With the proliferation of cloud offerings in today’s marketplace, many companies are leveraging cloud-based business applications. Research shows that up to 50% of IT professionals rank security as a top reason for migrating applications to the cloud.
When considering utilizing a cloud services provider, what should you look for when evaluating vendors and their security practices? Do the security certifications really matter?
First, let’s take a look at a few of the most common cloud security certification our customers look for and what those certifications mean to you and your data:
ISO 27001 is an international standard that formally defines an Information Security Management System. When evaluating a cloud services provider, achieving ISO 27001 certification demonstrates a commitment to continually improve the security of your data and the systems that manage that data. It validates that the provider has a robust approach to maintaining the confidentiality, integrity, and availability of your data. ISO 27001 is the auditable international standard that defines the requirements to effectively manage and measure an information security management system (ISMS). One important note, when evaluating a cloud services provider on ISO 27001, there is a difference between being ‘certified’ vs being ‘compliant’. Being ISO 27001 certified means that the provider has met all of the requirements by an independent auditor. ISO compliant, however, means the provider follows the standards but haven’t been officially certified.
SSAE SOC 1 and SOC 2, which stands for Statement of Standards for Attestation Engagements 16 (a mouthful, I know) was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 2010. SSAE 16 engagements are generally performed by audit, risk, and control oriented professionals who have experience in accounting, auditing, and information security and allows an organization to have its control policies and procedures evaluated and tested by an independent party. Obtaining SSAE 16 certification provides an ability to build trust and confidence in the service delivery process for cloud providers.
FedRAMP is an assessment and authorization process used by the US Federal Government to ensure proper security is in place when accessing cloud computing products and services. Federal agencies must ensure that the cloud computing systems they use are FedRAMP certified before they can use them in production. As Mark Goldin, a CTO for Cornerstone OnDemand states, “The FedRAMP certification process is arduous, and it can take years for a vendor to achieve the “Authority to Operate" (ATO). So, if a cloud services provider is FedRAMP certified, it means their security practices and controls met a very high bar.”
DFAR 252.204-7012 is titled Safeguarding Covered Defense Information and Cyber Incident Reporting and mandates the implementation of the security requirements on defense contractor systems. Contractors are contractually obligated to implement the security requirements specified by the NIST SP 800-171. The objectives of the rule are to improve information security for DoD information stored on or transiting contractor information systems as well as in a cloud environment. The clause is flowed down to subcontractors.
Overall, obtaining security certifications provides a means for cloud providers to validate the protection of data from a comprehensive array of threats, ranging from cyber-attacks to staff negligence, from natural disasters to fraud. Having certifications help organizations use industry practices as a foundation for their data security strategy. By putting systems and processes in place, organizations can guard against the risk of information security breaches or the misuse of data and provide an industry-recognized level of security and protocols.
By ascertaining these certifications with the cloud providers you are evaluating, it allows you to expedite the security assessment process knowing they have met a standard level of security, delivery and compliance to protect your data.