Key questions to ask your service provider about security

Back in March, IT services provider Avanade Inc. conducted a global study of 573 business leaders, asking them about their primary IT focus areas for the next 12 months. It comes as no surprise that cloud computing, security and IT consolidation topped the charts. While 60% of the companies surveyed said cloud computing is a top IT priority for the next year, 75% of the C-level executives in those companies place it at the top of the priority list.

Security ranks high, too, as it can never be separated from any computing architecture or solution. This week, we look at a few considerations for security in a cloud environment.


Many organizations that are exploring or already using public cloud-based services are rightfully concerned about the risks associated with placing their data into someone else's hands. Among the many questions that keep a CIO up at night: Is my data safe? Will my data cross country borders? What if my chosen vendor goes out of business? Will my company be in compliance with regulations that govern our business?

Security has always been central to IT and has evolved as technology extended from the LAN to the WAN to the Web and now to the cloud. One constant has been the need for tight control over access, authentication, auditing, administration and secure code development.

Security for cloud-based application services cannot be an afterthought; it must be built into the SaaS provider's Web-based applications -- from planning and design through launch and ongoing maintenance. The same is true for the controls over the IT infrastructure that hosts the SaaS services.

A service provider's regard for security can be a market differentiator as well as a deal maker or breaker. Many customers will make their service provider selection decision on the basis of a provider's security posture, in addition to how well the service maps to business needs.

Companies with a strong risk management and compliance posture that are exploring SaaS services will want to examine a provider's security competencies to assure these capabilities meet or exceed their specific business risk requirements. Key considerations would be how the company might be harmed if:

• Its data is breached or otherwise accessed by an unauthorized person;

• A process or function was manipulated by an outsider;

• A process or function failed to provide expected results;

• Its information or data were unexpectedly changed;

• The subscribed service and the company's data were unavailable for a period of time.

To answer these and other questions, organizations shopping for a SaaS solution should perform a due diligence/risk assessment review of a provider's information security governance, risk management and compliance structures and its processes and procedures to determine:

• How the provider's facility and services are assessed for risk and audited for control weaknesses, including the frequency of assessments, and how control weaknesses are mitigated in a timely manner.

• What the provider considers to be critical service and information security success factors and key performance indicators (KPIs), and how the provider measures its IT service and information security management performance against those KPIs.

• What the provider's processes are to capture, assess and communicate its legal, regulatory, industry and contractual requirements.

• Whether the provider's application design and development processes include security risk analysis, for example by testing against the Open Web Application Security Project (OWASP) Top 10 list of the most common Web application security risks. (The Top 10 is a baseline of risk categories, not an exhaustive list of vulnerabilities.)

• Whether the provider has a current SAS 70 Type II audit report (note: SAS 70 is a U.S. auditing standard for reporting on a service organization's controls, primarily those relevant to financial reporting, rather than a security certification as such, and it is relevant mainly in the United States; it is being superseded by SSAE 16, and for security controls specifically a SOC 2 report is the more directly applicable one).

• Whether the provider is currently ISO 27001 compliant or certified, and if not, whether the provider's IT environment is aligned with this framework.

Before signing any SaaS contract, you must be assured that company information and data will be protected to the highest reasonable standards, and that the business will not be adversely affected by application unavailability.

By asking the service provider probing questions pertaining to the topics outlined above, you can garner a holistic view of how well this service provider will meet your company's security needs. Key attestations and controls to look for include a SAS 70 Type II audit report and/or ISO 27001 compliance or certification, and a range of security controls covering applications, communications and connectivity, data security and privacy, operations and management, and regulatory compliance.

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at


About Essential Solutions Corp: Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2011 IDG Communications, Inc.
