The way business is run has changed rapidly in recent years, with instant and location-independent access to key resources becoming increasingly important. Migrating applications to the cloud is one of the most effective ways to meet this need. Companies can use the cloud to pursue mobile work strategies that enable employees to work at full capacity regardless of their location, while improving flexibility and cost efficiency by reducing infrastructure overhead.

With a large and growing market of cloud providers available for virtually any task, most companies have adopted a multi-cloud approach. According to Gartner, around 81 percent of companies that use a public cloud infrastructure use at least two different providers.

A multi-cloud approach can offer a company great flexibility, since new resources can be added or reduced depending on the situation. However, as with all technological innovations, moving to the cloud presents a number of challenges, many of which multiply with the number of providers used.

A new layer of complexity is added when it comes to locating and securing data that is distributed across multiple environments. Compliance with data protection and security regulations also becomes more complicated, as companies have to account for data stored with different providers, possibly in locations around the world.

Companies using a multi-cloud approach must ensure that their strategy and the selected providers are aligned with their risk profile, and must take the time to carry out the necessary assessment, planning and communication in order to maximize the benefits and minimize the potential risks.

Review cloud-based third-party providers

In order to do business in the cloud, a high level of trust must be placed in the third-party providers that host the service. Entrusting confidential data to a poorly secured cloud host is an open invitation to a data breach. That means businesses need to do a thorough review of all the cloud providers they work with.

However, this essential duty of care is often not carried out effectively. There are several reasons for this. A common one is a lack of resources on the security team. The Netskope Cloud Security Report 2019 found that a shortage of qualified personnel is one of the biggest challenges for security operations centers. The report also found that approximately half of cybersecurity experts see cloud security as one of the most valuable areas for ongoing education and training.

It is also common for security officers to be left in the dark when new cloud providers are added. Third parties introduced through departmental channels, for example, can be added to the environment while bypassing normal verification processes. Companies may not even consider large cloud infrastructure providers such as Microsoft Azure, AWS or the Google Cloud Platform to be third parties, which is why they are not checked with the same care.

Regardless of how a cloud service was introduced into the company, every new provider must be subjected to the same standard checks to confirm that adequate security measures are in place.

Companies that already have a third-party or supplier risk management process can use it as a solid starting point. Whatever the peculiarities of the cloud, the basics of third-party risk management still apply and go a long way toward an effective review of cloud providers.

Focus on security

The most important aspect to focus on when evaluating a third-party cloud provider is how it interacts with your data and what the associated risks are. Will the provider process sensitive payment card data, personally identifiable information (PII), intellectual property or other business-critical assets? Do specific compliance regimes such as the GDPR, the CCPA or PCI DSS apply to this data?

After this assessment, the company should be able to judge whether the provider has the security measures in place to keep these assets safe and to comply with the applicable regulations. If the cloud provider meets the company's security requirements and falls within its risk appetite, the engagement can proceed.

It is also important to carry this risk assessment into the contract phase. Specific terms and contract details can be negotiated to reduce risk and to ensure that the cloud provider cannot disclaim its responsibilities.

Regardless of how thorough the review and contract drafting are, companies should always assume that they ultimately bear all risk and responsibility for their data. Every major provider's shared responsibility model makes the same point: the provider secures the underlying infrastructure, while the customer remains responsible for its data, identities and configuration. The owner of the data is always the one who suffers the fines, reputational damage and loss of customers.

This point has become particularly important as more privacy and security regulations have come into force. Both the GDPR and the CCPA make clear that an organization remains accountable for breaches of the data it holds, regardless of any third-party involvement.

Today there are cloud-based solutions for almost every business task, including cybersecurity. In addition to choosing third-party cloud providers, companies are also faced with the choice between using cloud-native tools to secure their cloud environment and sticking with non-native options. Both approaches have their own advantages and disadvantages, and the decision can have a long-term impact on how the company approaches cloud security as it continues to grow and develop its cloud strategy.

One of the top priorities should be to reduce complexity, especially in multi-cloud environments. Cloud-native tools are often tied to a particular cloud platform and may not be easy to adapt to others. Non-native security solutions that can be configured to cover several clouds at once can be beneficial in a multi-cloud environment, saving cost and time. Even if an organization currently uses only a single cloud, there is a good chance that this will change. It is therefore important to look ahead and choose a solution that can handle multiple clouds in the future.

Conversely, cloud-native tools can also reduce complexity for the security team, since much of the team's work and tooling then stays within the cloud environment itself. This approach reduces the need for the security team to learn new tools, because native tools add no additional platforms and are designed to work seamlessly with their own cloud environment.

Choosing the right third-party cloud providers and the tools to secure those environments is not an easy decision. Every addition to the environment should go through a careful and deliberate review process that takes into account the organization's internal risk tolerance, the potential impact of a security incident, and the short-term and long-term effects on the organization's operations. These decisions will have a major impact on the company's digital transformation. Focusing on cyber resilience will help ensure that the company can grow and evolve freely, multi-cloud approach included, without taking on unnecessary risk.

Mattias Deny, VP Managed Security Services EMEA, Trustwave

