Cloud Solutions – Vendor Management to Security Management

Proper due diligence of your vendors is an important part of your information security program. When one of your vendors is also a cloud solutions provider, managing this vendor comes with additional expectations. When you “enter the cloud”, these solutions become a critical part of your information technology environment and often process and manage critical customer data. As such, you need to think about your policies for data and systems management and your business continuity plan when you determine how to manage these vendors/solutions.

To begin, you need to understand what cloud service model you are using (or planning to use) and where your responsibilities lie. There are three types of service models:

Next consider the type of deployment model: private (managed service provider data centers), community (hosted Core providers), public (AWS, Azure), and hybrid (any option combined with your own data center). FFIEC AIO Cloud Computing guidelines state: “Regardless of the environment or service model used, the entity retains overall responsibility for the safety and soundness of cloud services and the protection of sensitive customer and entity information.”

Consider what process, procedures or controls you need to establish to properly manage the various cloud environments? Specify, within your policies, your role in server management, vulnerability management, configuration, software upgrades, user management, data management, and data protection. Consider business continuity testing and overall resiliency of your cloud solutions. Assess threats, vulnerabilities, and risks as part of your risk management program. Ensure proper due diligence in your third-party assurance reviews (e.g., SOC reviews, penetration tests, and vulnerability assessments) as this can provide an understanding of the cloud service provider’s control environment and their ability to meet your control expectations. Understand their architecture well enough to know what vendors are critical in the management of information security. You may even need to review what third-party vendors that your cloud vendors use and how they are performing their own due diligence.

Do not forget you are responsible for implementing, maintaining, and reporting on the use of the controls including breaches or incidents related to the controls or the cloud computing infrastructure. All cloud service-related components should be addressed as part of your IT Committee meetings and reported to the board of directors via the annual Information Security Policy report. Cloud solutions offer many benefits but remember you have a shared responsibility for security management of your cloud solutions.

Authored by: Renee Keffer, CBISO