Key questions to ask your service provider about security
Posted on June 27th, 2011 by Bethany McGrath | Tags: Provider, Provider Security
Back in March, IT services provider Avanade Inc. conducted a global study of 573 business leaders, asking them about their primary IT focus areas for the next 12 months. It comes as no surprise that cloud computing, security and IT consolidation topped the charts. While 60% of the companies surveyed said cloud computing is a top IT priority for the next year, 75% of the C-level executives in those companies place it at the top of the priority list.
Security ranks high, too, as it can never be separated from any computing architecture or solution. This week, we look at a few considerations for security in a cloud environment.
Many organizations that are exploring or already using public cloud-based services are rightfully concerned about the risks associated with placing their data into someone else’s hands. Among the many questions that keep a CIO up at night: Is my data safe? Will my data cross country borders? What if my chosen vendor goes out of business? Will my company be in compliance with regulations that govern our business?
Security has always been central to IT and has evolved as technology extended from the LAN to the WAN to the Web and now to the cloud. One constant has been the need for tight control over access, authentication, auditing, administration and secure code development.
Security for cloud-based application services cannot be an afterthought; it must be built into the SaaS provider’s Web-based applications — from planning and design through launch and ongoing maintenance. The same is true for the controls over the IT infrastructure that hosts the SaaS services.
A service provider’s regard for security can be a market differentiator as well as a deal maker or breaker. Many customers will make their service provider selection decision on the basis of a provider’s security posture, in addition to how well the service maps to business needs.
Companies with a strong risk management and compliance posture that are exploring SaaS services will want to examine a provider’s security competencies to ensure these capabilities meet or exceed their specific business risk requirements. Key considerations would be how the company might be harmed if:
• Its data is breached or otherwise accessed by an unauthorized person;
• A process or function is manipulated by an outsider;
• A process or function fails to provide expected results;
• Its information or data is unexpectedly changed;
• The subscribed service and the company’s data are unavailable for a period of time.
To answer these and other questions, organizations shopping for a SaaS solution should perform a due diligence/risk assessment review of a provider’s information security governance, risk management and compliance structures and its processes and procedures to determine:
• How the provider’s facility and services are assessed for risk and audited for control weaknesses, including the frequency of assessments, and how control weaknesses are mitigated in a timely manner.