Although managing on-premises servers may be costly and time-consuming, businesses at least have some control when it comes to patching say, a newly discovered exploit...
How To Identify a Trusted Cloud Provider: The Essential Security Certifications and Practices You Should Look For Although managing on-premises servers may be costly and time-consuming, businesses at least have some control when it comes to patching say, a newly discovered exploit or stopping a zero-day attack. Not so with the cloud. Cloud-based estates are at the mercy of cloud service providers to apply relevant patches and maintain the security of the infrastructure that they’re using.
That’s why it’s so important for organizations to ensure they’re partnering with trusted cloud providers, who can be relied upon to maintain an appropriate level of safeguarding and discipline when it comes to their security. And one of the most important ways they can establish the trustworthiness of a vendor is by seeking out those who have obtained relevant certifications.
SOC 1 and 2: Ever Popular and Important
There are several key accreditations that IT vendors and service providers can attain in order to demonstrate their competency in various areas, such as data privacy or information security.
One of the most frequently requested certifications by customers when delivering due diligence are SOC 1 and SOC 2 Type 2 standards established by the American Institute of CPAs (AICPA).
SOC 1 helps organizations examine and report on their internal controls relevant to their customer's financial statements. At the same time, SOC 2 focuses on controls relevant to the security, availability, processing, integrity, confidentiality, and privacy of customer's data. Cato is annually audited by a 3d party to ensure procedures and practices are followed and never neglected.
[boxlink link="https://www.catonetworks.com/resources/casb-demo/?utm_medium=blog_top_cta&utm_campaign=cato_demo_controlling_cloud"] Controlling Cloud Usage IT with Cato CASB | Cato Demo [/boxlink]
The ISO Family Is Well Known for Good Reason
The ISO27000 family of certifications is among the most popular and well-known. These certifications are independently verified and internationally recognised and are often regularly updated to reflect current best practices. When comparing cloud providers, IT leaders should look for those that adhere to a variety of well-known industry standards relevant to their business globally. Another recommendation is to focus not only on general security certifications, but also on cloud security and privacy protection as they become a prerequisite for doing business.
Cato Networks, for example, holds many certifications within this family, such as ISO27001, which sets out the specification for an information security management system (ISMS). This includes policies, goals and objectives, statement of applicability (SOA), roles and responsibilities (R&R), risk assessment, and treatment methods. This is one of the most well-known and requested certifications internationally, creating a “security first” approach in the organizational culture.
Achieving ISO27001 certification is often the first step on a vendor’s journey and is a prerequisite for earning further related accreditations. ISO27017 – also held by Cato – is one of the security standard’s extensions for cloud service providers, and addresses access control, cryptography, physical and environmental security, information lifecycle management, and other controls in the cloud. ISO27017 can help win new business as many organizations now worry about cloud security and want to ensure their assets are protected wherever they are stored or processed.
ISO27701 and ISO27018, meanwhile, are data privacy extensions that demonstrate that Cato has met the guidelines for implementing measures to protect Personally Identifiable Information (PII). ISO27701 focuses on establishing, implementing, and maintaining privacy information management system (PIMS), managing privacy risks related to PII, and helps to comply with GDPR and other data protection regulations. ISO27018 focuses on PII protection in the cloud and offers guidance on implementing privacy by design.
In order to achieve ISO27701 and ISO27018 extensions, organizations like Cato must follow the most comprehensive data controls delivered by an internationally recognized standard, which makes it easier for Cato and its solutions to provide assurances about their security and data protection practices. Cloud vendors should be constantly updating and adding to the library of certifications that they’ve achieved in order to demonstrate a deepening of their skills, and a continued commitment to their customers’ safety.
These certifications – as well as the many others held by reputable cloud providers such as Cato – are useful in proving a firm commitment to high standards of security and privacy. They can also play a valuable role in ensuring compliance with key regulatory frameworks, including the European GDPR, and the California Consumer Privacy Act – which is vital for supporting clients who are bound by these laws.
What to Consider Beyond Certifications
Certifications only tell part of the security story, however. In addition to accreditations, the actions of a company – as well as its attitudes and approaches to compliance - can also indicate whether a provider is serious about security. Along with recognizing the need for certification, and the important role that compliance plays in the business, organizations must continually evolve in their implementation, maintenance, and monitoring of compliance issues. This is why Cato is constantly investing in new capabilities, tools, and approaches which are needed to demonstrate accurate, deep, and real-time compliance with the security and privacy standards it adheres to.
For instance, while more traditional development life cycles places security and compliance testing as one of the final stages a solution would go through prior to deployment, Cato follows the ‘Shift Left’ approach. This concept, first popularised within the DevOps community, involves injecting processes such as testing and security into an earlier phase of project development, in order to identify potential problems more quickly and easily.
Another tactic borrowed from the world of DevOps is the adoption of data-driven decision-making. Instead of relying on data reflecting a specific point in time to conduct compliance audits, real-time data from live systems now allows for continuous monitoring and comparison with security standard. This provides a much more in-depth picture of compliance posture, as opposed to the high-level gaps revealed by more static methodologies.
In-depth, accurate data is also used much more heavily in risk models, which are now created using quantitative rather than qualitative analysis. This gives much better visibility of genuine risk factors and their potential impact, without relying on subjective perceptions. This reflects the broader change in attitudes towards compliance across the industry; where previously compliance tasks would have been handled by technical personnel and consultants, organizations will now often have entire teams dedicated to compliance, including representatives from GRC departments and the DPO’s office, which maintain ownership of related issues on a continuous basis.
Certifications are Essential for Building a Trusted Relationship
The relationship between a cloud service provider and their customer depends on trust. Ensuring that the right certifications are in place to demonstrate an ability to support the full range of client needs is an essential part of building and maintaining that trust. A robust certification and compliance posture is more than ever an essential part of security - and it can also create opportunities and win business worldwide if well managed and updated.
As businesses grow, they should take pains to ensure that their cloud provider – and the maturity of their certifications – is growing along with them. The commitment and expertise that these accreditations signify are invaluable for organizations as they scale and bespeak a partner that’s willing to go the distance. Remember: security is a marathon, not a sprint.