Security Services
Cloud platforms make it easier for businesses to leverage complex technologies. Instead of buying, configuring, and managing a physical server, you deploy an instance of a server in the cloud. Instead of licensing, installing, and updating enterprise software, you deploy software for the time and purpose that you need through your provider. Cloud platforms provide many technical intricacies through a user interface, but sometimes how and what you should configure securely is not obvious. You may not be responsible for physical servers and networks, but you are responsible for the security configuration and privacy of business and customer data in the cloud.
That’s why it’s vital your company chooses the right cloud security provider or managed cloud security service to support you in your objectives. In this article, we will explore what a cloud security provider is and help you choose the right provider for your business. We’ll also take a look at some of the limitations of cloud security providers and what they can’t do.
What is a Cloud Security Provider?
Cloud security providers offer services that help businesses to use cloud environments securely. Companies in this space range from managed security service providers (MSSPs) who offer outsourced cloud monitoring and management to SaaS and cloud software vendors with products that help businesses to avoid common cloud security issues. Cloud security software typically leverages platform APIs, adding enhanced security functionality that is not available on the platform itself.
Among the services a cloud security provider may offer are:
- Security hardening, including configuration analysis to identify and mitigate vulnerable security and privacy configurations.
- Log analysis to identify security events and threats.
- Exploit prevention through patching or firewall configuration.
- Network intrusion and threat detection.
- Malware scanning and ransomware protection.
Cloud security providers typically have expertise in a specific cloud platform, although some offer solutions targeting multiple cloud platforms or hybrid clouds with cloud and on-premises infrastructure.
Does Your Business Need a Cloud Security Service?
Cloud platforms, including Amazon Web Services (AWS), operate a shared responsibility model for security. The vendor takes care of some aspects of security, leaving others to the customer. Where exactly the line is drawn depends on the service: IaaS leaves more to the user than SaaS, but the user always retains some responsibility.
For example, AWS provides secure data storage, but if the user uploads unencrypted data to an S3 bucket with misconfigured access permissions, the platform will do nothing to stop them.
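As an added example that is not part of the original article, the following Python checks the S3 misconfiguration just described against two constructed bucket settings (hypothetical bucket names and account id): it flags a bucket policy open to any principal, a public access block that is not fully enabled, and a missing default encryption setting, the kind of configuration review a provider's "security hardening" service would run.

```python
# Constructed sample bucket settings (hypothetical names and account id, not
# real buckets): the misconfigured case from the article and a corrected one.
WEAK_BUCKET = {
    "name": "example-customer-data-weak",
    "public_access_block": {"BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-data-weak/*"}]},
    "default_encryption": None,  # no SSE-S3 / SSE-KMS default configured
}
HARDENED_BUCKET = {
    "name": "example-customer-data",
    "public_access_block": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-data/*"}]},
    "default_encryption": "aws:kms",
}

def _is_public_principal(principal):
    """True when a statement's Principal is the wildcard, in either JSON form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def policy_grants_public_access(policy):
    """Flag Allow statements open to anyone and not narrowed by a Condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    return any(s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))
               and not s.get("Condition") for s in statements)

def assess_bucket(bucket):
    """Return the findings a configuration review would raise for one bucket."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    if not (pab.get("BlockPublicPolicy") and pab.get("RestrictPublicBuckets")):
        findings.append("public access block not fully enabled")
    if policy_grants_public_access(bucket.get("policy") or {}):
        findings.append("bucket policy grants access to any principal")
    if not bucket.get("default_encryption"):
        findings.append("no default server-side encryption configured")
    return findings
```

`assess_bucket(WEAK_BUCKET)` returns all three findings, while `assess_bucket(HARDENED_BUCKET)` returns an empty list.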
That’s where cloud security providers come in. Cloud security providers help cloud users with their share of the cloud security and privacy burden. They offer services that enable businesses to avoid the type of mistake just described. However, the ultimate responsibility for information security and privacy always rests with your company. If private customer data leaks or your business fails to comply with HIPAA or PCI DSS, you will suffer the consequences, not the cloud security provider.
5 Questions to Ask Cloud Security Service Providers
Businesses should assess cloud security providers before engaging them, but information asymmetry can make this difficult. You may need help precisely because your organization lacks internal cloud security expertise. But without that expertise, how can you adequately assess the services on offer? A vendor compliance assessment can help, and in the initial stages of vendor research, asking the following questions will give you an idea of a prospective vendor’s capabilities. Ultimately, communication and clear expectations are key.
Is Cloud Security Your Core Competency?
Many MSSPs and cloud outsourcing service providers offer security-related services. However, “cloud security” is a broad area. A service provider may advertise their ability to make your cloud environment more secure. But their security efforts may be limited to deploying an off-the-shelf monitoring solution that will bombard your internal team with alerts. Also, the default services may not be as comprehensive as you need. For example, they may monitor Windows systems but not Linux.
That may be all you’re looking for, but an expert cloud security provider can go much further. They will employ a technical team with expertise in IT and cloud security. Their technicians will have hands-on experience with real-world cloud environments and understand how to mitigate potential security issues. Just as important, they will understand the regulatory environment your company operates in and how to leverage cloud technologies to maintain compliance.
Before engaging a cloud security vendor, ask about their experience, qualifications, certifications, and tools.
What Will You Do to Keep Our Data Secure?
This question elicits information about the vendor’s products and processes. As we said earlier, businesses need to know what cloud vendors mean by “cloud security.” You may want to ask the following questions:
- Will you assess our cloud environment’s configuration for mistakes that may cause security vulnerabilities?
- Will you monitor our environment for potential intrusions and malware?
- When you find a problem, will you help mitigate the risk, and what form will that help take?
- Do your services include asset discovery, threat intelligence, and behavioral monitoring?
- How do you document actions taken and assigned tasks?
If possible, you should have a clear idea of your cloud security issues before beginning the vendor selection process. If you know what you are trying to achieve, you can ask focused questions about how the vendor can help you meet those objectives. Businesses lacking internal cloud security expertise should consider hiring an independent third party to assess cloud security risks and develop a mitigation plan.
Does Your Infrastructure Comply with Information Security Standards?
Consider the following scenario. A company contracts with a cloud security provider to reduce risk and ensure sensitive data storage and processing complies with information security and privacy standards. The company gives the provider access to its cloud environment. Later, the provider’s network is hacked, and bad actors gain access to the data the company hired the vendor to protect.
This is not an unusual outcome, so it’s essential to verify prospective cloud security vendors follow best practices for their own infrastructure and software. Third-party security audits are helpful here. Ask prospective vendors to demonstrate they are compliant with relevant industry standards, such as SOC 2 and ISO 27001. Also, be sure to inspect their penetration testing results.
Do You Understand the Security and Privacy Concerns of My Industry?
Ensure that cloud security vendors understand your industry’s legal and regulatory requirements. The specifics vary, and a vendor focused on general cloud security concerns may not have the experience or expertise to help you comply with HIPAA, PCI DSS, FISMA, and other standards.
Do You Offer Security Awareness Training?
Cloud security concerns more than just technology. Many data breaches result from human error and inadequate awareness of security risks. Security awareness training tailored to your company’s security and compliance needs can reduce security risk while improving compliance.
The Limitations of Cloud Security Providers
A cloud security provider or managed security service provider can reduce security risks, but they can’t objectively verify that your cloud environment is secure or compliant. The optimal approach combines cloud security best practices with cloud security assessments and audits by a qualified independent auditor with cloud and information security expertise.
KirkpatrickPrice is a licensed CPA firm specializing in information security compliance. Contact a cloud security expert to learn how we can help your business improve cloud security and comply with relevant regulations and industry standards.