Last month I discussed the importance of addressing security concerns as you migrate services to the cloud. Security, in my opinion, is the most important responsibility of an IT organization. The good news is that cloud services have matured to the point that they typically provide very secure environments, sometimes even more secure than an on-premises solution. However, there are steps you need to take as you migrate to cloud processing to ensure the security of your IT assets.
I previously listed a number of areas of focus for addressing security in cloud-based services, and will now provide more detail on each of them.
Due diligence on the cloud service provider
The most important consideration is picking the cloud services provider. In some situations, such as vendor-specific hosting or SaaS application delivery, you really do not have a choice of provider. Even then, you should still ensure the vendor is taking appropriate steps to secure your data and to allow for business continuity in the event of a disruption.
If you are evaluating multiple vendors, make sure to ask what certifications they hold, their history of security breaches or outages (if any), the technology they use to protect their processing environment from outside threats, their experience with the healthcare industry (with references from existing customers), their operating history and their financial status (if not publicly available).
These considerations are as important as, if not more important than, the cost of the service: your primary concern should be that the vendor meets your security requirements and has both the necessary experience and the financial resources to keep meeting them.
Contractual terms in the agreement
Once you have selected a vendor, you quickly move to contracting. Your ability to negotiate or modify the vendor's standard agreement varies greatly with the specific vendor, the type of service offered and the size of the relationship. You may not be able to negotiate all of these items to your satisfaction, but at least review the agreement with them in mind, make changes to the extent possible and, where you are unable to negotiate a specific item with a vendor, ensure there are other ways to mitigate that risk.
Key terms to focus on in negotiations to protect your security interests include:
- Audit rights (the ability of you or your designee to audit the vendor's performance, provision of an SSAE 16 or similar independent review, etc.; note that SSAE 16 has since been superseded by SSAE 18, and that a SOC 1 report covers controls relevant to financial reporting, so for security assurance ask for a SOC 2 Type II report covering the period your contract is in force)
- Data backup, redundancy and disaster recovery obligations
- Insurance coverages
- Indemnification obligations in the event you are harmed due to actions, or lack of actions, on the part of the service provider
- Termination options for breach or non-performance of identified security obligations (you really don’t want to terminate but having these options helps keep a vendor focused on delivery)
- SLAs to monitor performance with penalties for not meeting certain agreed-upon minimum performance levels
- Whether your environment is shared with other customers (multi-tenant) or dedicated to your use
- Performance reporting and review meeting requirements
- Location of the hosting site (this can affect performance, and you also need to ensure the physical location is in an acceptable jurisdiction, for example not offshore if that is a problem for your organization)
- Business Associate Agreement (if applicable)
Protecting the transit of data to and from the service provider
It is great to have a world-class cloud services provider and a secure internal infrastructure, but if you do not have secure connectivity to the service provider, none of that really matters. Pay special attention when deploying cloud services to ensure the connectivity to the provider is secure.
Encryption in transit is a bare minimum, and encryption alone is not enough: the connection must also authenticate the provider's endpoint (certificate validation), or an on-path attacker can simply terminate the encrypted session themselves. Beyond that, consider private circuits (or a strongly configured VPN if you connect over a shared network such as the Internet) and multi-factor access controls. Access redundancy is also important, since all the security in the world does not help if you cannot reach your data. This is also required as part of a larger business continuity plan.
Ongoing security reporting, audits and planning meetings
Once you have negotiated reporting requirements, SLAs, audit rights and regular review meetings, do not put the agreement on the shelf and assume the relationship will run itself. I have seen many clients work diligently on contract terms and then not manage to the contract once it is effective.
Make sure the vendor is providing the reports and conducting the meetings you negotiated. Also, invoke your audit rights to confirm the vendor is performing all of the agreed-upon responsibilities in the agreement. Any significant agreement requires diligent management, and cloud services agreements are no different.
If you make the effort to select the right vendor, negotiate a contract that protects your interests, ensure connectivity to the cloud services provider is secure and actively manage the vendor's performance, there is no reason a cloud environment can't be as secure as, or more secure than, your in-house operations.