
OP-ED: How choosing cloud servers is like arranged marriages

It comes down to trust

Update : 15 Nov 2020, 02:37 AM

Have you ever had to make a critical decision rationalized by clear advantages but heavily reliant on trust? If so, how important was the role of external validation in the process? An example of a trust-based decision in our culture is the arranged marriage -- a long-standing tradition that has seen success and failure over the centuries.

Though not as critical a decision as marriage, most organizations today face a similar trust-based dilemma -- which cloud service provider to trust with their data? There is no debate over the rationale for cloud computing -- performance, cost, and scalability, to name a few. However, the lack of control and oversight can make organizations hesitant to hand over their most valuable asset -- information -- to a third party.

With any trust-based decision, external validation can play an important role. For example, we trust restaurants with certain health and hygiene certificates more than those without, given our inability to go into their kitchens and watch first-hand how they are making our food. Arranged marriages rely on positive feedback and references, mostly attested by the matchmaker. 

They also rely on supporting evidence such as corroboration from relatives and more tangible factors such as the education and career history of the potential bride or groom. With the internet and social media, it has become easier to cross-check some of the information provided, but positive feedback from people we trust nonetheless continues to play a key role in the process. In the case of cloud service providers, independent validation such as certifications, attestations or other information protection audits can make or break a deal.

The notion of cloud computing may have existed as far back as the 1960s but cloud services took the form we know of today with the launch of services from big players such as Amazon, Google, and Microsoft in 2006-2007. Companies had to place “performance” on one end of the scale and “security and compliance” on the other end, having to constantly strike a balance. 

This challenge is being addressed by the major providers in the market today through means and tools that verify compliance with the most demanded regulations and standards, be they industrial or legal (e.g. PCI-DSS, ISO 27001, NIST, GDPR, HIPAA). Despite these provisions, numerous organizations and industries are still hesitant to adopt outsourced cloud services without assurance over information protection. Moreover, data localization requirements enforced by regulation on certain types of data in some countries (e.g. financial data in Luxembourg, public records in the Netherlands) can further narrow an organization’s options for cloud hosting.

We are often asked how external validations in the form of information protection audit reports foster the right level of trust. Here are our three top determinants: 

Reputation of the auditor

The reputation of the auditor certifying or issuing audit reports on the cloud service provider’s information protection controls is of paramount importance when it comes to fostering trust. Assurance, like randomness or anonymization, cannot realistically be achieved in its true, full form, but one can gain reasonable assurance over the controls when a credible audit firm tests and subsequently validates them. Hence it is important to choose auditors with a good track record and reputation, as that strengthens the trust of clients, just like a matchmaker with more successful arranged marriages in their credentials.

Standards and scope

There is a host of internationally recognized information protection and cyber security standards to choose from when determining the mechanism for external validation, including ISO, SSAE, NIST and COBIT. Service organizations such as cloud service providers need to assess which standards apply to their services and opt for the relevant audits accordingly. The choice is not always binary.

For example, a service provider processing financial data may need to implement a set of information security management controls based on ISO standards, data privacy controls aligned with regulatory requirements such as GDPR, and controls around payment card processing based on industry standards such as PCI-DSS.

In the case of arranged marriages, there are a lot of unwritten standards, which may differ by culture and upbringing of the families, at times triggering debate and judgment. Factors such as preferable age, religion, career, education, and family history could “define” such standards. Nonetheless, just like an information protection auditor, the matchmaker typically has the knowledge and experience to validate the applicability of each standard based on the specific scenario. 

Once the assurance standards are selected, the scope of controls is of crucial importance in terms of applicability from both directions: i) controls that match the nature of the cloud service provider’s services, and ii) controls that matter to the clients seeking assurance. For example, a software as a service (SaaS) provider may need to place more importance on system and software development controls than an infrastructure service provider would.

A client concerned about protecting personal data may derive more assurance from audits of privacy controls than from those focusing on data integrity (albeit equally important). Moreover, with outsourcing becoming ever more prominent in the IT world, the chain of trust between a client, a service provider, their sub-service provider and so on is only as strong as its weakest link, so assurance is needed across the whole chain.

Even though information protection standards are formalized and documented, the control sets do not come one-size-fits-all, which is why additional time invested in scoping can reap benefits, similar to how more time spent working out compatibility can help the success of an arranged marriage.

Continuous assurance

The first successful audit performed by a reputed audit firm, using the relevant standards and the right scope, can be a major milestone for a cloud service provider. It demonstrates how the data entrusted to them by clients is protected. After all, external validation in the form of audit certificates or reports facilitates swift market entry and revenue generation for the service provider.

However, maintaining the trust gained is imperative, as with any relationship. Year on year, the cloud service provider needs to pass the audits, while the scope and method of testing controls need to adapt swiftly to trends and technological advancement. For example, organizations may expect their cloud service providers to implement controls with increased automation and standardization over time, cognizant of changing regulations and industry requirements. The service provider and auditor need to work together by periodically reviewing the scope and ensuring the requisite controls for continuous assurance are covered. In the case of arranged marriages, the spouses do need to continually work on the relationship and on trust. And yes, the matchmaker may still play a role (welcome or not), because it is in their interest that the marriage succeeds.

It is becoming increasingly common for organizations to ask their cloud service providers for evidence of external validation of information protection controls before engaging in business or sharing data. External validation in the form of audits is seen to foster trust in how data is protected by service organizations. Every decision comes with a risk, particularly those based on trust -- an intangible concept.

However, informed decision-making taking into consideration the key factors above can lead to a successful trust-based relationship, which is perhaps why, unlike what is depicted in TV shows or movies, arranged marriages can often be successful.

Husna Siddiqi CIPP/E, based in London, is global lead for Cloud Assurance at a major audit firm. She has a Master’s in cryptography and over 14 years of professional experience in Information Protection, prior to which she was a software engineer and university lecturer. Dr Dalia Khader, CISSP, GSEC is the divisional CISO of a reputed insurance company, based in Luxembourg. She has over 15 years of experience in information security, including nine years in academia where she researched and taught applied cryptography, and several years as a security architect at a service provider.
