Is your trust in cloud services misplaced or true? Find out with a cloud trust rating

How do you know if you can trust a cloud service provider with your enterprise data? Skyhigh Networks, in conjunction with the Cloud Security Alliance, has developed a CloudTrust program that measures and evaluates more than 50 attributes that determine a trust rating.

In June 2013, David Linthicum wrote in InfoWorld, “The journey to the cloud has moved from interest and study to experimentation, and now it is moving to true production. In the next few years, we’ll see the accelerating adoption of cloud computing, though perhaps with less hype.” Linthicum asserts that this acceleration will in large part be due to the trust that enterprises are willing to place in cloud services.

But where does that trust come from? Is it simply because, as Linthicum wrote, “data has resided in the cloud for years without huge security breaches” and “businesses have figured that out”? That hardly seems like a good reason to place trust in a cloud service or application where an enterprise’s data will live.

The Cloud Security Alliance (CSA) reminds us that cloud computing does indeed carry threats that can be detrimental to enterprise data security. The CSA annually releases a report on the top threats to cloud computing. Some of the potential threats the CSA cited in its 2013 report include denial of service, account or service traffic hijacking, and abuse of cloud services.

It is in this atmosphere of confusion that Skyhigh Networks has put forth a new program aimed at giving enterprises confidence that their chosen cloud service providers have implemented a rigorous set of security measures meant to minimize risk to the enterprises. The Skyhigh CloudTrust Program provides an objective and comprehensive evaluation of a cloud service’s security controls and enterprise readiness based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance.

Skyhigh’s CloudTrust ratings for each cloud service are derived from more than 50 attributes across five categories:

1. Data attributes – For example, encryption of data in transit, encryption of data at rest, data multi-tenancy.

2. User and Device attributes – For example, multi-factor authentication, use of enterprise identity, device pinning.

3. Service attributes – For example, Web app security, penetration testing, known service compromise history, IP filtering support.

4. Business attributes – For example, compliance certifications, user activity logging, admin audit logging, data access logging, service hosting locations.

5. Legal attributes – For example, jurisdictional locations, dispute resolution, account termination conditions, terms of use, privacy policy.

Cloud services that attain the highest level of Skyhigh CloudTrust ratings earn the Skyhigh Enterprise-Ready designation, and a number of service providers have already earned that mark, including: Adobe EchoSign, Appcelerator, BambooHR, Birst, Box, Cisco WebEx, CollabNet, DocuSign, Gainsight, Host Analytics, HubSpot, Informatica, Jive Software, Lattice Engines, Marketo, Okta, Ping Identity, RingCentral, Salesforce, Workday, Yesware and Zuora.

There is no cost for qualified cloud service providers to participate in the program. Rather, the program is an objective measure of security and risk. The CloudTrust and Enterprise-Ready ratings are developed and continuously updated by Skyhigh’s Service Intelligence Team, a group of data scientists who use both automated processes and manual research to evaluate third-party services.

Why is this important to enterprise cloud users? For one thing, if they are to enable the safe and productive adoption of cloud services across the organization, they need visibility into the risks of using specific services. Also, many enterprises are increasingly conducting their own third-party risk assessments in order to fulfill requirements mandated by regulations such as HIPAA, Sarbanes-Oxley, GLBA and PCI DSS. A private risk assessment of a cloud service provider can take months and cost tens of thousands of dollars. Like a SOC 1 report, a Skyhigh CloudTrust rating is one more objective evaluation that can reduce the need for an expensive and time-consuming risk assessment.

Organizations can request Skyhigh CloudTrust ratings for their preferred cloud services at no cost here. Skyhigh will email the results to the requestor.

Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
